Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2024, 00:11
Static task: static1
Behavioral task: behavioral1
  Sample: 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
- Size: 354KB
- MD5: 23f62fe026e1632b60e9bb0dc7857537
- SHA1: b790dbc0dd1bf407df7e92a65cc20ae1e76d487d
- SHA256: b7c18eb1f6597734af890ebb5fa3345bc3c90ba6f60cb934025c3d56343a63da
- SHA512: 78e6cc5891d0f2f4e7b0b01a1837f8651157962c6535d6ed68a9d5f96fb4da879fb5058ea4990a021922e02ef1f59bab14c78959dfe89aa0a9634e5d593ba34b
- SSDEEP: 6144:gDCwfG1bnxLERR9saMDCwfG1bnxLERR9saah:g72bntEL9/M72bntEL9/ah
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
    description | ioc | Process
    Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
    description | ioc | Process
    Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
- Adds policy Run key to start application (2 TTPs, 6 IoCs)
    description | ioc | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat" | WScript.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat" | WScript.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat" | WScript.exe
- Executes dropped EXE (6 IoCs)
    pid | Process
    2580 | avscan.exe
    2508 | avscan.exe
    2520 | hosts.exe
    2556 | hosts.exe
    2792 | avscan.exe
    764 | hosts.exe
- Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
    description | ioc | Process
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | REG.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | REG.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | REG.exe
- Loads dropped DLL (5 IoCs)
    pid | Process
    1992 | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    1992 | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    2580 | avscan.exe
    2520 | hosts.exe
    2520 | hosts.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
- Drops file in Windows directory (5 IoCs)
    description | ioc | Process
    File created | C:\windows\W_X_C.vbs | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    File created | \??\c:\windows\W_X_C.bat | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    File opened for modification | C:\Windows\hosts.exe | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    File opened for modification | C:\Windows\hosts.exe | avscan.exe
    File opened for modification | C:\Windows\hosts.exe | hosts.exe
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 9 IoCs)
    pid | Process
    3028 | REG.exe
    2728 | REG.exe
    2452 | REG.exe
    1480 | REG.exe
    2940 | REG.exe
    2948 | REG.exe
    1484 | REG.exe
    2988 | REG.exe
    2032 | REG.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
    pid | Process
    2580 | avscan.exe
    2520 | hosts.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
    pid | Process
    1992 | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
    2580 | avscan.exe
    2508 | avscan.exe
    2520 | hosts.exe
    2792 | avscan.exe
    2556 | hosts.exe
    764 | hosts.exe
- Suspicious use of WriteProcessMemory (64 IoCs; the sandbox logged each row four times, shown here once with a count)
    description | pid | Process | procid_target | count
    PID 1992 wrote to memory of 2032 | 1992 | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe | 28 | 4
    PID 1992 wrote to memory of 2580 | 1992 | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe | 30 | 4
    PID 2580 wrote to memory of 2508 | 2580 | avscan.exe | 31 | 4
    PID 2580 wrote to memory of 1352 | 2580 | avscan.exe | 32 | 4
    PID 1992 wrote to memory of 2640 | 1992 | 23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe | 34 | 4
    PID 1352 wrote to memory of 2520 | 1352 | cmd.exe | 36 | 4
    PID 2640 wrote to memory of 2556 | 2640 | cmd.exe | 37 | 4
    PID 2520 wrote to memory of 2792 | 2520 | hosts.exe | 38 | 4
    PID 1352 wrote to memory of 1772 | 1352 | cmd.exe | 39 | 4
    PID 2520 wrote to memory of 2140 | 2520 | hosts.exe | 40 | 4
    PID 2640 wrote to memory of 2568 | 2640 | cmd.exe | 42 | 4
    PID 2140 wrote to memory of 764 | 2140 | cmd.exe | 43 | 4
    PID 2140 wrote to memory of 768 | 2140 | cmd.exe | 44 | 4
    PID 2580 wrote to memory of 1484 | 2580 | avscan.exe | 45 | 4
    PID 2520 wrote to memory of 3028 | 2520 | hosts.exe | 47 | 4
    PID 2580 wrote to memory of 2728 | 2580 | avscan.exe | 51 | 4
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe"
  PID: 1992
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\REG.exe
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    PID: 2032
    - Impair Defenses: Safe Mode Boot
    - Modifies registry key
  Level 2: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    PID: 2580
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      PID: 2508
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c c:\windows\W_X_C.bat
      PID: 1352
      - Suspicious use of WriteProcessMemory
      Level 4: C:\windows\hosts.exe
        Command line: C:\windows\hosts.exe
        PID: 2520
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          PID: 2792
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c c:\windows\W_X_C.bat
