Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 06:29
Static task: static1
Behavioral task: behavioral1
Sample: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
Size: 1.3MB
MD5: e63ac5e07f37c1b181aa02d04743c49d
SHA1: 45025e5457cf4883acaf32db083a72cbe91532e0
SHA256: 2d54f8acc24d92b01e76b7e588795fcf4c6767d91af149230b2ff0adedc5593b
SHA512: 468c9f9f93dd06c457ab135cd7f190c3c0f34030e61add8eb74e176deec68ce07f1dc4884fa94b46ae0520ce3a73f9ca49affc3e5b404d055adaa7355f90971a
SSDEEP: 12288:/1jNhRmGWxuIOlYddlH6fQni2CVNQdOFyR78RdIHGD84O+XXdNKUL9LJwDu0cwS7:oOWXa4tr8zIHGD/LoJLb70g/F8i4h
Malware Config
Extracted
latentbot
pleasework1.zapto.org
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Idman.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | Idman.exe
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: winupdate.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Idman.exe, winupdate.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Idman.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe, m4oyvyeo.b4o.exe, Idman.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | m4oyvyeo.b4o.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | Idman.exe
Executes dropped EXE (4 IoCs)
Processes: 2ixdjtyz.kdl.exe, m4oyvyeo.b4o.exe, Idman.exe, winupdate.exe
pid | Process
4088 | 2ixdjtyz.kdl.exe
4704 | m4oyvyeo.b4o.exe
3736 | Idman.exe
3348 | winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Idman.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | Idman.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 2ixdjtyz.kdl.exe, Idman.exe, winupdate.exe, e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ixdjtyz.kdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idman.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: winupdate.exe, Idman.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Idman.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Idman.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Idman.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Idman.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: Idman.exe, winupdate.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Idman.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: Idman.exe, winupdate.exe
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 3736 | Idman.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 3348 | winupdate.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 2ixdjtyz.kdl.exe, winupdate.exe
pid | Process
4088 | 2ixdjtyz.kdl.exe
3348 | winupdate.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe, m4oyvyeo.b4o.exe, Idman.exe, winupdate.exe
description | pid | Process | procid_target
PID 2316 wrote to memory of 4088 | 2316 | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe | 82
PID 2316 wrote to memory of 4088 | 2316 | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe | 82
PID 2316 wrote to memory of 4088 | 2316 | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe | 82
PID 2316 wrote to memory of 4704 | 2316 | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe | 83
PID 2316 wrote to memory of 4704 | 2316 | e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe | 83
PID 4704 wrote to memory of 3736 | 4704 | m4oyvyeo.b4o.exe | 86
PID 4704 wrote to memory of 3736 | 4704 | m4oyvyeo.b4o.exe | 86
PID 4704 wrote to memory of 3736 | 4704 | m4oyvyeo.b4o.exe | 86
PID 3736 wrote to memory of 4884 | 3736 | Idman.exe | 87
PID 3736 wrote to memory of 4884 | 3736 | Idman.exe | 87
PID 3736 wrote to memory of 4884 | 3736 | Idman.exe | 87
PID 3736 wrote to memory of 3348 | 3736 | Idman.exe | 89
PID 3736 wrote to memory of 3348 | 3736 | Idman.exe | 89
PID 3736 wrote to memory of 3348 | 3736 | Idman.exe | 89
PID 3348 wrote to memory of 4560 | 3348 | winupdate.exe | 90
PID 3348 wrote to memory of 4560 | 3348 | winupdate.exe | 90
PID 3348 wrote to memory of 4560 | 3348 | winupdate.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe (depth 1, PID 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2ixdjtyz.kdl.exe (depth 2, PID 4088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ixdjtyz.kdl.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\m4oyvyeo.b4o.exe (depth 2, PID 4704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\m4oyvyeo.b4o.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Idman.exe (depth 3, PID 3736)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\explorer.exe (depth 4, PID 4884)
        Command line: "C:\Windows\SysWOW64\explorer.exe"

      C:\Windupdt\winupdate.exe (depth 4, PID 3348)
        Command line: "C:\Windupdt\winupdate.exe"
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe (depth 5, PID 4560)
          Command line: "C:\Windows\SysWOW64\explorer.exe"
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 60KB
MD5: 2a7cf13acb76bd371fc77250462deb7d
SHA1: 1cec85761b0d62cf5da744adc2fb7c35a2934779
SHA256: 787c9933b171b34f77439c729bea9cf121c4d1336c5f037f55bb42115efd286d
SHA512: 161e315922983a9f729a972a1cb320f1762aff9d0708c68abaf559270ae409454af4496fd076c95ea219a3d9ca2794a0a934c6d4b539899617ff33f6638d8238

Filesize: 635KB
MD5: 5fc4471359c1b38413f55ed49e148d8c
SHA1: 2894ddb54588c245d8bc0abd6e388805565163ed
SHA256: 82310b79e2c1a247f237e1a60423c33550a8599fb494f3c05b834d3f67b80c3f
SHA512: 6a5eb90dfeb11513338ca9e6a3662c5e8fefae88c7361cfe17fe73ba8c690fc2a713cd07b9d48502dab3da74128d2f41104e9c8f3a0e8db7d6ed178a85e1dbd5

Filesize: 694KB
MD5: 074bd26c85692fb8f962777e4eb9e19b
SHA1: 1f6eb86694c00fa3a1a54ca7e1c9231ebe0fc628
SHA256: 6fb8f3cea82b0a54eb0b23953d72fd7ff0b19e1e6eaa59dafb712d47f842635a
SHA512: a87b50837df3f189770920271e1283891e0c4092f108cb44a89352e2c5afe4b88fc78e8324348ea6069f99604d1a37b7b24cd7073439783c1f49a92c6ef0e46b