Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 08:30
Static task: static1
Behavioral task: behavioral1
  Sample: a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe
Size: 28KB
MD5: a6140ea94f3369840d411f33f309992c
SHA1: 80329d3aa7949b7d7bbb79ad307ea3b5cc6401b4
SHA256: 8cd5079cbcb4f1d7483752ec7574b255acb9d7c9804e7943cab2e8b399e31132
SHA512: c8fd9d2a6a4e684f4229899a4d5224a70a86e9f5844447cb50d66ac51301f9e9a519528cfcce547b7ab8fc656412c281666a327583f8ce72c07e260ba658d082
SSDEEP: 768:LP6ARLjHBv4fp1x0uSLFUoVb8me6RANF5J33ShQj9gitfufI430zDzYcCe:Llv4fpf0rZBVb7YFj33Vj9gitfub0zR
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\spoolsc\\spoolsc.exe,"
  process: spoolsc.exe
Executes dropped EXE (1 IoC)
  pid: 1744
  process: spoolsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsc = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsc\\spoolsc.exe"
  process: spoolsc.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsc = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsc\\spoolsc.exe"
  process: spoolsc.exe
Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: spoolsc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
  pid   process                                             entries
  2860  a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe  10
  1744  spoolsc.exe                                         54
Suspicious use of AdjustPrivilegeToken (22 IoCs)
  token                                 pid   process
  SeDebugPrivilege                      2860  a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe
  SeDebugPrivilege                      1744  spoolsc.exe
  SeIncreaseQuotaPrivilege              1744  spoolsc.exe
  SeSecurityPrivilege                   1744  spoolsc.exe
  SeTakeOwnershipPrivilege              1744  spoolsc.exe
  SeLoadDriverPrivilege                 1744  spoolsc.exe
  SeSystemProfilePrivilege              1744  spoolsc.exe
  SeSystemtimePrivilege                 1744  spoolsc.exe
  SeProfSingleProcessPrivilege          1744  spoolsc.exe
  SeIncBasePriorityPrivilege            1744  spoolsc.exe
  SeCreatePagefilePrivilege             1744  spoolsc.exe
  SeBackupPrivilege                     1744  spoolsc.exe
  SeRestorePrivilege                    1744  spoolsc.exe
  SeShutdownPrivilege                   1744  spoolsc.exe
  SeDebugPrivilege                      1744  spoolsc.exe
  SeSystemEnvironmentPrivilege          1744  spoolsc.exe
  SeRemoteShutdownPrivilege             1744  spoolsc.exe
  SeUndockPrivilege                     1744  spoolsc.exe
  SeManageVolumePrivilege               1744  spoolsc.exe
  33                                    1744  spoolsc.exe
  34                                    1744  spoolsc.exe
  35                                    1744  spoolsc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   process                                             procid_target
  PID 2860 wrote to memory of 1744    2860  a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe  31
  PID 2860 wrote to memory of 1744    2860  a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe  31
  PID 2860 wrote to memory of 1744    2860  a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe (PID 2860)
  command line: "C:\Users\Admin\AppData\Local\Temp\a6140ea94f3369840d411f33f309992c_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\spoolsc\spoolsc.exe (PID 1744, child of 2860)
    command line: "C:\Users\Admin\AppData\Roaming\spoolsc\spoolsc.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 28KB
MD5: a6140ea94f3369840d411f33f309992c
SHA1: 80329d3aa7949b7d7bbb79ad307ea3b5cc6401b4
SHA256: 8cd5079cbcb4f1d7483752ec7574b255acb9d7c9804e7943cab2e8b399e31132
SHA512: c8fd9d2a6a4e684f4229899a4d5224a70a86e9f5844447cb50d66ac51301f9e9a519528cfcce547b7ab8fc656412c281666a327583f8ce72c07e260ba658d082