cbd589bd0b27a84befb4f8bd187cb842a0ea12a1bc79c507985229188f547220

Analysis

max time kernel
63s
max time network
67s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 13:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe
Size

437KB
MD5

beae90a4c4d0637f34b0c432a292e3d2
SHA1

94d5a653a4010da4f76742dca992239bab4ac4ca
SHA256

cbd589bd0b27a84befb4f8bd187cb842a0ea12a1bc79c507985229188f547220
SHA512

33241e2ad2cf2a9b0c309eaa163868227c6b3d0e9ab039ac3b6b84483de7740f6ebbf86489b6c2a65ff08e5d1671a199cc7b1f9c985691edb62c2090f0f644bb
SSDEEP

12288:OEC1Fo9faQp++gs7s7ytNr72gUxNBRh9:r9f/pMMs78UbB

Score

9^/10

defense_evasion discovery evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
2856	bcdedit.exe
1504	bcdedit.exe
2272	bcdedit.exe
3044	bcdedit.exe
2712	bcdedit.exe
2628	bcdedit.exe
2360	bcdedit.exe
2532	bcdedit.exe
952	bcdedit.exe
1756	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

caqos.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\f789981.sys	caqos.exe

Enables test signing to bypass driver trust controls 1 TTPs 10 IoCs

Allows any signed driver to load without validation against a trusted certificate authority.

defense_evasion

Code Signing Policy Modification

T1553.006

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
2628	bcdedit.exe
2532	bcdedit.exe
2856	bcdedit.exe
3044	bcdedit.exe
2712	bcdedit.exe
2360	bcdedit.exe
952	bcdedit.exe
1756	bcdedit.exe
1504	bcdedit.exe
2272	bcdedit.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1796	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

caqos.exe

pid	Process
2192	caqos.exe

Loads dropped DLL 2 IoCs

Processes:

beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe

pid	Process
1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe
1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

caqos.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Caqos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Apicul\\caqos.exe"	caqos.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1748 set thread context of 1796	1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe	50

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

caqos.execmd.exebeae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caqos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.execaqos.exe

pid	Process
1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe
2192	caqos.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
476

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caqos.exe

description	pid	Process
Token: SeShutdownPrivilege	2192	caqos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.execaqos.exe

description	pid	Process	procid_target
PID 1748 wrote to memory of 2192	1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe	29
PID 1748 wrote to memory of 2192	1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe	29
PID 1748 wrote to memory of 2192	1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe	29
PID 1748 wrote to memory of 2192	1748	beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2856	2192	caqos.exe	30
PID 2192 wrote to memory of 2856	2192	caqos.exe	30
PID 2192 wrote to memory of 2856	2192	caqos.exe	30
PID 2192 wrote to memory of 2856	2192	caqos.exe	30
PID 2192 wrote to memory of 1504	2192	caqos.exe	31
PID 2192 wrote to memory of 1504	2192	caqos.exe	31
PID 2192 wrote to memory of 1504	2192	caqos.exe	31
PID 2192 wrote to memory of 1504	2192	caqos.exe	31
PID 2192 wrote to memory of 2272	2192	caqos.exe	32
PID 2192 wrote to memory of 2272	2192	caqos.exe	32
PID 2192 wrote to memory of 2272	2192	caqos.exe	32
PID 2192 wrote to memory of 2272	2192	caqos.exe	32
PID 2192 wrote to memory of 3044	2192	caqos.exe	33
PID 2192 wrote to memory of 3044	2192	caqos.exe	33
PID 2192 wrote to memory of 3044	2192	caqos.exe	33
PID 2192 wrote to memory of 3044	2192	caqos.exe	33
PID 2192 wrote to memory of 2712	2192	caqos.exe	34
PID 2192 wrote to memory of 2712	2192	caqos.exe	34
PID 2192 wrote to memory of 2712	2192	caqos.exe	34
PID 2192 wrote to memory of 2712	2192	caqos.exe	34
PID 2192 wrote to memory of 2628	2192	caqos.exe	35
PID 2192 wrote to memory of 2628	2192	caqos.exe	35
PID 2192 wrote to memory of 2628	2192	caqos.exe	35
PID 2192 wrote to memory of 2628	2192	caqos.exe	35
PID 2192 wrote to memory of 2360	2192	caqos.exe	36
PID 2192 wrote to memory of 2360	2192	caqos.exe	36
PID 2192 wrote to memory of 2360	2192	caqos.exe	36
PID 2192 wrote to memory of 2360	2192	caqos.exe	36
PID 2192 wrote to memory of 2532	2192	caqos.exe	37
PID 2192 wrote to memory of 2532	2192	caqos.exe	37
PID 2192 wrote to memory of 2532	2192	caqos.exe	37
PID 2192 wrote to memory of 2532	2192	caqos.exe	37
PID 2192 wrote to memory of 952	2192	caqos.exe	38
PID 2192 wrote to memory of 952	2192	caqos.exe	38
PID 2192 wrote to memory of 952	2192	caqos.exe	38
PID 2192 wrote to memory of 952	2192	caqos.exe	38
PID 2192 wrote to memory of 1756	2192	caqos.exe	39
PID 2192 wrote to memory of 1756	2192	caqos.exe	39
PID 2192 wrote to memory of 1756	2192	caqos.exe	39
PID 2192 wrote to memory of 1756	2192	caqos.exe	39
PID 2192 wrote to memory of 1112	2192	caqos.exe	18
PID 2192 wrote to memory of 1112	2192	caqos.exe	18
PID 2192 wrote to memory of 1112	2192	caqos.exe	18
PID 2192 wrote to memory of 1112	2192	caqos.exe	18
PID 2192 wrote to memory of 1112	2192	caqos.exe	18
PID 2192 wrote to memory of 1184	2192	caqos.exe	19
PID 2192 wrote to memory of 1184	2192	caqos.exe	19
PID 2192 wrote to memory of 1184	2192	caqos.exe	19
PID 2192 wrote to memory of 1184	2192	caqos.exe	19
PID 2192 wrote to memory of 1184	2192	caqos.exe	19
PID 2192 wrote to memory of 1244	2192	caqos.exe	20
PID 2192 wrote to memory of 1244	2192	caqos.exe	20
PID 2192 wrote to memory of 1244	2192	caqos.exe	20
PID 2192 wrote to memory of 1244	2192	caqos.exe	20
PID 2192 wrote to memory of 1244	2192	caqos.exe	20
PID 2192 wrote to memory of 864	2192	caqos.exe	22
PID 2192 wrote to memory of 864	2192	caqos.exe	22
PID 2192 wrote to memory of 864	2192	caqos.exe	22
PID 2192 wrote to memory of 864	2192	caqos.exe	22
PID 2192 wrote to memory of 864	2192	caqos.exe	22

