Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 13:41
Behavioral task: behavioral1
Sample: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Size: 771KB
MD5: 16345de556130b38be95f6e4d8740121
SHA1: 0ced1e7bcc96fb116bee7076f8894d18c9115cba
SHA256: 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
SHA512: b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7
SSDEEP: 12288:Efbh3edoSdPDze9LBApPsKNoeP313umLcUmyqC+N/jXI0zvvNVR:+R8oYzS12PVaA3LLRHqC+ljXFvzR
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Windows security bypass
Processes: winupdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
Processes: winupdate.exe
pid | process
4920 | winupdate.exe
Windows security modification
Processes: winupdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe, winupdate.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 4956 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 4920 | winupdate.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: winupdate.exe
pid | process
4920 | winupdate.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe, winupdate.exe
description | pid | process | target process
PID 4956 wrote to memory of 4920 | 4956 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe | winupdate.exe
PID 4956 wrote to memory of 4920 | 4956 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe | winupdate.exe
PID 4956 wrote to memory of 4920 | 4956 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe | winupdate.exe
PID 4920 wrote to memory of 5076 | 4920 | winupdate.exe | iexplore.exe
PID 4920 wrote to memory of 5076 | 4920 | winupdate.exe | iexplore.exe
PID 4920 wrote to memory of 5076 | 4920 | winupdate.exe | iexplore.exe
PID 4920 wrote to memory of 5092 | 4920 | winupdate.exe | explorer.exe
PID 4920 wrote to memory of 5092 | 4920 | winupdate.exe | explorer.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"
    PID: 4956
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windupdt\winupdate.exe
        Command line: "C:\Windupdt\winupdate.exe"
        PID: 4920
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 5076
        [3] C:\Windows\explorer.exe
            Command line: "C:\Windows\explorer.exe"
            PID: 5092
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
    PID: 1316
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 771KB
MD5: 16345de556130b38be95f6e4d8740121
SHA1: 0ced1e7bcc96fb116bee7076f8894d18c9115cba
SHA256: 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
SHA512: b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7