Analysis

max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-08-2024 08:38
Behavioral task behavioral1
  Sample: 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task behavioral2
  Sample: 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
Size: 1.5MB
MD5: 89b4515a49376f92b7f52f668933422f
SHA1: aeb37965ae2dff6bba95d1ce60557420ba3dcd97
SHA256: 32f5cd068eed57f23fe3238b0adc8ce17bd60166f69e74406f2a1523b16de16f
SHA512: af2cb1c883f40720379a69537724c08d5413e4dc74bd78f975d5dc8bee0dfe31048caeaedf76ded18a4fc65014ba6e1120de520a7b7de923c02eb5d2e58fab1e
SSDEEP: 6144:CYZTNk3D6LyUXwLLk+cR3qh0GQ43VJRD0ew2fPDZj:CSNC80I+cR3R03Vse5fPDZ
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SSVICHOSST.exe" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe

Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe

Disables Task Manager via registry modification
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\SSVICHOSST.exe" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\r: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\t: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\u: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\w: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\l: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\g: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\i: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\j: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\n: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\p: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\v: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\a: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\k: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\o: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\q: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\y: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\h: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\e: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\m: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\s: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\x: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\z: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened (read-only) | \??\b: | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\SSVICHOSST.exe | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\SSVICHOSST.exe | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\autorun.ini | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SSVICHOSST.exe | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  File opened for modification | C:\Windows\SSVICHOSST.exe | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://rnd009.googlepages.com/google.html" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://rnd009.googlepages.com/google.html" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://rnd009.googlepages.com/google.html" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe

Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://rnd009.googlepages.com/google.html" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://rnd009.googlepages.com/google.html" | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3856 wrote to memory of 2752 | 3856 | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe | 86
  PID 3856 wrote to memory of 2752 | 3856 | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe | 86
  PID 3856 wrote to memory of 2752 | 3856 | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe | 86
  PID 2752 wrote to memory of 2544 | 2752 | cmd.exe | 88
  PID 2752 wrote to memory of 2544 | 2752 | cmd.exe | 88
  PID 2752 wrote to memory of 2544 | 2752 | cmd.exe | 88
  PID 3856 wrote to memory of 3944 | 3856 | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe | 89
  PID 3856 wrote to memory of 3944 | 3856 | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe | 89
  PID 3856 wrote to memory of 3944 | 3856 | 89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe | 89
  PID 3944 wrote to memory of 1136 | 3944 | cmd.exe | 91
  PID 3944 wrote to memory of 1136 | 3944 | cmd.exe | 91
  PID 3944 wrote to memory of 1136 | 3944 | cmd.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\89b4515a49376f92b7f52f668933422f_JaffaCakes118.exe"
  PID: 3856
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 2752
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\at.exe
      command line: AT /delete /yes
      PID: 2544
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\SSVICHOSST.exe
    PID: 3944
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\at.exe
      command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\SSVICHOSST.exe
      PID: 1136
      - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 109B
MD5: 43b9dfd6e61eba0dda808ab0f5f966aa
SHA1: ffdca1842198d91dae7c98e862704ea80235894b
SHA256: de6a46a45c6fb7c6e3ef68bba4d706b2f398dc961fbdbd2b23a5067c5faff406
SHA512: 40f1c2597ad182c5e4c2fd6e3bf63e5683f1f9acdd3021eaee5d7c20f39dfc525736bd73ad7955a770b23ce1eb419a3c346095b31573bb9aea9558fd07494981