          PID: 2140
          - Suspicious use of WriteProcessMemory
          Level 6: C:\windows\hosts.exe
            Command line: C:\windows\hosts.exe
            PID: 764
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          Level 6: C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            PID: 768
            - Adds policy Run key to start application
        Level 5: C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 3028
          - Modifies registry key
        Level 5: C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 2452
          - Modifies registry key
        Level 5: C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 1480
          - Modifies registry key
        Level 5: C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 2948
          - Modifies registry key
      Level 4: C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        PID: 1772
        - Adds policy Run key to start application
    Level 3: C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 1484
      - Modifies registry key
    Level 3: C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 2728
      - Modifies registry key
    Level 3: C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 2988
      - Modifies registry key
    Level 3: C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 2940
      - Modifies registry key
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\windows\W_X_C.bat
    PID: 2640
    - Suspicious use of WriteProcessMemory
    Level 3: C:\windows\hosts.exe
      Command line: C:\windows\hosts.exe
      PID: 2556
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    Level 3: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      PID: 2568
      - Adds policy Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 757KB
  MD5: a27e5d8c92fa8c13c12020e03a4807d9
  SHA1: b8050ea87899a8b955cad2df055d4db7de6e465c
  SHA256: a407fa91daba18747be6f348e8d8f1b814551a58d5cc37cffcf6edc9f71647d3
  SHA512: 5601e4565409423f7ad50d16536533d9e3fd8534d9967219d9ee82a418edf3f8df4a8ba6c8981cbf3040fc6ab8d7642768205e60ee5e8d713065dff56d4a66f5
- Filesize: 1.1MB
  MD5: 769789adde82e420491147c536bfcecd
  SHA1: 50c5a415d151260608d15642ea7623c9509710a4
  SHA256: 8084d0c034dd6105ea7cbdca6988a0c53160529af166e1bc142e1eefdfc380f8
  SHA512: a8420a148177625254e2c4c9b402999d904f5637bc62c2efcc9b3a22e8dbba012051bf2eb8e6ecdc126975b1ba233a1cbe05d4a83c8e7978c221486a1e528a2f
- Filesize: 1.4MB
  MD5: 7756c8ce2beee23c10e930f157f523e1
  SHA1: 9d5572499f6ff398ca12dfd87306e1f7fff7aeff
  SHA256: 3be6a514a99514d6d86a2a2bd3de2534fef4ba1e92b771fb98e7d193a8f5d291
  SHA512: cbc55d468845bdcafb47d78789427173651fac96fbc932194be2ab3ca3b0907b0e80cfb100fbde09fff575c038a5c03fc3741cc809ea665957cae0a67cf941d3
- Filesize: 1.8MB
  MD5: 5fe949d7cc5931c3059290b744b51e48
  SHA1: a9774d33e655ccbd606fccb2ed1bd5e4c0b0dc83
  SHA256: 619790eb663bdb615ffbbe857d3726cbfa6e89172d705b74f3a53375d11e2c9b
  SHA512: 96b88823f69caabb274f4e8165f58a92aea3494d431e35cf6891682044b6ddf219b74c490d4987a0cbb66719b38c2bef59608d2fccaf5b5c5d9bbb5255efcca2
- Filesize: 2.1MB
  MD5: 57f4aeea61c498b9757a2ac34c037360
  SHA1: d30b76abd617a91419cb50d7a8e1af7a3bcdb71d
  SHA256: 46a51664ce36506a6b701ad6a04729d5a41c82086009e309cae1908b98ccb1fd
  SHA512: e9d62d39bbc22a22ad00cf1969f19fb702b08dcd076d8e99704ee72330412e04dac370ef1c3534f64b2cf75d929c72533b25dc8f18adc23b08ea074644ea36f8
- Filesize: 2.5MB
  MD5: 72f9e2b4ca024d473143ecbb869f9be8
  SHA1: 47b7528b2cae0096a29feca66588e3b203f897a8
  SHA256: 94679529d5bd732f5d9376e5bc560306b788871ac3e4d5d6607115ce4f74d2b3
  SHA512: 4264d0fbc35ea61e8ea50a8e58fa084a3a5c8a89b14b5e059e0e434d53fcf2292d9a6ea1629146cad4a5acafc996fefddf1a85458c6f6415200d85f657311eee
- Filesize: 2.8MB
  MD5: f08927f29cb4d42f88e46e5e12e06ecf
  SHA1: fba217b258fe31f3bfec70630f598e5c003a7b95
  SHA256: 8a9de13041e61fdec28bd94a7d50cee665726d4174923311d8af5d5b8821887b
  SHA512: 1b7ca4ccbee3ce5ca18bad68fd45f6290f8d2b57e852091e87c1380237a6c0ee22b9140cc1adc0bf01d30c30730b802e568472fc2362e4d95a6f0c7ba99d3b96
- Filesize: 195B
  MD5: 7fd017e8c0f6e808ab92dd24fc015f50
  SHA1: 917f0c6f8588a70a1044dfd2b0dd94d2738ac705
  SHA256: 009ab8b53bde4a5b671cddc837eeab5e1023557db347ed33f355d75d230d0ae1
  SHA512: 91f7dc20c39ddb47221416ec3ffd8b91e1ccdfe2cb8b60294380df08c6e4edef19387da198107eedb47a75e7ad311cc5933095eeddfcb47d7d45d5a8b0a40ae3
- Filesize: 354KB
  MD5: cced3a528d346f900f9aeb4d105e4a12
  SHA1: f023300b62263c9c5adeb6d07d2d9409d26d889e
  SHA256: 3c025eb20b17c0cf80636674c30048e849ecec0d0d21fd7b5f761c426548abd2
  SHA512: bbc6905d42382937b749bbc55b3fa7356f8dda997bfd634801499ba1619809c351fc2f1ffe0dd0e498b1cd6ab73396d06a5efa2b46886e33772dc7e39d2dc8ee
- Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b
- Filesize: 354KB
  MD5: 62ed18b2a3d928025cc85b04d1a8d199
  SHA1: 6416828bc3fef7da3629d8a94d81ec31a44e5dfb
  SHA256: 938f4c4b7aedd3f41f20b8440cce9eb050527d02539cdb63473ea32dc5202771
  SHA512: 96a82b1f7bd1f00c0d7d26a47d0d60e63ba4148ee3f11915da3e1af41130ab41d4a3c630c3b3d9f24e4ba00370532246be3da96077655a44225d53071f8d9d85