Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/07/2024, 10:46
Static task: static1
Behavioral task: behavioral1
- Sample: 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
- Resource: win7-20240508-en
Note: the task list shows the win7 resource, while the Analysis header above gives the windows10-2004_x64 platform; the WOW6432Node registry paths in the signatures below come from a 64-bit Windows run.
General
- Target: 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
- Size: 952KB
- MD5: 28438517f96da37569cdf64333884f50
- SHA1: a77b7beb305a828f4c0f73b3dbe220d9a53e42f2
- SHA256: e0a69909638dbec232e66444075e59502c580252a28bb2f48434cf6eaf6799de
- SHA512: d21f46f16495a4a4197ac5e303d4cae2410cf2f7f1e3670aca13dd10bf93d4e0df4615d955f1807a8b1edb70b1b84acc3f671e7c4dedc68e57f3007f16606c7e
- SSDEEP: 24576:zY/qcnlLRW6SJwAZtyrjYC2kTyRqqwRurH:E/V/SJ3XyrjYCeqpqH
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\system32\\winlogon.exe" | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  Note: the entry appended after the stock userinit.exe is C:\system32\winlogon.exe, the dropped copy listed under Processes, not the genuine C:\Windows\System32\winlogon.exe. Every comma-separated entry in UserInit is started at each interactive logon, so this survives reboots without a Run key.
Modifies firewall policy service (3 TTPs, 3 IoCs)
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winlogon.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
  Note: EnableFirewall = 1 leaves the firewall on; the effect of these writes is to suppress the firewall notifications, consistent with the Security Center notification changes recorded below.
Modifies security service (2 TTPs, 1 IoC)
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winlogon.exe
  Note: Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) is no longer started at boot.
[Signature heading lost in extraction. The process tree lists both "Windows security bypass" and "Windows security modification" for PID 5008, and these rows belong to one of them.]
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Disables Task Manager via registry modification
  (no IoC rows recorded for this signature)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winlogon.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
  PID 2908 | winlogon.exe
  PID 2752 | winlogon.exe
  PID 5008 | winlogon.exe
[Signature heading lost in extraction. These are the same two Security Center values again, matched by a second signature; the process tree lists both "Windows security bypass" and "Windows security modification" for PID 5008.]
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\system32\\winlogon.exe" | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  Note: a per-user Run value named "winlogon" pointing at C:\system32\ (a directory the sample creates at the drive root) is a second, user-scoped persistence path for the same dropped binary as the UserInit entry.
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification | \??\PhysicalDrive0 | winlogon.exe
  File opened for modification | \??\PhysicalDrive0 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  Note: the recorded IoC is a write-capable handle on the raw disk, which needs an elevated token; the report does not show what was written, so confirm bootkit activity by comparing the first sector of the disk image against a known-good MBR before treating this as a boot-level infection.
Suspicious use of SetThreadContext (4 IoCs)
  PID 4068 set thread context of 1008 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | procid_target 85
  PID 1008 set thread context of 1704 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | procid_target 86
  PID 2908 set thread context of 2752 | winlogon.exe | procid_target 88
  PID 2752 set thread context of 5008 | winlogon.exe | procid_target 89
  Note: each of these parents also writes into the same child (see the WriteProcessMemory rows below), and in every case the child is a fresh copy of the parent's own image. Write memory plus SetThreadContext on a newly created child of the same image is the process-hollowing (RunPE) pattern; the sample does it twice with its own image and the dropped winlogon.exe repeats it twice more.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Both winlogon.exe and 28438517f96da37569cdf64333884f50_JaffaCakes118.exe perform the same four operations:
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Modifies registry class (1 IoC)
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5008 | winlogon.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  The same 24 privileges are enabled by PID 1704 (28438517f96da37569cdf64333884f50_JaffaCakes118.exe) and by PID 5008 (winlogon.exe):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus four reported only by LUID (33, 34, 35, 36) that the sandbox did not resolve to names.
  Note: AdjustTokenPrivileges can only enable privileges the token already holds, so this "enable everything" sweep only works because the process already runs elevated; the HKLM\SYSTEM writes and the write handle on \??\PhysicalDrive0 recorded above require the same elevated token.
Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 4068 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  PID 1008 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  PID 2908 | winlogon.exe
  PID 2752 | winlogon.exe
  PID 5008 | winlogon.exe
Suspicious use of WriteProcessMemory (47 IoCs)
  Identical rows collapsed per parent/child pair; the count of rows is in parentheses.
  PID 4068 wrote to memory of 1008 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | procid_target 85 (8 rows)
  PID 1008 wrote to memory of 1704 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | procid_target 86 (14 rows)
  PID 1704 wrote to memory of 2908 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | procid_target 87 (3 rows)
  PID 2908 wrote to memory of 2752 | winlogon.exe | procid_target 88 (8 rows)
  PID 2752 wrote to memory of 5008 | winlogon.exe | procid_target 89 (14 rows)
  Note: the three writes from 1704 into 2908 (the first launch of the dropped winlogon.exe) have no matching SetThreadContext row, and a small number of writes into a freshly created child also happens during ordinary process creation. The four hops that combine writes with SetThreadContext are the ones consistent with hollowing.
System policy modification (1 TTP, 3 IoCs)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | winlogon.exe
  Note: the path as written (Policies\CurrentVersion\Explorern) is not the Policies\Explorer key that Windows reads for NoControlPanel, so this write as recorded has no effect on the host; it is still a distinctive artifact worth keeping as an indicator.
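The registry writes recorded above (the UserInit entry, the per-user Run value, wscsvc Start, the Security Center and firewall notification flags, and the Explorer policy value) are what a detection engineer would turn into rules. The block below is an added example, not tria.ge output or code: it runs those rules in Python over Sysmon Event ID 13 (RegistryEvent SetValue) records. The records are constructed by hand from this report's rows plus two benign controls; the Sysmon field names (Image, TargetObject, Details) and its "DWORD (0x...)" rendering of numeric data are the only external assumptions.

```python
"""Registry-tampering rules for the persistence and defence-evasion IoCs in this
report, run over constructed Sysmon Event ID 13 (RegistryEvent SetValue) records.
Added example, not sandbox or vendor code."""
import ntpath
import re

# Constructed events as (Image, TargetObject, Details). Kernel-form key prefixes
# (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) are copied from the report as-is.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
DROPPED = r"C:\system32\winlogon.exe"
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    (SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,C:\system32\winlogon.exe"),
    (SAMPLE, HKU_RUN + r"\winlogon", r"C:\system32\winlogon.exe"),
    (DROPPED, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start", "DWORD (0x00000004)"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "DWORD (0x00000001)"),
    (DROPPED, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications", "DWORD (0x00000001)"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel", "DWORD (0x00000001)"),
    # Benign controls (constructed, not from the report): a normal Run entry and the stock UserInit value.
    (r"C:\Windows\System32\msiexec.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    (r"C:\Windows\System32\svchost.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,"),
]

SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
POLICY_RESTRICTIONS = {"nocontrolpanel", "disabletaskmgr", "disableregistrytools", "disablecmd"}
HONOURED_POLICY_KEYS = ("\\policies\\explorer", "\\policies\\system")  # keys Windows actually reads


def normalize_key(target):
    """Map \\REGISTRY\\MACHINE and \\REGISTRY\\USER onto HKLM / HKU and lower-case the path."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", target, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER", "HKU", key, flags=re.I)
    return key.lower()


def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000004)'; return the integer, or None for other types."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-f]{8})\)", details.strip(), flags=re.I)
    return int(m.group(1), 16) if m else None


def image_path(command):
    """First executable in a Run/UserInit value: a quoted path, or the text up to the first '.exe'."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command.strip(), flags=re.I)
    return (m.group(1) or m.group(2)) if m else command.split(" ", 1)[0]


def masquerading(path):
    """A well-known system binary name located outside the Windows system directories."""
    p = path.lower()
    return ntpath.basename(p) in SYSTEM_BINARIES and ntpath.dirname(p) not in SYSTEM_DIRS


def evaluate(image, target, details):
    """Return (rule, detail) hits for one SetValue event."""
    key = normalize_key(target)
    parent, _, name = key.rpartition("\\")
    hits = []
    if key.endswith("\\winlogon\\userinit"):
        entries = [e.strip().lower() for e in details.split(",") if e.strip()]
        if entries != [LEGIT_USERINIT]:  # anything beyond the stock userinit.exe runs at every logon
            hits.append(("winlogon_userinit_tampered", entries))
    if "\\currentversion\\run\\" in key and masquerading(image_path(details)):
        hits.append(("run_key_masquerading_system_binary", image_path(details)))
    if key.endswith("\\services\\wscsvc\\start") and dword(details) == 4:  # 4 = SERVICE_DISABLED
        hits.append(("security_center_service_disabled", 4))
    if "\\security center\\" in key and name.endswith("disablenotify") and dword(details) == 1:
        hits.append(("security_center_notifications_disabled", name))
    if "\\firewallpolicy\\" in key and name == "disablenotifications" and dword(details) == 1:
        hits.append(("firewall_notifications_disabled", parent))
    if name in POLICY_RESTRICTIONS and "\\policies\\" in key:
        effective = parent.endswith(HONOURED_POLICY_KEYS)
        hits.append(("explorer_policy_restriction",
                     name if effective else name + " (ineffective: non-standard policy path)"))
    return hits


def scan(events):
    """Run every rule over the records; a masquerading process image is reported once per image."""
    findings, flagged = [], set()
    for image, target, details in events:
        if masquerading(image) and image.lower() not in flagged:
            flagged.add(image.lower())
            findings.append({"rule": "process_masquerading_system_binary", "image": image, "key": None, "detail": image})
        for rule, detail in evaluate(image, target, details):
            findings.append({"rule": rule, "image": image, "key": target, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:40} {f['image']}  {f['detail']}")
```

The policy rule deliberately still fires on the misspelled Policies\CurrentVersion\Explorern path but labels it ineffective: the write is useless to the malware, yet it is a strong attribution artifact. The Run-key rule keys on a system binary name outside the system directories rather than on the specific C:\system32 path, so it also catches the same trick under other drop directories.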
Processes
1. C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe (PID 4068)
   Command line: "C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe (PID 1008, child of 4068)
     Command line: "C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
     - Writes to the Master Boot Record (MBR)
     - Suspicious use of SetThreadContext
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe (PID 1704, child of 1008)
       Command line: "C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
       - Modifies WinLogon for persistence
       - Checks BIOS information in registry
       - Checks computer location settings
       - Adds Run key to start application
       - Checks processor information in registry
       - Enumerates system info in registry
       - Modifies registry class
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\system32\winlogon.exe (PID 2908, child of 1704)
         Command line: "C:\system32\winlogon.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
        5. C:\system32\winlogon.exe (PID 2752, child of 2908)
           Command line: "C:\system32\winlogon.exe"
           - Executes dropped EXE
           - Writes to the Master Boot Record (MBR)
           - Suspicious use of SetThreadContext
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory
          6. C:\system32\winlogon.exe (PID 5008, child of 2752)
             Command line: "C:\system32\winlogon.exe"
             - Modifies firewall policy service
             - Modifies security service
             - Windows security bypass
             - Checks BIOS information in registry
             - Executes dropped EXE
             - Windows security modification
             - Checks processor information in registry
             - Enumerates system info in registry
             - Suspicious behavior: GetForegroundWindowSpam
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of SetWindowsHookEx
             - System policy modification
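The SetThreadContext and WriteProcessMemory tables and the process tree above together describe a single injection chain, and the rows as extracted are a flat run of repeated text. The block below is an added example, not tria.ge code: it parses rows in the page's own "PID A wrote to memory of B A <image> N" format, aggregates them per parent/child pair, walks the chain from the root process and classifies each hop. The row text is regenerated here from the report's tables with the same repeat counts (8, 14, 3, 8, 14 writes), and the PID-to-image map is taken from the Processes tree; the classification labels are this example's own.

```python
"""Rebuild and classify the injection chain from tria.ge-style SetThreadContext /
WriteProcessMemory rows. Added example, not tria.ge code."""
import re
from collections import defaultdict

SAMPLE = "28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
DROPPED = "winlogon.exe"
CTX, WRITE = "set thread context of", "wrote to memory of"


def row(pid, action, target, image, target_id):
    """One row in the page's format: 'PID <pid> <action> <target> <pid> <image> <procid_target>'."""
    return f"PID {pid} {action} {target} {pid} {image} {target_id}"


# Regenerated from the report's two tables with the repeat counts shown there.
REPORT_ROWS = " ".join(
    [row(4068, CTX, 1008, SAMPLE, 85), row(1008, CTX, 1704, SAMPLE, 86),
     row(2908, CTX, 2752, DROPPED, 88), row(2752, CTX, 5008, DROPPED, 89)]
    + [row(4068, WRITE, 1008, SAMPLE, 85)] * 8
    + [row(1008, WRITE, 1704, SAMPLE, 86)] * 14
    + [row(1704, WRITE, 2908, SAMPLE, 87)] * 3
    + [row(2908, WRITE, 2752, DROPPED, 88)] * 8
    + [row(2752, WRITE, 5008, DROPPED, 89)] * 14)
# PID -> image, from the report's Processes tree.
PROCESS_IMAGES = {4068: SAMPLE, 1008: SAMPLE, 1704: SAMPLE, 2908: DROPPED, 2752: DROPPED, 5008: DROPPED}

ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Yield (pid, action, target_pid, source_image) for every row in the flattened text."""
    for m in ROW.finditer(text):
        yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)


def build_edges(text):
    """Aggregate rows per (parent, child): number of writes and whether a thread context was set."""
    edges = {}
    for pid, action, target, image in parse_rows(text):
        edge = edges.setdefault((pid, target), {"writes": 0, "set_context": False, "src_image": image})
        if action == WRITE:
            edge["writes"] += 1
        else:
            edge["set_context"] = True
    return edges


def classify(edge, src_image, dst_image):
    """Writes plus SetThreadContext on a child is the hollowing/RunPE pattern. Writes alone also
    occur during ordinary process creation, so on their own they are only labelled 'spawn'."""
    if edge["set_context"] and edge["writes"]:
        return "self-hollowing" if src_image.lower() == dst_image.lower() else "hollowing"
    return "spawn" if edge["writes"] else "context-only"


def injection_chain(edges, images):
    """Walk from each root (a parent that is nobody's child), following the first child at every hop."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    all_children = {c for cs in children.values() for c in cs}
    steps = []
    for root in sorted(set(children) - all_children):
        node = root
        while children.get(node):
            child = children[node][0]
            edge = edges[(node, child)]
            steps.append({"parent": node, "child": child, "writes": edge["writes"],
                          "set_context": edge["set_context"],
                          "kind": classify(edge, images.get(node, edge["src_image"]), images.get(child, ""))})
            node = child
    return steps


if __name__ == "__main__":
    for s in injection_chain(build_edges(REPORT_ROWS), PROCESS_IMAGES):
        print(f"{s['parent']} -> {s['child']}: {s['writes']} writes, "
              f"SetThreadContext={s['set_context']}, {s['kind']}")
```

On this report the walk yields 4068 -> 1008 -> 1704 -> 2908 -> 2752 -> 5008, with every hop except 1704 -> 2908 classified as self-hollowing: the only hop without a SetThreadContext row is the one where the sample launches the dropped binary rather than a copy of itself. The same parser works on the raw text copied from any tria.ge report that uses this row layout, which is the point of keying the regex on the page's format rather than on a JSON export.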
Network
MITRE ATT&CK Enterprise v15 (the page's per-technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
  - Filesize: 952KB
  - MD5: 28438517f96da37569cdf64333884f50
  - SHA1: a77b7beb305a828f4c0f73b3dbe220d9a53e42f2
  - SHA256: e0a69909638dbec232e66444075e59502c580252a28bb2f48434cf6eaf6799de
  - SHA512: d21f46f16495a4a4197ac5e303d4cae2410cf2f7f1e3670aca13dd10bf93d4e0df4615d955f1807a8b1edb70b1b84acc3f671e7c4dedc68e57f3007f16606c7e