270a803cdac159831da4c03a3781d44c7f088413f210a6503c70ca0d32355d24

Analysis

max time kernel
140s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe
Size

1.6MB
MD5

ec983fe90d1e42943bef2675d0e953b0
SHA1

c706eb619cd868d5d5fa0ab12438280a0008ceda
SHA256

270a803cdac159831da4c03a3781d44c7f088413f210a6503c70ca0d32355d24
SHA512

c6db382f5d53c5c075eec85131482cf17d06392d7318fe7547abbd30589d48ab00572884f554a775cdb51e685b096337f64671703202ddbc31139e62a71dc380
SSDEEP

24576:neb9EJeZn4Q26a1KWgsLZvA3NSIF2JEuXrgLPbZ6GNoNb/p4cUCkj/gazb:neRGfRgm+3NvUEpjZFaNLp4YgYQ

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ServiceWinlogom = "Winlogom.exe"	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Winlogom.exe	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Winlogom.exe	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\expressos.cfg	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pintinhogrande.sys	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec983fe90d1e42943bef2675d0e953b0_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1480