Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 11:20
Static task: static1
Behavioral task: behavioral1
Sample: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Size: 616KB
- MD5: 15ce45fdf58db94c01d9379c4f0148f2
- SHA1: 74aa27d81f3a3d1cf544f6b2c6e8ea160654fac0
- SHA256: 8439f3656b12b448b15f43c7ea8a8871ea978aaa3f3140af622682d0ac06b8ce
- SHA512: 651fe20068e868a418cb64af078470be30017fa71d25bca9a1781511f2b135bc71a7ab4a71e7401e11fc20f536b8aecb982ff131f390ca0c135ac2f9336f346f
- SSDEEP: 12288:YePwlp7/N0+OLbetJZv5m0/VyVz9ZPYHm1GjD2JSmJVRC:fmS+OEZvMQAFAmMeJSmfw
Malware Config
Signatures
- Modifies firewall policy service (3 TTPs, 3 IoCs)
  Processes: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Disables Task Manager via registry modification
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  pid | process
  2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeSystemProfilePrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeProfSingleProcessPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeCreatePagefilePrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeSystemEnvironmentPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeRemoteShutdownPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeUndockPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeManageVolumePrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeImpersonatePrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: SeCreateGlobalPrivilege | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: 33 | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: 34 | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Token: 35 | 2108 | 15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: DllHost.exe
  pid | process
  1728 | DllHost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ce45fdf58db94c01d9379c4f0148f2_JaffaCakes118.exe"
  - Modifies firewall policy service
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 2108
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 1728
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: 2870e9e67d6d096fc68d5f4142f2c330
  SHA1: 81c2762a80b0780fb7ede89fc86cc3d9fc23a645
  SHA256: 0b175cd519a4e8323a6f335abbc65c450af719e72e3f34280ffc6f896887eec9
  SHA512: caf2e2c12beace47ca7fdeaa27da3d0cef1a5e7aa103e71ebec06b4a7573a6fcadbfa501f1b1b65e9bb42351b39260009a1ff73f85346c66584769894960e5a0