Analysis
  max time kernel: 80s
  max time network: 63s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-06-2024 11:42
Behavioral task: behavioral1
  Sample: 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  Resource: win7-20240221-en (windows7-x64)
  2 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en (windows10-2004-x64)
  10 signatures, 150 seconds

Errors
  Reason: Machine shutdown
General
  Target: 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  Size: 4KB
  MD5: 15dfb59ca8a6290e3c8a52f31cfe627d
  SHA1: 6363cb5af4ec6a6cdc9113285986129af4616c97
  SHA256: 8673f5c3480550fcacc2ff94507f67d410463feb1b0f67e595ff70deb900f0d7
  SHA512: 6dc5eaf5235c7fbd12e09a6b6992378d34a64046d3fd50482b59b4e8ac516380bb3a0ac40faefe8a27ca62b8cad42f7a970f4051eb0d4413f7c14ace6b4ac8ba
  SSDEEP: 96:0PYA1iFC4K6jtAvpm05RYPPPM/zpPjwsOEepLt1x:0p10q6jtAvpm0rYPPPM/lwt1x
  Score: 7/10

Malware Config

Signatures
UPX (yara rule match, 3 memory regions)
  resource | yara_rule
  behavioral2/memory/3528-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral2/memory/3528-1-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral2/memory/3528-5-0x0000000000400000-0x000000000040A000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDebug = "C:\\Windows\\system32\\windebug.exe" | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\windebug.exe | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | OfficeClickToRun.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\player_1.exe | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  File opened for modification | C:\Windows\player_1.exe | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  File created | C:\Windows\Parmenide.teb | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OfficeClickToRun.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | OfficeClickToRun.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | OfficeClickToRun.exe
Modifies data under HKEY_USERS (26 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3528 | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  3528 | 15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe

Suspicious behavior: LoadsDriver (64 IoCs)
  pid | Process
  All 64 entries are recorded as "Process not Found" for the following pids:
  1072, 5092, 4200, 4872, 2564, 3224, 3872, 3520, 3576, 4460,
  2152, 980, 3472, 1604, 2612, 4996, 3464, 3480, 4312, 2508,
  1272, 3140, 4588, 4304, 3108, 1960, 900, 1136, 2636, 2700,
  2112, 1664, 5044, 1268, 2876, 2036, 4000, 3980, 1548, 2552,
  2728, 3256, 5028, 4520, 2924, 4080, 1384, 4424, 228, 3260,
  4372, 4432, 2544, 4456, 4072, 4644, 1364, 2596, 2276, 3120,
  2852, 4820, 3624, 1804

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1492 | OfficeClickToRun.exe
Processes

Process: C:\Users\Admin\AppData\Local\Temp\15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15dfb59ca8a6290e3c8a52f31cfe627d_JaffaCakes118.exe"
  PID: 3528
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

Process: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID: 1492
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

Process: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID: 2712

Process: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID: 4572

Process: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 1344