Analysis

- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 19:57
Static task: static1

Behavioral task: behavioral1
- Sample: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General

- Target: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe
- Size: 804KB
- MD5: 1753e5c51e39ae8b979d2b7ce213a446
- SHA1: 52e63b19aee9ba61c753593b0089cc6e352bf5cc
- SHA256: c3bab0f648527f6f1ce39bd437ca304d57264c4d45dd2bddef79f39be956640e
- SHA512: 879ec0e1b861b574062d20d5aa9be06020870103c86c932a014826882c9ba48443142cc660630fd8da467c8470a6cf4d59d70e6fb2c6767898a5199c328368d0
- SSDEEP: 12288:bK1q+iF0S+Xi+FSiSFVpIfi7CQc8FTnE97SFdmFnItdDlM2j:bICmS+XNF3aEsCQc8CSDo0dj
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)

| Process | Description | IoC |
|---|---|---|
| vbc.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\system32dll.exe" |

Executes dropped EXE (1 IoC)

| PID | Process |
|---|---|
| 3280 | system32dll.exe |

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)

| Process | Description | IoC |
|---|---|---|
| vbc.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\system32dll.exe" |

Drops file in System32 directory (3 IoCs)

| Process | Description | IoC |
|---|---|---|
| vbc.exe | File created | C:\Windows\SysWOW64\system32dll.exe |
| vbc.exe | File opened for modification | C:\Windows\SysWOW64\system32dll.exe |
| vbc.exe | File opened for modification | C:\Windows\SysWOW64\ |

Suspicious use of SetThreadContext (1 IoC)

| Description | PID | Process | Target process |
|---|---|---|---|
| PID 2136 set thread context of 1120 | 2136 | 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe | vbc.exe |

Modifies registry class (1 IoC)

| Process | Description | IoC |
|---|---|---|
| vbc.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ |

Runs ping.exe (1 TTP, 3 IoCs)

| PID | Process |
|---|---|
| 928 | PING.EXE |
| 1852 | PING.EXE |
| 1544 | PING.EXE |

Suspicious use of AdjustPrivilegeToken (24 IoCs)

All 24 IoCs are token adjustments by vbc.exe (PID 1120). Privileges enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the numbered privilege values 33, 34, 35 and 36.

Suspicious use of WriteProcessMemory (35 IoCs)

Processes involved: 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe, vbc.exe, cmd.exe (x3). Each row is a "PID X wrote to memory of Y" event; identical events are grouped with their count.

| Source PID | Source process | Target PID | Target process | Occurrences |
|---|---|---|---|---|
| 2136 | 1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe | 1120 | vbc.exe | 14 |
| 1120 | vbc.exe | 2612 | cmd.exe | 3 |
| 1120 | vbc.exe | 2520 | cmd.exe | 3 |
| 1120 | vbc.exe | 564 | cmd.exe | 3 |
| 2612 | cmd.exe | 1852 | PING.EXE | 3 |
| 564 | cmd.exe | 928 | PING.EXE | 3 |
| 2520 | cmd.exe | 1544 | PING.EXE | 3 |
| 1120 | vbc.exe | 3280 | system32dll.exe | 3 |
Processes

- C:\Users\Admin\AppData\Local\Temp\1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe (PID 2136, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1753e5c51e39ae8b979d2b7ce213a446_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1120, depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2612, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 1852, depth 4)
        Command line: ping 127.0.0.1 -n 5
        - Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 2520, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 1544, depth 4)
        Command line: ping 127.0.0.1 -n 5
        - Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 564, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 928, depth 4)
        Command line: ping 127.0.0.1 -n 5
        - Runs ping.exe
    - C:\Windows\SysWOW64\system32dll.exe (PID 3280, depth 3)
      Command line: "C:\Windows\system32\system32dll.exe"
      - Executes dropped EXE

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2780, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 82B
- MD5: 638415f09175908af6b20ffa78526db1
- SHA1: 87c3527c6ad7721245820f68bfa32be11e0a916c
- SHA256: 0a46d339ddfa8ccdfe17c055190f19e873120e9ae3722f6601464281d0011d60
- SHA512: 85198b6a713218ed7d0ecf0b49c79d8ced0f7ff38f20ef11baa4a63fcbe1201069de08b79153d5a26d0efa3c1fefbfdb19326cf77335065abaf417cd21fd8a9b

File 2
- Filesize: 1.1MB
- MD5: d881de17aa8f2e2c08cbb7b265f928f9
- SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
- SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
- SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34