Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 23:45
Static task: static1

Behavioral task: behavioral1
  Sample: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General

Target: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe
Size: 4.0MB
MD5: 26adc37442f43dd3e1c06c26c3793a56
SHA1: 15d6486f8c6c5c767651d3016624025d2fb34da4
SHA256: f8ae2e6e1e607e7734fd02871d0754d7236e6f6ed9bb501ad6ff5115e40c42c2
SHA512: 55d21803162d126d460f95dccb580b85725a209a367a9ba00d00a5057370985bbd9a77689d7d45efb4ce7cec3b74edcaecd33f4d9bba4c9f4e21c371a8cb3765
SSDEEP: 98304:MRhxs1zO9FSSVNSt0RzOtk0kCkBptwhBKB0F+w7:GxEO9gSLSt0Ryi0pkBp6rK21
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\svchost.exe"
  process: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid: 3452, process: netsh.exe

Sets service image path in registry (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GbpSv\ImagePath = "explorer.exe C:\\Windows\\system32\\svchost.exe"
  process: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GbpSv\ImagePath = "explorer C:\\Windows\\system32\\svchost.exe"
  process: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\Arquivos de programas\\Windows32.exe"
  process: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\reg_0002.txt
  process: 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description: Key opened, ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, process: netsh.exe
  description: Key queried, ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, process: netsh.exe
  description: Key value enumerated, ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, process: netsh.exe

Program crash (1 IoC)
  pid: 3268, pid_target: 4692, process: WerFault.exe, procid_target: 79

Kills process with taskkill (9 IoCs)
  pid / process: 3408 taskkill.exe, 2472 taskkill.exe, 4300 taskkill.exe, 468 taskkill.exe, 4676 taskkill.exe, 3968 taskkill.exe, 3372 taskkill.exe, 4420 taskkill.exe, 2072 taskkill.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process: 592 schtasks.exe, 1220 schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process: 4692 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe (all 4 entries are this same process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process: 4692 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description: Token: SeDebugPrivilege, for each of pid / process: 3408 taskkill.exe, 2472 taskkill.exe, 3968 taskkill.exe, 3372 taskkill.exe, 4420 taskkill.exe, 4300 taskkill.exe, 468 taskkill.exe, 2072 taskkill.exe, 4676 taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process: 4692 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (64 IoCs)
  pid / process: 4692 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe (all 64 entries are this same process)

Suspicious use of WriteProcessMemory (42 IoCs)
  Columns: description, pid, process, procid_target. Each write below is recorded three times in the report (14 distinct parent/child pairs, 42 entries).
  PID 4692 wrote to memory of 592, 4692, 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe, 86
  PID 4692 wrote to memory of 1216, 4692, 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe, 87
  PID 4692 wrote to memory of 1220, 4692, 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe, 89
  PID 4692 wrote to memory of 220, 4692, 26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe, 90
  PID 1216 wrote to memory of 3452, 1216, cmd.exe, 94
  PID 220 wrote to memory of 3408, 220, cmd.exe, 95
  PID 220 wrote to memory of 2472, 220, cmd.exe, 97
  PID 220 wrote to memory of 3968, 220, cmd.exe, 98
  PID 220 wrote to memory of 3372, 220, cmd.exe, 99
  PID 220 wrote to memory of 4420, 220, cmd.exe, 100
  PID 220 wrote to memory of 4300, 220, cmd.exe, 101
  PID 220 wrote to memory of 468, 220, cmd.exe, 102
  PID 220 wrote to memory of 2072, 220, cmd.exe, 103
  PID 220 wrote to memory of 4676, 220, cmd.exe, 104
Processes

Process tree (indentation shows parent/child depth; each entry gives image path, PID, command line, and the signatures it triggered).

C:\Users\Admin\AppData\Local\Temp\26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe (PID: 4692)
  command line: "C:\Users\Admin\AppData\Local\Temp\26adc37442f43dd3e1c06c26c3793a56_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Sets service image path in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe (PID: 3268)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 224
    - Program crash

  C:\Windows\SysWOW64\schtasks.exe (PID: 592)
    command line: schtasks /create /tn startt /tr c:\autoexec.bat /sc onstart /ru system
    - Scheduled Task/Job: Scheduled Task

  C:\WINDOWS\SysWOW64\cmd.exe (PID: 1216)
    command line: C:\WINDOWS\system32\cmd.exe /c "netsh firewall set opmode mode = disable"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID: 3452)
      command line: netsh firewall set opmode mode = disable
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\schtasks.exe (PID: 1220)
    command line: schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (PID: 220)
    command line: C:\Windows\system32\cmd.exe /c c:\lsass.bat
    - Suspicious use of WriteProcessMemory

    Each of the nine C:\Windows\SysWOW64\taskkill.exe children below triggered the same two signatures:
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe (PID: 3408)
      command line: taskkill /f /im GBPSV.EXE
    C:\Windows\SysWOW64\taskkill.exe (PID: 2472)
      command line: taskkill /f /im nod32kui.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 3968)
      command line: taskkill /f /im KAVPF.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 3372)
      command line: taskkill /f /im Kav.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 4420)
      command line: taskkill /f /im mcdash.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 4300)
      command line: taskkill /f /im Mcdetect.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 468)
      command line: taskkill /f /im mcregwiz.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 2072)
      command line: taskkill /f /im McTskshd.exe
    C:\Windows\SysWOW64\taskkill.exe (PID: 4676)
      command line: taskkill /f /im mcupdmgr.exe

C:\Windows\SysWOW64\WerFault.exe (PID: 4060)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4692 -ip 4692
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)

Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads

Filesize: 1KB
MD5: c14d95d8440642152af2f490e615dfd3
SHA1: 46c91e8ef85cc8b1487754914b1168ea6554f393
SHA256: d65a504a357ebb854146a5d39e4c0c3108080c3cf062e126099ef779be9b5718
SHA512: 45929269745d1b590146e29ffd2d57e019072ecb9271598a12e2ddf0348209c682168caff6759c29fc94205c3f9f5d76b364dadae19c2d63f12c8748d2f55f82