Analysis
max time kernel: 18s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Size: 2.3MB
MD5: 148327a59b3f1020a2f2cccc47d19dfb
SHA1: 4bf8542cf745ab80bb8e08ad7c9effd8a918b59f
SHA256: 9c2c0be7f6fc2a252852d108251c01f65ccc53ad81e75235608a33db5d44a677
SHA512: b6a097a5b5971cc7fedac0d9104e3a359652766bdf8df9d7d772c480cb9a595d78e0003bcca357696cf97e714056c36782e4319d859b3628ce22982aca320af0
SSDEEP: 49152:Y8ev4j/fTa2Nj0YRJ+tqb+U/f6pN4yhW8Chlsu4I:Bev4jX7IYRJ+C+UfShWdh/j
Malware Config
Signatures
UAC bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Drops file in Drivers directory 4 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\host_new | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File created | C:\Windows\System32\drivers\etc\hosts | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\T: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\U: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\G: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\I: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\J: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\M: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\R: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\S: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\E: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\H: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\L: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\N: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\W: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\K: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\O: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\V: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\X: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2180 set thread context of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
Yara rule matches 6 IoCs
resource | yara_rule
behavioral1/memory/2480-3-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral1/memory/2480-6-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral1/memory/2480-8-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral1/memory/2480-7-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral1/memory/2480-135-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral1/memory/2480-136-0x0000000013140000-0x000000001372D000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2504 | 2480 | WerFault.exe | 29
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Modifies Internet Explorer settings 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IIL = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\ltHI = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\ltTST = "1744" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid | Process
2480 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe (this row is repeated 17 times, one per IoC)
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 2180 wrote to memory of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
PID 2180 wrote to memory of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
PID 2180 wrote to memory of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
PID 2180 wrote to memory of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
PID 2180 wrote to memory of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
PID 2180 wrote to memory of 2480 | 2180 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 29
PID 2480 wrote to memory of 2504 | 2480 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 30
PID 2480 wrote to memory of 2504 | 2480 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 30
PID 2480 wrote to memory of 2504 | 2480 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 30
PID 2480 wrote to memory of 2504 | 2480 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 30
System policy modification 1 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe"
   PID: 2180
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe"
      PID: 2480
      - UAC bypass
      - Enumerates VirtualBox registry keys
      - Drops file in Drivers directory
      - Checks for any installed AV software in registry
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3. (child of 2) C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 896
         PID: 2504
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Pre-OS Boot (1)
    Bootkit (1)
  Virtualization/Sandbox Evasion (1)
Downloads
Dropped file 1
  Filesize: 185B
  MD5: b8224e5293d4fad1927c751cc00c80e7
  SHA1: 270b8c752c7e93ec5485361fe6ef7b37f0b4513b
  SHA256: c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
  SHA512: 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2
Dropped file 2
  Filesize: 977B
  MD5: 53316bc0c42b9d65743709021f1d03c7
  SHA1: 44cfe377bf7fedee2ce8f888cfacefd283e924e6
  SHA256: 600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36
  SHA512: 9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6