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\beae90a4c4d0637f34b0c432a292e3d2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\Apicul\caqos.exe
    "C:\Users\Admin\AppData\Local\Temp\Apicul\caqos.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:2856
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:1504
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:2272
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:3044
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:2712
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:2628
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:2360
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:2532
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:952
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe -set TESTSIGNING ON
      4⤵
      Modifies boot configuration data using bcdedit
      Enables test signing to bypass driver trust controls
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OIQBFF2.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Code Signing Policy Modification

T1553.006

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OIQBFF2.bat

Filesize
240B

MD5
bcef3b99cc46134e62cdf45ff184eca0

SHA1
20e2a8b849294de1eb568e0d3c4107c28bc5fd7d

SHA256
5278cff709412be9780ea6a132e951cf648fbb5e003d7d6ea8ba04db43d51706

SHA512
73810a73c40072487aa3e074dfe469946a090db16591ca1a817a7166fe476dcb615f539496669307f6379b79933344e96d565bfcfca7d28f691afa40e2686a44

Download Submit
\Users\Admin\AppData\Local\Temp\Apicul\caqos.exe

Filesize
437KB

MD5
15def0b9ea7a8e16f01f588058c8accf

SHA1
4c86ffe16da179ccd51d8b4306526723b71283d7

SHA256
28f5b1d4cd6becbdaa720a42843d221be5faea0d799202fa48a50a2c41ce6fd5

SHA512
1a33f2ce7f775c3279d861125047bfa482bb6f7f2c14843007bc6155de714c6618ada7cf4b789adc3eeef710d9a43f421cf801c25b2e268d5083b18fcfab7c53

Download Submit
memory/864-35-0x0000000001CD0000-0x0000000001D3E000-memory.dmp

Filesize
440KB

Download
memory/864-34-0x0000000001CD0000-0x0000000001D3E000-memory.dmp

Filesize
440KB

Download
memory/864-33-0x0000000001CD0000-0x0000000001D3E000-memory.dmp

Filesize
440KB

Download
memory/864-32-0x0000000001CD0000-0x0000000001D3E000-memory.dmp

Filesize
440KB

Download
memory/1112-19-0x0000000002130000-0x000000000219E000-memory.dmp

Filesize
440KB

Download
memory/1112-17-0x0000000002130000-0x000000000219E000-memory.dmp

Filesize
440KB

Download
memory/1112-16-0x0000000002130000-0x000000000219E000-memory.dmp

Filesize
440KB

Download
memory/1112-20-0x0000000002130000-0x000000000219E000-memory.dmp

Filesize
440KB

Download
memory/1112-18-0x0000000002130000-0x000000000219E000-memory.dmp

Filesize
440KB

Download
memory/1184-23-0x00000000020B0000-0x000000000211E000-memory.dmp

Filesize
440KB

Download
memory/1184-25-0x00000000020B0000-0x000000000211E000-memory.dmp

Filesize
440KB

Download
memory/1184-24-0x00000000020B0000-0x000000000211E000-memory.dmp

Filesize
440KB

Download
memory/1184-22-0x00000000020B0000-0x000000000211E000-memory.dmp

Filesize
440KB

Download
memory/1244-28-0x0000000002D10000-0x0000000002D7E000-memory.dmp

Filesize
440KB

Download
memory/1244-27-0x0000000002D10000-0x0000000002D7E000-memory.dmp

Filesize
440KB

Download
memory/1244-29-0x0000000002D10000-0x0000000002D7E000-memory.dmp

Filesize
440KB

Download
memory/1244-30-0x0000000002D10000-0x0000000002D7E000-memory.dmp

Filesize
440KB

Download
memory/1748-43-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1748-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1748-50-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-45-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1748-44-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1748-39-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-37-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-48-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-49-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1748-47-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1748-40-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-0-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/1748-42-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1748-41-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-38-0x0000000001D70000-0x0000000001DDE000-memory.dmp

Filesize
440KB

Download
memory/1748-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1748-46-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1748-59-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1796-54-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1796-67-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1796-63-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-61-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-60-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-62-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-58-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1796-57-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1796-56-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1796-70-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1796-66-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-64-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1796-65-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2192-78-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-72-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-73-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-74-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-75-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-76-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-77-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-81-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-79-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2192-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads