Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22/07/2024, 22:31
Behavioral task
behavioral1
Sample
650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe
-
Size
723KB
-
MD5
650e8eebea969067fdde31da20d9b0ba
-
SHA1
710f976b524504e65d01ddb947a7bb756a9e1fd6
-
SHA256
dc2bbbadf241dc21246ca32daaea5abcef6c5141ca83cbb863c48e6d4b17646e
-
SHA512
b41a26c3c62d9b0e21310916a09d762d93ab94edfdf410b4b254655489cdde92c7719fb866ff37ce8c6bae6f1517252071053a36f727dc6c0faf2551a8753029
-
SSDEEP
12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJO:Q3nbWmJVJFwSddIXvfhqbiaxvRxq94
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSWINST\\mswinstat.exe" 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile mswinstat.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" mswinstat.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" mswinstat.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1336 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 472 mswinstat.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSWINST\\mswinstat.exe" mswinstat.exe Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSWINST\\mswinstat.exe" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSWINST\\mswinstat.exe" 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 472 set thread context of 2600 472 mswinstat.exe 91 -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\MSWINST\mswinstat.exe 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe File opened for modification C:\Windows\MSWINST\mswinstat.exe 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe File opened for modification C:\Windows\MSWINST\ 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeSecurityPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeSystemtimePrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeBackupPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeRestorePrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeShutdownPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeDebugPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeUndockPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeManageVolumePrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeImpersonatePrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: 33 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: 34 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: 35 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: 36 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 472 mswinstat.exe Token: SeSecurityPrivilege 472 mswinstat.exe Token: SeTakeOwnershipPrivilege 472 mswinstat.exe Token: SeLoadDriverPrivilege 472 mswinstat.exe Token: SeSystemProfilePrivilege 472 mswinstat.exe Token: SeSystemtimePrivilege 472 mswinstat.exe Token: SeProfSingleProcessPrivilege 472 mswinstat.exe Token: SeIncBasePriorityPrivilege 472 mswinstat.exe Token: SeCreatePagefilePrivilege 472 mswinstat.exe Token: SeBackupPrivilege 472 mswinstat.exe Token: SeRestorePrivilege 472 mswinstat.exe Token: SeShutdownPrivilege 472 mswinstat.exe Token: SeDebugPrivilege 472 mswinstat.exe Token: SeSystemEnvironmentPrivilege 472 mswinstat.exe Token: SeChangeNotifyPrivilege 472 mswinstat.exe Token: SeRemoteShutdownPrivilege 472 mswinstat.exe Token: SeUndockPrivilege 472 mswinstat.exe Token: SeManageVolumePrivilege 472 mswinstat.exe Token: SeImpersonatePrivilege 472 mswinstat.exe Token: SeCreateGlobalPrivilege 472 mswinstat.exe Token: 33 472 mswinstat.exe Token: 34 472 mswinstat.exe Token: 35 472 mswinstat.exe Token: 36 472 mswinstat.exe Token: SeIncreaseQuotaPrivilege 2600 iexplore.exe Token: SeSecurityPrivilege 2600 iexplore.exe Token: SeTakeOwnershipPrivilege 2600 iexplore.exe Token: SeLoadDriverPrivilege 2600 iexplore.exe Token: SeSystemProfilePrivilege 2600 iexplore.exe Token: SeSystemtimePrivilege 2600 iexplore.exe Token: SeProfSingleProcessPrivilege 2600 iexplore.exe Token: SeIncBasePriorityPrivilege 2600 iexplore.exe Token: SeCreatePagefilePrivilege 2600 iexplore.exe Token: SeBackupPrivilege 2600 iexplore.exe Token: SeRestorePrivilege 2600 iexplore.exe Token: SeShutdownPrivilege 2600 iexplore.exe Token: SeDebugPrivilege 2600 iexplore.exe Token: SeSystemEnvironmentPrivilege 2600 iexplore.exe Token: SeChangeNotifyPrivilege 2600 iexplore.exe Token: SeRemoteShutdownPrivilege 2600 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2600 iexplore.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1120 wrote to memory of 2028 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe 86 PID 1120 wrote to memory of 2028 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe 86 PID 1120 wrote to memory of 2028 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe 86 PID 2028 wrote to memory of 1336 2028 cmd.exe 88 PID 2028 wrote to memory of 1336 2028 cmd.exe 88 PID 2028 wrote to memory of 1336 2028 cmd.exe 88 PID 1120 wrote to memory of 472 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe 90 PID 1120 wrote to memory of 472 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe 90 PID 1120 wrote to memory of 472 1120 650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe 90 PID 472 wrote to memory of 2600 472 mswinstat.exe 91 PID 472 wrote to memory of 2600 472 mswinstat.exe 91 PID 472 wrote to memory of 2600 472 mswinstat.exe 91 PID 472 wrote to memory of 2600 472 mswinstat.exe 91 PID 472 wrote to memory of 2600 472 mswinstat.exe 91 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1336 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\650e8eebea969067fdde31da20d9b0ba_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1336
-
-
-
C:\Windows\MSWINST\mswinstat.exe"C:\Windows\MSWINST\mswinstat.exe"2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101B
MD5996f0aaed9af6625ed3e623c73d2965d
SHA1cbd202d3723fe64b4455cb25bbeab4dab018fea2
SHA2563f191bad7339a018fb0022c72759a6526e2f961154fbdd16ec7942f83930521b
SHA512dbfb3fae42f0f65956173293acbf816ed0625d6297deb1046c513512bd969c8494d1f3e253bd1ee7ba30f7394b9a78fd8d869ff75aa3ce13b6e61d054b8c6b3d
-
Filesize
723KB
MD5650e8eebea969067fdde31da20d9b0ba
SHA1710f976b524504e65d01ddb947a7bb756a9e1fd6
SHA256dc2bbbadf241dc21246ca32daaea5abcef6c5141ca83cbb863c48e6d4b17646e
SHA512b41a26c3c62d9b0e21310916a09d762d93ab94edfdf410b4b254655489cdde92c7719fb866ff37ce8c6bae6f1517252071053a36f727dc6c0faf2551a8753029