Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
13/07/2024, 07:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe
-
Size
76KB
-
MD5
40b2f07cf98c47e1b3436e91d7bcdcc7
-
SHA1
dde6474ecc96080d03477b072e0fbfd750818753
-
SHA256
faf82bb436e9bf6ffdf55b1338bf0fa20c93f548a7816e8a15d4daf38759c453
-
SHA512
3ae4461f25af280e2b466a85c9caa0a2971351d152a78eb4bf41cf01efc84a13ddfa5dd6294ad09972823fe0fb8257ed28dda2a916b7f9bbb5672882dd01eeff
-
SSDEEP
768:Je8bNRqsuhlGOBnhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+XkG:FnqJu3abBGy3G8V0iuoKn
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" scnp.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" scnp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 824 scnp.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt scnp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" scnp.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: scnp.exe File opened (read-only) \??\G: scnp.exe File opened (read-only) \??\Q: scnp.exe File opened (read-only) \??\N: scnp.exe File opened (read-only) \??\O: scnp.exe File opened (read-only) \??\W: scnp.exe File opened (read-only) \??\X: scnp.exe File opened (read-only) \??\B: scnp.exe File opened (read-only) \??\K: scnp.exe File opened (read-only) \??\L: scnp.exe File opened (read-only) \??\M: scnp.exe File opened (read-only) \??\Y: scnp.exe File opened (read-only) \??\V: scnp.exe File opened (read-only) \??\I: scnp.exe File opened (read-only) \??\P: scnp.exe File opened (read-only) \??\T: scnp.exe File opened (read-only) \??\U: scnp.exe File opened (read-only) \??\Z: scnp.exe File opened (read-only) \??\H: scnp.exe File opened (read-only) \??\J: scnp.exe File opened (read-only) \??\R: scnp.exe File opened (read-only) \??\S: scnp.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt scnp.exe File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr scnp.exe File created \??\c:\windows\SysWOW64\Desktop.sysm scnp.exe File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm scnp.exe File created \??\c:\windows\SysWOW64\maxtrox.txt 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\Windows 3D.scr 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe -
Drops file in Program Files directory 27 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe scnp.exe File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe scnp.exe File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe scnp.exe File opened for modification \??\c:\Program Files\7-Zip\7zG.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe scnp.exe File opened for modification \??\c:\Program Files\7-Zip\7z.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe scnp.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe scnp.exe File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe scnp.exe File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe scnp.exe File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe scnp.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe scnp.exe File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe scnp.exe -
Modifies registry class 36 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd scnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile scnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon scnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command scnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt scnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt scnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm scnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" scnp.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5004 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe 824 scnp.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5004 wrote to memory of 824 5004 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe 86 PID 5004 wrote to memory of 824 5004 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe 86 PID 5004 wrote to memory of 824 5004 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes118.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scnp.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\scnp.exe" 40b2f07cf98c47e1b3436e91d7bcdcc7_JaffaCakes1182⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:824
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD5da125eb6556c60c1c9396ced822bd700
SHA14cacf5123c5cbf5372312ea241faf272e6692087
SHA256e8a0724c628bfa10f5fd6dae36bbdddf07d1f2abf38760b5c0b8e24173904b00
SHA512fb6220505d8554aa71889049b6f5c17d6c98d2ad97cade291d74c0daf4feef747e10d78dd932cacf7022bfa8bf73392ce1509518f723b1ca0cc0df99992d9cbf
-
Filesize
76KB
MD564353a40882362068e80c57c9c242683
SHA1567244faf6af5e335c4b0f66c40758c2be41b57f
SHA256b742cfed368c84091dacc557b6a8c4b92168d44a7b232f894d212b07f043effa
SHA512bf5d1ab9265be4cbe126f20e253b9365f25dd4f94bef7209e09390f6f724489a41242a5c21cd356e9531df3d3ebd7d889d6e7d94298bae81a6dc37301f5535c1
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062