Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 22:16
Static task
static1
Behavioral task
behavioral1
Sample
ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe
-
Size
268KB
-
MD5
ee87a0dadd178e77d3c282436ded4b2b
-
SHA1
06e39265a370e36e9af5a9ee5006642a6dfe3265
-
SHA256
a0f7b9bde7cd4d51f5c53358a7472fb02a06beafec41747e22d0ae4a48a8f327
-
SHA512
5eebb63fdd126d9f3342c270e27db24df5a2d8a2950594079b251be489978dfd721edecaf31e9fe689f8361cacd1b212cc5d9ead509083796d480b41c5d6b3b5
-
SSDEEP
1536:f6MJ249icel/Z01/NBX4UDpegM3zwACUJGLq42GrElP2T/1oHd5RVJujb3K+Z1Pa:fdX0e1FB/DpKjCLHfb3XMbh
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeBackupPrivilege 2096 ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2096 ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ee87a0dadd178e77d3c282436ded4b2b_JaffaCakes118.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2096
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4