d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

Analysis

max time kernel
7s
max time network
7s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 13:09

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe
Size

39KB
MD5

67b78d68337844c4ce0c585851b633e2
SHA1

e356526d53a8f1bef9587544c46af4035d31d7f8
SHA256

d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28
SHA512

0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be
SSDEEP

384:bZk4nwCxOnBpWP0Gre5dHMvjNk4UIgeOdCAH2N7gt/V5bd2ChRl9mmu1ZPeic:bZhwCepW1re5arXAHr/Lbd2Pmbi

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1720	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	35E404869C1FD13C8140.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	svchost.exe
1720	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	1720	svchost.exe
Token: SeBackupPrivilege	2332	vssvc.exe
Token: SeRestorePrivilege	2332	vssvc.exe
Token: SeAuditPrivilege	2332	vssvc.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeRestorePrivilege	2784	DrvInst.exe
Token: SeLoadDriverPrivilege	2784	DrvInst.exe
Token: SeLoadDriverPrivilege	2784	DrvInst.exe
Token: SeLoadDriverPrivilege	2784	DrvInst.exe
Token: SeShutdownPrivilege	1976	shutdown.exe
Token: SeRemoteShutdownPrivilege	1976	shutdown.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1720	2076	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1720	2076	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1720	2076	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1720	2076	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1720	2076	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	30
PID 1720 wrote to memory of 3068	1720	svchost.exe	31
PID 1720 wrote to memory of 3068	1720	svchost.exe	31
PID 1720 wrote to memory of 3068	1720	svchost.exe	31
PID 1720 wrote to memory of 3068	1720	svchost.exe	31
PID 1720 wrote to memory of 1976	1720	svchost.exe	38
PID 1720 wrote to memory of 1976	1720	svchost.exe	38
PID 1720 wrote to memory of 1976	1720	svchost.exe	38
PID 1720 wrote to memory of 1976	1720	svchost.exe	38
PID 1720 wrote to memory of 2304	1720	svchost.exe	39
PID 1720 wrote to memory of 2304	1720	svchost.exe	39
PID 1720 wrote to memory of 2304	1720	svchost.exe	39
PID 1720 wrote to memory of 2304	1720	svchost.exe	39
PID 2304 wrote to memory of 2028	2304	35E404869C1FD13C8140.exe	41
PID 2304 wrote to memory of 2028	2304	35E404869C1FD13C8140.exe	41
PID 2304 wrote to memory of 2028	2304	35E404869C1FD13C8140.exe	41
PID 2304 wrote to memory of 2028	2304	35E404869C1FD13C8140.exe	41
PID 2304 wrote to memory of 2028	2304	35E404869C1FD13C8140.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Disables RegEdit via registry modification
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown.exe -r -f -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\35E404869C1FD13C8140.exe
    C:\Users\Admin\AppData\Local\Temp\35E404869C1FD13C8140.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000004C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\35E404869C1FD13C8140.exe

Filesize
39KB

MD5
67b78d68337844c4ce0c585851b633e2

SHA1
e356526d53a8f1bef9587544c46af4035d31d7f8

SHA256
d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

SHA512
0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be

Download Submit
memory/1720-19-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/1720-3-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/1720-5-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/1720-2-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2028-16-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2028-20-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2028-22-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2028-25-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2076-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2076-0-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2076-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2304-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2304-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download