Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/07/2024, 18:59
Behavioral task behavioral1
- Sample: 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Size: 733KB
- MD5: 6466d57f553e2f1a1fa2b04887cb39f1
- SHA1: 91d78fc011d9cbb2f3e7fe8f74af26e447026320
- SHA256: 3c02b033d320021a76bb882beea0d2f26c8ae88f9174b012455b4b6e8f1fde7e
- SHA512: 6df6934886cf9e7d8859ff626eb09db66f449dde780b9d262ed8fd3891e02c7a39524c91265c1a0524541a6d9eb27fc546a549d6338de43059fb4f31374ee100
- SSDEEP: 12288:TpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMzXG91uhKIXn/RG:1wAcu99lPzvxP+Bsz2XjWTRMTckkIXn4
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
    pid | process
    1528 | winupdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 8 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
- Modifies registry class (1 IoC)
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid | process
    1528 | winupdate.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
    The same 24 tokens were adjusted by each of the two processes below, giving 48 IoCs in total:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    pid | process
    3504 | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe
    1528 | winupdate.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
    description | pid | process | procid_target
    PID 3504 wrote to memory of 3316 | 3504 | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe | 84 (reported 3 times)
    PID 3504 wrote to memory of 1528 | 3504 | 6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe | 88 (reported 3 times)
    PID 1528 wrote to memory of 2500 | 1528 | winupdate.exe | 89 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe (PID 3504)
  command line: "C:\Users\Admin\AppData\Local\Temp\6466d57f553e2f1a1fa2b04887cb39f1_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (PID 3316, child of 3504)
    command line: "C:\Windows\SysWOW64\explorer.exe"
  - C:\Windupdt\winupdate.exe (PID 1528, child of 3504)
    command line: "C:\Windupdt\winupdate.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 2500, child of 1528)
      command line: "C:\Windows\SysWOW64\explorer.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 733KB
- MD5: 6466d57f553e2f1a1fa2b04887cb39f1
- SHA1: 91d78fc011d9cbb2f3e7fe8f74af26e447026320
- SHA256: 3c02b033d320021a76bb882beea0d2f26c8ae88f9174b012455b4b6e8f1fde7e
- SHA512: 6df6934886cf9e7d8859ff626eb09db66f449dde780b9d262ed8fd3891e02c7a39524c91265c1a0524541a6d9eb27fc546a549d6338de43059fb4f31374ee100