25268c705039aa0e6244cc144887b54ff76e1fafabd2bcf32e9d9f4f2611ee8f

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
Size

31KB
MD5

ed2b0b7ce80f2bb96287375bdbbb94be
SHA1

3f12f4ee68850366cc304286d2df6e4cfcc0579c
SHA256

25268c705039aa0e6244cc144887b54ff76e1fafabd2bcf32e9d9f4f2611ee8f
SHA512

8ee765e07c800b600b80db95bab2d827d8266de5e6ddd429f79bfea586bd9aa9848af05d70dee09f616e0c60878ebb98d2648f14d0c0a7e8d327ef6423b8ddec
SSDEEP

768:ZzKPF9N7wNFHTM5IuWABIpcg8NgoLhn0a/nbcuyD7UoNWGb:JKPDN7sFzyZWAg8NgWR/nouy84t

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360se = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\s:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\t:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\u:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\i:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\k:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\o:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\p:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\r:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\x:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\z:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\h:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\j:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\l:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\n:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\q:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\y:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\e:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\g:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\v:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened (read-only)	\??\w:	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259444654.DEP	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rgdltecq\ohoifz.pif	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\rgdltecq\ohoifz.pif	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
Token: SeDebugPrivilege	2904	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed2b0b7ce80f2bb96287375bdbbb94be_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259444654.DEP

Filesize
12.1MB

MD5
67c884dc6b5482f10ef8039fa6b9d92b

SHA1
6f2d30e613f7a1496ab90446a7f5f06e3917af31

SHA256
6726c21268bd384ab916591b4624d6dffbe6a5815ee96cc1ed9b7f6a846818eb

SHA512
39655cadb929b5813c1ef9fb7c59fbf117e74de6ebe27cd21838ebef1b346b0aac2c1952994f0ab4e8db52440775f4911819b7ad5362687dba338f9a9f161b1f

Download Submit
memory/2904-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2904-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download