Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-07-2024 22:19

General

  • Target

    266ebb06e9cf5650e72334ae7232b20c_JaffaCakes118.exe

  • Size

    840KB

  • MD5

    266ebb06e9cf5650e72334ae7232b20c

  • SHA1

    a2c637826d6eaa5645ef06bd15c7e410666ec471

  • SHA256

    e05c4427f5ae05cb478d964bdbcdc7bb01becc8ab81d20d1fe9c92d76e53630b

  • SHA512

    6c82d2cddf413fb00676b65c28b444649214ef94cd12c50ac1ed717f5eedc9661dc2a11155e6684129202deb27695b3d5b096be1fe26daa61242f3a63cbcbb21

  • SSDEEP

    12288:Ir6jZOUcbFO84y1GYJvPW+isCV1b5wnKMzu0JTMbfUbJX+Os3C9nNY0N:Ij5Oi5msCV1t9N9bUJXAC9N1

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\266ebb06e9cf5650e72334ae7232b20c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\266ebb06e9cf5650e72334ae7232b20c_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 732
      2⤵
      • Program crash
      PID:2956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 788
      2⤵
      • Program crash
      PID:2112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1224
      2⤵
      • Program crash
      PID:1100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1232
      2⤵
      • Program crash
      PID:3256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1284
      2⤵
      • Program crash
      PID:2152
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1376
      2⤵
      • Program crash
      PID:324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1280
      2⤵
      • Program crash
      PID:4260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1440
      2⤵
      • Program crash
      PID:3388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1464
      2⤵
      • Program crash
      PID:4984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1900
      2⤵
      • Program crash
      PID:4716
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 2216
      2⤵
      • Program crash
      PID:3920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3540 -ip 3540
    1⤵
    PID:3544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3540 -ip 3540
    1⤵
    PID:5104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3540 -ip 3540
    1⤵
    PID:1392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3540 -ip 3540
    1⤵
    PID:4340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3540 -ip 3540
    1⤵
    PID:3920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3540 -ip 3540
    1⤵
    PID:4036
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3540 -ip 3540
    1⤵
    PID:4080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3540 -ip 3540
    1⤵
    PID:3892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3540 -ip 3540
    1⤵
    PID:1000
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2032
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:556
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3660
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4552
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2028
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3292
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      PID:4600
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4380
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:3160
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3896
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:4848
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3540 -ip 3540
    1⤵
    PID:4784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3540 -ip 3540
    1⤵
    PID:1304

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\IconCache.db

    Filesize

    18KB

    MD5

    b802c26497e9a8c07eb0dfb40c225fed

    SHA1

    c5d83b1e9cde6c154f7164ce2f318f894f29affd

    SHA256

    a3afce280413534137491516b07ebeab8c7e7285c6a4e16bf73e1473c639d7d7

    SHA512

    6a6ebc11b673b562b726818b6e0168d6ee55abf6fbc5e53c191c290b07b7a8f961a00c392989b74db9bd465a854b508b008ef3a976ed0ad16dab3b6fd6a312e2

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

    Filesize

    1022B

    MD5

    0130952b18e0184af71f5ab47746990d

    SHA1

    b6822a78558e9f0c8ea3e3de6823080fb6f23e16

    SHA256

    44a25dfa8b123d63a9de796171b5e6f397845daf1b64ceddc0d7f5eaec7cbbfa

    SHA512

    5ccb30e9abe230379976128e5f52230b3ad48c4858e98233b546ec839cb3d34c971bbfeb24d5ab9c339d67eb76817e73d9c1a284a3f5346dec2f6a3f75bdea47

  • C:\Users\Admin\AppData\Local\Temp\{4702F5D4-663B-4750-93F6-09FE37B838B3}.png

    Filesize

    6KB

    MD5

    099ba37f81c044f6b2609537fdb7d872

    SHA1

    470ef859afbce52c017874d77c1695b7b0f9cb87

    SHA256

    8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

    SHA512

    837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

  • memory/2032-9-0x0000000004340000-0x0000000004341000-memory.dmp

    Filesize

    4KB

  • memory/3440-28-0x0000000003510000-0x0000000003511000-memory.dmp

    Filesize

    4KB

  • memory/3540-32-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-40-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-5-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-63-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-15-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-62-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-4-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-2-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-30-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-0-0x0000000000A2B000-0x0000000000A2C000-memory.dmp

    Filesize

    4KB

  • memory/3540-31-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-1-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-39-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-6-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-47-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-48-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-49-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-50-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-55-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-56-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-57-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-60-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3540-61-0x0000000000400000-0x0000000000A38000-memory.dmp

    Filesize

    6.2MB

  • memory/3660-12-0x0000000004140000-0x0000000004141000-memory.dmp

    Filesize

    4KB

  • memory/4380-20-0x0000000004B70000-0x0000000004B71000-memory.dmp

    Filesize

    4KB