Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17-09-2024 06:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
- Size: 1.3MB
- MD5: e63ac5e07f37c1b181aa02d04743c49d
- SHA1: 45025e5457cf4883acaf32db083a72cbe91532e0
- SHA256: 2d54f8acc24d92b01e76b7e588795fcf4c6767d91af149230b2ff0adedc5593b
- SHA512: 468c9f9f93dd06c457ab135cd7f190c3c0f34030e61add8eb74e176deec68ce07f1dc4884fa94b46ae0520ce3a73f9ca49affc3e5b404d055adaa7355f90971a
- SSDEEP: 12288:/1jNhRmGWxuIOlYddlH6fQni2CVNQdOFyR78RdIHGD84O+XXdNKUL9LJwDu0cwS7:oOWXa4tr8zIHGD/LoJLb70g/F8i4h
Malware Config
Extracted
- Family: latentbot
- C2: pleasework1.zapto.org
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Idman.exe
- Idman.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: winupdate.exe, explorer.exe
- winupdate.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- winupdate.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"
- winupdate.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe, Idman.exe, winupdate.exe
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Idman.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- winupdate.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Executes dropped EXE (4 IoCs)
Processes: 0mbblnme.aky.exe, fxa2txpp.crf.exe, Idman.exe, winupdate.exe
- PID 372: 0mbblnme.aky.exe
- PID 2692: fxa2txpp.crf.exe
- PID 2700: Idman.exe
- PID 3000: winupdate.exe
Loads dropped DLL (7 IoCs)
Processes: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe, Idman.exe, winupdate.exe
- PID 2716: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
- PID 2716: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
- PID 2716: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
- PID 2700: Idman.exe
- PID 3000: winupdate.exe
- PID 3000: winupdate.exe
- PID 3000: winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Idman.exe
- Idman.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes: winupdate.exe
- PID 3000 (winupdate.exe) set thread context of PID 1312 (procid_target 36)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: explorer.exe, e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe, 0mbblnme.aky.exe, Idman.exe, winupdate.exe
- explorer.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 0mbblnme.aky.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Idman.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- winupdate.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Idman.exe, winupdate.exe, explorer.exe
- Idman.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- winupdate.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- winupdate.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- winupdate.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Idman.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Idman.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Idman.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- winupdate.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: Idman.exe, winupdate.exe, explorer.exe
- Idman.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- winupdate.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Idman.exe, winupdate.exe, explorer.exe
- PID 2700 (Idman.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 3000 (winupdate.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1312 (explorer.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 0mbblnme.aky.exe, explorer.exe
- PID 372: 0mbblnme.aky.exe
- PID 1312: explorer.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe, fxa2txpp.crf.exe, Idman.exe, winupdate.exe
- PID 2716 (e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe) wrote to memory of PID 372, procid_target 31 (4 events)
- PID 2716 (e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe) wrote to memory of PID 2692, procid_target 32 (4 events)
- PID 2692 (fxa2txpp.crf.exe) wrote to memory of PID 2700, procid_target 33 (4 events)
- PID 2700 (Idman.exe) wrote to memory of PID 2608, procid_target 34 (4 events)
- PID 2700 (Idman.exe) wrote to memory of PID 3000, procid_target 35 (7 events)
- PID 3000 (winupdate.exe) wrote to memory of PID 1312, procid_target 36 (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe (PID 2716), command line "C:\Users\Admin\AppData\Local\Temp\e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0mbblnme.aky.exe (PID 372), command line "C:\Users\Admin\AppData\Local\Temp\0mbblnme.aky.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\fxa2txpp.crf.exe (PID 2692), command line "C:\Users\Admin\AppData\Local\Temp\fxa2txpp.crf.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Idman.exe (PID 2700), command line "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 2608), command line "C:\Windows\SysWOW64\explorer.exe"
      - C:\Windupdt\winupdate.exe (PID 3000), command line "C:\Windupdt\winupdate.exe"
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\explorer.exe (PID 1312), command line "C:\Windows\SysWOW64\explorer.exe"
          - Modifies firewall policy service
          - Checks BIOS information in registry
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (3)
Downloads
- Dropped file
  - Filesize: 635KB
  - MD5: 5fc4471359c1b38413f55ed49e148d8c
  - SHA1: 2894ddb54588c245d8bc0abd6e388805565163ed
  - SHA256: 82310b79e2c1a247f237e1a60423c33550a8599fb494f3c05b834d3f67b80c3f
  - SHA512: 6a5eb90dfeb11513338ca9e6a3662c5e8fefae88c7361cfe17fe73ba8c690fc2a713cd07b9d48502dab3da74128d2f41104e9c8f3a0e8db7d6ed178a85e1dbd5
- Dropped file
  - Filesize: 60KB
  - MD5: 2a7cf13acb76bd371fc77250462deb7d
  - SHA1: 1cec85761b0d62cf5da744adc2fb7c35a2934779
  - SHA256: 787c9933b171b34f77439c729bea9cf121c4d1336c5f037f55bb42115efd286d
  - SHA512: 161e315922983a9f729a972a1cb320f1762aff9d0708c68abaf559270ae409454af4496fd076c95ea219a3d9ca2794a0a934c6d4b539899617ff33f6638d8238
- Dropped file
  - Filesize: 694KB
  - MD5: 074bd26c85692fb8f962777e4eb9e19b
  - SHA1: 1f6eb86694c00fa3a1a54ca7e1c9231ebe0fc628
  - SHA256: 6fb8f3cea82b0a54eb0b23953d72fd7ff0b19e1e6eaa59dafb712d47f842635a
  - SHA512: a87b50837df3f189770920271e1283891e0c4092f108cb44a89352e2c5afe4b88fc78e8324348ea6069f99604d1a37b7b24cd7073439783c1f49a92c6ef0e46b