Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/07/2024, 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: 63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe
- Size: 900KB
- MD5: 63ef0345e13c18cb0678e3f02a6d73ec
- SHA1: 36447d8e0ae1700a67c516137169e8ead9a78003
- SHA256: dad7e8970d66932f9ec8a877164854ef92e4cfa821faa3a092aa374680bd10a0
- SHA512: ad6e529569ff4167362ced1f6dd627457a74c11cc6b9b9ae332f3efe28fd7a058b5e7eb9c11fe3e8ae7c039b546a85b2cec967196b8dfec1e4fbbd64e3f56015
- SSDEEP: 12288:RMYIWfFq6mgOmJbJPTLUfkF1w8fbN3+J86FMSaJ/q3NSo76ZBvu6Yoa/TBiFrO+z:RX3CkF1w8T1+J86F/uq3Mo6ZYoatE
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Userinit is launched by winlogon.exe at every interactive logon, so appending a second path to the value starts the payload alongside the legitimate userinit.exe.
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | test .scr.exe
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | test .scr.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | process
  3852 | test .scr.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | test .scr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe
  The second write is attributed to notepad.exe (PID 1752), the process that test .scr.exe wrote to repeatedly with WriteProcessMemory; stock Notepad does not write Run keys, so this is consistent with injected code running inside it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | process | procid_target
  2980 | 3852 | WerFault.exe | 86
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | test .scr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | test .scr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | test .scr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | test .scr.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | test .scr.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 entries are from PID 3852 (test .scr.exe). Tokens enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 33, 34, 35, 36.
  The sample enables essentially every privilege present in the elevated token rather than a single targeted one (SeDebugPrivilege alone would suffice for the injection seen below).
- Suspicious use of WriteProcessMemory (28 IoCs)
  source pid -> target pid | source process -> target process | writes | procid_target
  3944 -> 5024 | 63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe -> cmd.exe | 2 | 84
  3944 -> 3852 | 63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe -> test .scr.exe | 3 | 86
  3852 -> 1752 | test .scr.exe -> notepad.exe | 23 | 88
  A few writes from a parent into a child it has just created are consistent with ordinary process creation; the 23 writes from test .scr.exe into notepad.exe, after which notepad.exe itself sets the Run key, are the injection indicator.
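The two persistence signatures above (the Winlogon Userinit append and the HKCU Run value winupdater) are cheap to hunt for on a live host. The script below is an added triage check, not part of the sandbox output; it assumes an elevated PowerShell session on the host being examined. The value name winupdater and the path C:\Windupdt\winupdate.exe come from the report; the key lists and the matching logic are the author's assumptions.

```powershell
# Added triage script for the persistence IoCs in this report (not part of the sandbox output).
# Run in an elevated PowerShell session on the host being checked. Names taken from the
# report: value "winupdater", path C:\Windupdt\winupdate.exe. Everything else is assumption.

$findings = @()

# 1. Winlogon Userinit. The default is "<SystemRoot>\system32\userinit.exe," (one entry, trailing
#    comma). The sample appended C:\Windupdt\winupdate.exe, so any entry beyond the default is a finding.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit    = (Get-ItemProperty -Path $winlogonKey -Name 'Userinit' -ErrorAction Stop).Userinit
$expected    = Join-Path $env:SystemRoot 'system32\userinit.exe'
$entries     = $userinit -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' }
foreach ($e in $entries) {
    if ($e -ine $expected) {
        $findings += [pscustomobject]@{ Location = "$winlogonKey\Userinit"; Value = $e; Reason = 'Extra Userinit entry' }
    }
}

# 2. Run keys. The sample wrote HKCU\...\Run\winupdater = C:\Windupdt\winupdate.exe (from two
#    processes). Check HKLM (native and WOW6432Node) plus every loaded user hive, matching either
#    the value name or the Windupdt path in the data.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSChildName/... metadata
        if ($p.Name -ieq 'winupdater' -or "$($p.Value)" -imatch '\\Windupdt\\') {
            $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value; Reason = 'Run value matches report IoC' }
        }
    }
}

# 3. The payload path both registry values point at. Hash it if present so the file can be
#    compared with the artefacts listed under Downloads.
$payload = 'C:\Windupdt\winupdate.exe'
if (Test-Path -LiteralPath $payload) {
    $h = Get-FileHash -LiteralPath $payload -Algorithm SHA256
    $findings += [pscustomobject]@{ Location = $payload; Value = $h.Hash; Reason = 'Payload present on disk (SHA256)' }
}

if ($findings.Count -eq 0) { 'No IoCs from this report found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The Userinit check deliberately compares against the expected single entry instead of grepping for Windupdt, so it also catches a different path dropped by a re-packed variant; the Run-key check walks HKEY_USERS because the sandbox observed the write under a specific user SID (S-1-5-21-...-1000), and on a shared host the affected profile may not be the one running the script.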
Processes
C:\Users\Admin\AppData\Local\Temp\63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe (PID 3944)
  command line: "C:\Users\Admin\AppData\Local\Temp\63ef0345e13c18cb0678e3f02a6d73ec_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 5024)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\matrix.bat" "
  C:\Users\Admin\AppData\Local\Temp\test .scr.exe (PID 3852)
    command line: "C:\Users\Admin\AppData\Local\Temp\test .scr.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe (PID 1752)
      command line: notepad
      - Adds Run key to start application
    C:\Windows\SysWOW64\WerFault.exe (PID 2980)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 860
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 3732)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3852 -ip 3852
Both notepad.exe and WerFault.exe were started from SysWOW64, so test .scr.exe is a 32-bit process: its bare "notepad" command line resolved to the 32-bit Notepad through file-system redirection, and the matching WOW64 WerFault handled its crash (-p 3852).
Network
MITRE ATT&CK Enterprise v15
Downloads
- Artefact 1 (name not recorded in this extract)
  Filesize: 498B
  MD5: 82c80b9371a77dea5dae7be0465e12ec
  SHA1: 352c293197f06d61af414990e4e12e716779bb28
  SHA256: 2d0992c371d04241a42091bc513cddfcc0a50c65d03cb4f1bb0d5a255b908801
  SHA512: bd226a353b156a684d402aab391c7b2a50a231349a9a6750086e3a065d70a5de5dfe908b53e6ef3b79c39390a9fe681efff167837a563053eae173b772892c73
- Artefact 2 (name not recorded in this extract)
  Filesize: 659KB
  MD5: 27826851be859cf68fd872f52bf0fda0
  SHA1: ede13d2ada6448f7d7fba2eb7ae30a4ed2ba6adb
  SHA256: 2cec27c92a4eadd7bb087737718af0cb23c2864065caf7ef5e82c95be32b43b8
  SHA512: ae3645ea4e03085f670f2228bf1d93d1b1d6bba146c272ef583698b3227423b6dc966e7f613bcc1b135ce16012f20ddf00061fdf487570dc371246871efbe1af