Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-08-2024 07:18
Static task
static1
Behavioral task
behavioral1
Sample
a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe
-
Size
276KB
-
MD5
a1a44be3c34145e13bdd062e4782697e
-
SHA1
0f5b1321d8572864e898ea8b285f21691c42f7e0
-
SHA256
ed6b39fcb1ae870df3f60aa2de8ea3809a364c5b57a13c662973442f4929af57
-
SHA512
096e6c28aadc85cb38826aa9425fa23309210e5433d408f2ab5297b5f59752737a0c9affd1143dde624a188ccdeca69f7581ba53bf43b489c81c51e0bf0ddc67
-
SSDEEP
3072:xX0e1FB/DpKjCLHhgEBJxb8dlLtw4pEqz:7bqlL2i
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process PID 2280 set thread context of 0 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeBackupPrivilege 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process PID 2280 wrote to memory of 0 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe PID 2280 wrote to memory of 0 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe PID 2280 wrote to memory of 0 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe PID 2280 wrote to memory of 0 2280 a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1a44be3c34145e13bdd062e4782697e_JaffaCakes118.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4