Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 19:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe
Resource
win7-20240729-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe
-
Size
99KB
-
MD5
ee4aaba00083dd1b8a9495b80b3f7a9a
-
SHA1
42b64263cab6c2ed180cf3cadea00fe6765361c6
-
SHA256
6c10a38e802c130022c063caaefbf4a52e2cd257f8d76a1abe4e74067e1329f7
-
SHA512
b1708cd8153d4649c014d156ba212a2af38bcd6bddd13db0643d0b754348c89d13e2efaa8de862a583bc7ea08bc8703aa399103edcecff2e8cefa11f02fe9222
-
SSDEEP
768:EMm6jQusmj3H8nxGLCktJNB7cMatjMga8aTmjI3nqqPt:faRxGJNB7BeIDCWqQ
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\winlogon32.exe" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\winlogon32.exe" smss32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss32.exe -
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 3588 smss32.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" smss32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" smss32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss32.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\smss32.exe smss32.exe File opened for modification C:\Windows\SysWOW64\winlogon32.exe smss32.exe File opened for modification C:\Windows\SysWOW64\warning.html smss32.exe File created C:\Windows\SysWOW64\41.exe smss32.exe File created C:\Windows\SysWOW64\smss32.exe ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\smss32.exe ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe File created C:\Windows\SysWOW64\IS15.exe smss32.exe File created C:\Windows\SysWOW64\winlogon32.exe ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe File created C:\Windows\SysWOW64\helper32.dll smss32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\PhishingFilter ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0" smss32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" smss32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" smss32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\PhishingFilter smss32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter smss32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe 3588 smss32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3588 smss32.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 3588 smss32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1616 wrote to memory of 3588 1616 ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe 82 PID 1616 wrote to memory of 3588 1616 ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe 82 PID 1616 wrote to memory of 3588 1616 ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe 82 PID 3588 wrote to memory of 2360 3588 smss32.exe 83 PID 3588 wrote to memory of 2360 3588 smss32.exe 83 PID 3588 wrote to memory of 2360 3588 smss32.exe 83 -
System policy modification 1 TTPs 14 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop smss32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer smss32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1" ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1" smss32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1" smss32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1" smss32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ee4aaba00083dd1b8a9495b80b3f7a9a_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1616 -
C:\Windows\SysWOW64\smss32.exeC:\Windows\system32\smss32.exe2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3588 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\system32\helper32.dll3⤵
- System Location Discovery: System Language Discovery
PID:2360
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD5ee4aaba00083dd1b8a9495b80b3f7a9a
SHA142b64263cab6c2ed180cf3cadea00fe6765361c6
SHA2566c10a38e802c130022c063caaefbf4a52e2cd257f8d76a1abe4e74067e1329f7
SHA512b1708cd8153d4649c014d156ba212a2af38bcd6bddd13db0643d0b754348c89d13e2efaa8de862a583bc7ea08bc8703aa399103edcecff2e8cefa11f02fe9222