Analysis
max time kernel: 125s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2024 05:05
Behavioral task: behavioral1
Sample: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe
Size: 12KB
MD5: ef1e383f9e6bbd9468f73acfbd60d03f
SHA1: 1616e1e046666d283259d41882aa2d5f602be4ec
SHA256: 958aefeb11c3c540a20f840031b201a2c66e524bb4a4ed8d9f4f17d76d6a4a85
SHA512: 99b46e64287b2ec036f6a12d2ce8d20160eafb0d4512ca5d976c7676234bf0a912f55ebf1fa0c2f75fd97ab77f2ec65b9f97ed0865aea88e2d21e44ef605b43c
SSDEEP: 192:7WsnGNS9NYmsRWecp1xmQEaez0jYN2HmSmQcR+hbBHA6hnTWL82xW7:BGs7GWecpvmQlaZEPXg6hnTWL82xW7
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\rundll16.exe C:\\Windows\\system32\\c_10083.nls" (process: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe)
Executes dropped EXE (1 IoCs)
- PID 2824: npkpdb.dll
yara_rule matches (resource: rule)
- behavioral2/memory/3476-0-0x0000000000400000-0x0000000000416000-memory.dmp: upx
- behavioral2/files/0x00070000000235f0-15.dat: upx
- behavioral2/memory/3476-31-0x0000000000400000-0x0000000000416000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\rundll.exe" (process: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Run a DLL as an App = "C:\\Windows\\system32\\rundll16.exe" (process: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe)
Drops autorun.inf file (1 TTPs, 24 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process for every entry: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe
- File opened for modification: C:\Autorun.inf, D:\Autorun.inf, F:\Autorun.inf
- File opened for modification: \??\E:\Autorun.inf, \??\G:\Autorun.inf, \??\H:\Autorun.inf, \??\I:\Autorun.inf, \??\J:\Autorun.inf, \??\K:\Autorun.inf, \??\L:\Autorun.inf, \??\M:\Autorun.inf, \??\N:\Autorun.inf, \??\O:\Autorun.inf, \??\P:\Autorun.inf, \??\Q:\Autorun.inf, \??\R:\Autorun.inf, \??\S:\Autorun.inf, \??\T:\Autorun.inf, \??\U:\Autorun.inf, \??\V:\Autorun.inf, \??\W:\Autorun.inf, \??\X:\Autorun.inf, \??\Y:\Autorun.inf, \??\Z:\Autorun.inf
Drops file in System32 directory (10 IoCs)
Process for every entry: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe
- File created: C:\Windows\SysWOW64\rundll86.exe
- File created: C:\Windows\SysWOW64\rundll32.exe
- File opened for modification: C:\Windows\SysWOW64\npkpdb.dll
- File created: C:\Windows\SysWOW64\rundll.exe
- File opened for modification: C:\Windows\SysWOW64\rundll.exe
- File created: C:\Windows\SysWOW64\UTF-8.nls
- File opened for modification: C:\Windows\SysWOW64\rundll86.exe
- File created: C:\Windows\SysWOW64\c_10083.nls
- File opened for modification: C:\Windows\SysWOW64\c_10083.nls
- File opened for modification: C:\Windows\SysWOW64\UTF-8.nls
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: npkpdb.dll)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
Modifies Internet Explorer settings (4 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar (process: explorer.exe)
Modifies registry class (20 IoCs)
Process for every entry: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
- Set value (str): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
- Set value (data): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
- Set value (int): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- PID 4284: explorer.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 3476: ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe
- PID 2824: npkpdb.dll
- PID 4284: explorer.exe
- PID 4284: explorer.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3476 (ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe) wrote to memory of 2824, procid_target 89
- PID 3476 (ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe) wrote to memory of 2824, procid_target 89
- PID 3476 (ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe) wrote to memory of 2824, procid_target 89
- PID 3476 (ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe) wrote to memory of 3732, procid_target 90
- PID 3476 (ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe) wrote to memory of 3732, procid_target 90
- PID 3476 (ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe) wrote to memory of 3732, procid_target 90
Processes
- C:\Users\Admin\AppData\Local\Temp\ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe (PID 3476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef1e383f9e6bbd9468f73acfbd60d03f_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\npkpdb.dll (PID 2824, child of 3476)
    Command line: C:\Windows\system32\npkpdb.dll
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\explorer.exe (PID 3732, child of 3476)
    Command line: explorer.exe C:\
    - System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 4284)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4272)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (same hashes as the submitted sample)
Filesize: 12KB
MD5: ef1e383f9e6bbd9468f73acfbd60d03f
SHA1: 1616e1e046666d283259d41882aa2d5f602be4ec
SHA256: 958aefeb11c3c540a20f840031b201a2c66e524bb4a4ed8d9f4f17d76d6a4a85
SHA512: 99b46e64287b2ec036f6a12d2ce8d20160eafb0d4512ca5d976c7676234bf0a912f55ebf1fa0c2f75fd97ab77f2ec65b9f97ed0865aea88e2d21e44ef605b43c
File 2
Filesize: 20KB
MD5: e53c109deddc2d3f3ec7953738a03c38
SHA1: 89d0f68bfae88a2d7f1e9aadd1d629a40f4477f3
SHA256: 692efe76420bb927712bd35a472614f9d12550c512090b7a55c2171d2e28ea8f
SHA512: d0a12d3b55763fc061ff5a7649f23e632ae8ea0d320f30c9c9ef3c11921b4e0366508d9c18df073c51e0222e44f1ffea902d59ee6424e53c07d935db7ece5bf4