Analysis
- max time kernel: 138s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17-08-2024 04:34
Static task
- static1

Behavioral task
- behavioral1: sample a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe, resource win7-20240708-en

Behavioral task
- behavioral2: sample a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe
- Size: 1.1MB
- MD5: a13789f8bd4cdec26e790329a4004abc
- SHA1: bb08e6997073e49249361ea813bc1c84b7a4c991
- SHA256: e5606780198a41f4ff786171c0ade6682cdf9a528bc3e41e5d4b85287846872a
- SHA512: 7215de411b6acee9051b7398ca91c851bfc0ff50d6c795329d136ca65d20628346fe833cb7a9d0f77edc1663d8d80d9fe501c794da0074277d5d80be0a45b1a4
- SSDEEP: 24576:MJeJfAqkjp98zHpieTX1DeGOxmKoc7LbvyFyK9:OeJfAJGpLrFeGOxmzc7M
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll.exe" (process: a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
Disables Task Manager via registry modification

YARA rule match (UPX packer signature)
- behavioral1/files/0x0007000000016cf5-12.dat: rule upx
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\regsvr.exe" (process: a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe, one entry per drive letter (every letter except C:, D: and F:): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Modifies WinLogon (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\system = "Winhelp.exe" (process: a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/1484-0-0x0000000000400000-0x000000000053B000-memory.dmp: rule autoit_exe
- behavioral1/files/0x0007000000016d32-24.dat: rule autoit_exe
- behavioral1/memory/1484-31-0x0000000000400000-0x000000000053B000-memory.dmp: rule autoit_exe
Drops file in System32 directory (9 IoCs, all by a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\rundll.exe
- File opened for modification: C:\Windows\SysWOW64\rundll.exe
- File created: C:\Windows\SysWOW64\COMCTL32.OCX
- File created: C:\Windows\SysWOW64\regsvr.exe
- File opened for modification: C:\Windows\SysWOW64\COMCTL32.OCX
- File opened for modification: C:\Windows\SysWOW64\regsvr.exe
- File created: C:\Windows\SysWOW64\winhelp.exe
- File opened for modification: C:\Windows\SysWOW64\winhelp.exe
- File opened for modification: C:\Windows\SysWOW64\setup.ini
Drops file in Windows directory (4 IoCs, all by a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
- File created: C:\Windows\winhelp.ini
- File opened for modification: C:\Windows\winhelp.ini
- File created: C:\Windows\regsvr.exe
- File opened for modification: C:\Windows\regsvr.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: at.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: at.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 1484, process a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe (all 64 entries are this same PID/process)
Suspicious use of WriteProcessMemory (16 IoCs; each line below was recorded 4 times)
- PID 1484 (a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe) wrote to memory of PID 2964, procid_target 30
- PID 2964 (cmd.exe) wrote to memory of PID 2668, procid_target 32
- PID 1484 (a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe) wrote to memory of PID 2356, procid_target 33
- PID 2356 (cmd.exe) wrote to memory of PID 2776, procid_target 35
Processes
- C:\Users\Admin\AppData\Local\Temp\a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe (PID 1484, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a13789f8bd4cdec26e790329a4004abc_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2964, depth 2)
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe (PID 2668, depth 3)
      Command line: AT /delete /yes
      Signatures:
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2356, depth 2)
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\winhelp.exe
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe (PID 2776, depth 3)
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\winhelp.exe
      Signatures:
      - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
- Persistence: Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Privilege Escalation: Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Downloads
- Filesize: 161KB
  MD5: 19eca722500302f159f9872fcfed19ee
  SHA1: b4aba98fce5fffe45bb1de10f5204bc34031bdad
  SHA256: 022b872cf55d4a2c0160e18350674b0c5a9d62a7523460ca5ae8edbed21cbc09
  SHA512: 8a92343149273bd0984b87a7fd2c0c077167cc3d7fdd3abdf63d40b407980d09d878cb6345e8e75f69f40c1b6a95c928419fc1fc192449e28399f5d2f2e3e9e2
- Filesize: 1.1MB (the submitted sample itself; MD5 a13789f8bd4cdec26e790329a4004abc, full hashes as listed under General)