Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/06/2024, 15:26
Static task: static1
Behavioral task: behavioral1
  Sample: 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Size: 92KB
MD5: 1684be38e3a7be1d34164287c1ee407f
SHA1: abceb5edefe0eedacfbd10d2d4066172cc5dff4d
SHA256: b6a6f338c95975cdfe5c121e9539521c381ea458f4f202dfa518dfa6caccb5e6
SHA512: fbc39800f80c492163bacf2e386dc338eb6457c67036593c5bbe2855b45d137e15c24538c8144a4986486f158a6d04bf72986a846fa23e68aec5033a2bbfc4aa
SSDEEP: 1536:+6CTQKSFmROBPXYV9iTDFqBEyA4CepiVOhn9cO5gI:+oh5ioTsBSepiw9cOKI
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe:*:Enabled:Service Nouts" | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
2572 | netsh.exe
Executes dropped EXE (2 IoCs)
pid | Process
412 | wnepoi.exe
2768 | wnepoi.exe
resource | yara_rule
behavioral2/memory/464-2-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/464-5-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/464-6-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/464-7-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-20-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/464-23-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-24-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-25-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-26-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-27-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-28-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-29-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-30-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-31-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-32-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-33-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-34-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-35-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-36-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-37-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2768-38-0x0000000000400000-0x0000000000455000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Nouts = "wnepoi.exe" | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4988 set thread context of 464 | 4988 | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe | 83
PID 412 set thread context of 2768 | 412 | wnepoi.exe | 86
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\wnepoi.exe | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
File opened for modification | C:\Windows\wnepoi.exe | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
464 | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe   (all 64 entries in this table are identical to this row)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4988 | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
412 | wnepoi.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 4988 wrote to memory of 464 | 4988 | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe | 83   (8 identical entries)
PID 464 wrote to memory of 2572 | 464 | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe | 84   (3 identical entries)
PID 464 wrote to memory of 412 | 464 | 1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe | 85   (3 identical entries)
PID 412 wrote to memory of 2768 | 412 | wnepoi.exe | 86   (8 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe"
  PID: 4988
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\1684be38e3a7be1d34164287c1ee407f_JaffaCakes118.exe
    PID: 464
    - Modifies firewall policy service
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (depth 3)
      Command line: netsh firewall add allowedprogram wnepoi.exe 1 ENABLE
      PID: 2572
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\wnepoi.exe  (depth 3)
      Command line: "C:\Windows\wnepoi.exe"
      PID: 412
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\wnepoi.exe  (depth 4)
        Command line: C:\Windows\wnepoi.exe
        PID: 2768
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)