Analysis

Max time kernel: 141s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 27-06-2024 19:57

Static task: static1

Behavioral task: behavioral1
  Sample: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe
Size: 804KB
MD5: 1753e5c51e39ae8b979d2b7ce213a446
SHA1: 52e63b19aee9ba61c753593b0089cc6e352bf5cc
SHA256: c3bab0f648527f6f1ce39bd437ca304d57264c4d45dd2bddef79f39be956640e
SHA512: 879ec0e1b861b574062d20d5aa9be06020870103c86c932a014826882c9ba48443142cc660630fd8da467c8470a6cf4d59d70e6fb2c6767898a5199c328368d0
SSDEEP: 12288:bK1q+iF0S+Xi+FSiSFVpIfi7CQc8FTnE97SFdmFnItdDlM2j:bICmS+XNF3aEsCQc8CSDo0dj
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: vbc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\system32dll.exe"

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: vbc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\system32dll.exe"

Drops file in System32 directory (3 IoCs)
  Process: vbc.exe
  File created: C:\Windows\SysWOW64\system32dll.exe
  File opened for modification: C:\Windows\SysWOW64\system32dll.exe
  File opened for modification: C:\Windows\SysWOW64\

Suspicious use of SetThreadContext (1 IoC)
  PID 1312 (1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe) set thread context of PID 2008 (vbc.exe)

Program crash (1 IoC)
  WerFault.exe (PID 2448), target process vbc.exe (PID 2008)

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process: vbc.exe (PID 2008), token privileges adjusted:
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfSingleProcessPrivilege
  SeIncBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  SeImpersonatePrivilege
  SeCreateGlobalPrivilege
  Token 33
  Token 34
  Token 35

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1312 (1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe) wrote to memory of PID 2008 (vbc.exe): 13 events
  PID 2008 (vbc.exe) wrote to memory of PID 2756 (cmd.exe): 4 events
  PID 2008 (vbc.exe) wrote to memory of PID 2496 (cmd.exe): 4 events
  PID 2008 (vbc.exe) wrote to memory of PID 2448 (WerFault.exe): 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe (PID 1312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2008)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2756)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

    C:\Windows\SysWOW64\cmd.exe (PID 2496)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

    C:\Windows\SysWOW64\WerFault.exe (PID 2448)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 616
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 70B
  MD5: 73b0495dfd90f2f77a64d3ac7f6e7c03
  SHA1: 0503c56481fda524b90139b4d2e0b686765c355f
  SHA256: 0a4c374db7dcbe8944a2a3fc0d774247861318cc55494fe8b6f001fe46a69fc2
  SHA512: 9d6fbe22f8441cf2b78506bde2535e4137af1c200fe36272d4fb0adea8f33360c93cb1619c3b667514f185d632a078760ebc0f47eeb0825979e468a7c2c88e39

File 2
  Filesize: 62B
  MD5: c6abd7a109bb37ab773b9e79b91b7741
  SHA1: 7933b8795914b27483d2afed35b3830e8bf5bdb6
  SHA256: 8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629
  SHA512: 35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc