Analysis

- max time kernel: 13s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 16:38
Static task

- static1

Behavioral task

- behavioral1
  Sample: 63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task

- behavioral2
  Sample: 63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

- Target: 63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe
- Size: 668KB
- MD5: 63f2fc876c09c7a6a1700612e479f251
- SHA1: 36acdc5c72b3159ce9b2764259a3c208ff2d4f54
- SHA256: 4a2b8775c52b3594c1e8889afdf96c1477853d5b912b3ede8248fa306da74bcd
- SHA512: 9bdd352918b393a5a8d39f0b1535cea00f21a2127ebaca992dc159895549a6b5c7efe057442831d959dc7fdc166f5d3e5a9b77dd50fa0899c9abe117542e6647
- SSDEEP: 12288:+oiyf03HDkrzviq6C09GZPQcxaBOzcL75WmnTKWfg0wxXSjqT9tMM/GU9fWXaFQI:+oIHgnq5IOKFQB2Fakn
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Updates\\winupdate.exe" (process: vbc.exe)

- Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: vbc.exe)

- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: vbc.exe)

- YARA rule matches (resource / yara_rule)
  behavioral1/memory/2268-13-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-12-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-11-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-7-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-5-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-15-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-18-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-19-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-20-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-17-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-16-0x0000000000400000-0x00000000004B5000-memory.dmp / upx
  behavioral1/memory/2268-33-0x0000000000400000-0x00000000004B5000-memory.dmp / upx

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater32 = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Updates\\winupdate.exe" (process: vbc.exe)

- Suspicious use of SetThreadContext (2 IoCs)
  PID 2304 set thread context of 2268 (pid 2304, process: 63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe, procid_target: 29)
  PID 2268 set thread context of 2640 (pid 2268, process: vbc.exe, procid_target: 30)

- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: vbc.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: vbc.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: vbc.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: vbc.exe)

- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: vbc.exe)

- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  All by pid 2268 (process: vbc.exe). Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2304 wrote to memory of 2268 (pid 2304, process: 63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe, procid_target: 29), 8 entries
  PID 2268 wrote to memory of 2640 (pid 2268, process: vbc.exe, procid_target: 30), 6 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63f2fc876c09c7a6a1700612e479f251_JaffaCakes118.exe"
  PID: 2304
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 2268
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      PID: 2640