Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 19:04

Static task: static1
Behavioral task: behavioral1
  Sample: 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Size: 658KB
MD5: 646ae77a2a1e3b77d67f3fbfbad0c196
SHA1: ef127099b6ed542a5ade8ce84ce0ba3959e146b4
SHA256: 0af3bcc26eecebcc4e5c86819edf001bbc09db78c2e6b83160293312c4a37ef7
SHA512: b20bcba6433853f81a0a070502b848db93dca155b8aa8d1217b251a0fd07942c0624118e9eb1490ffae0f8993b3eef999820076db1c368484f357e5e9d27af80
SSDEEP: 12288:SJWWV9azog1UtQC9A9toG6MgkNTIoj8lTowJ1nmVPvx99v7sQejQLNIGJEKt:SJWWu8PQRBBN8Z85RjsQVIO
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\system32/drivers/drivers/driv/driverinstall/driver" | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

Windows security bypass
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

Windows security modification
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\driverinstall = "C:\\system32/drivers/drivers/driv/driverinstall/driver" | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2672 set thread context of 1280 | 2672 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe | 30
PID 1280 set thread context of 2836 | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe | 31

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2628 | 2836 | WerFault.exe | 31

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeSecurityPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeBackupPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeRestorePrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeShutdownPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeDebugPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeUndockPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: 33 | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: 34 | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
Token: 35 | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 2672 wrote to memory of 1280 | 2672 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe | 30 (13 identical rows)
PID 1280 wrote to memory of 2836 | 1280 | 646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe | 31 (6 identical rows)
PID 2836 wrote to memory of 2628 | 2836 | explorer.exe | 32 (4 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe"
   PID: 2672
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\646ae77a2a1e3b77d67f3fbfbad0c196_JaffaCakes118.exe"
      PID: 1280
      - Modifies WinLogon for persistence
      - Windows security bypass
      - Checks BIOS information in registry
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (child of 2)
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         PID: 2836
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe (child of 3)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 236
            PID: 2628
            - Program crash