Analysis
- max time kernel: 6s
- max time network: 7s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/10/2024, 09:54
Static task: static1
Behavioral task: behavioral1
  Sample: 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Errors
General
- Target: 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
- Size: 338KB
- MD5: 179c2faa9546deb40320c58bf96274dd
- SHA1: 347fb8706663918664f8dee19ad9f21093e592ec
- SHA256: 76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93
- SHA512: 3986a40bcf4b75b13bfed4fac6198dad989a6fc46998526b0816f97486540604e337cce2204f98d077534e464a9aca415d3a084f2da31f1365a3147be037e910
- SSDEEP: 6144:qCwJtdsVlKCKe9djM6Y4wFd1kVYfXU0om0min1sVV57p0VIH0ymYq:9808CKeXjTxwFd+IImdVr7p0VIH0ymf
Malware Config
Signatures
- Modifies boot configuration data using bcdedit (1 TTPs, 10 IoCs)
  pid  | Process
  2168 | bcdedit.exe
  2712 | bcdedit.exe
  2268 | bcdedit.exe
  2256 | bcdedit.exe
  1300 | bcdedit.exe
  2340 | bcdedit.exe
  1516 | bcdedit.exe
  2332 | bcdedit.exe
  2316 | bcdedit.exe
  2160 | bcdedit.exe
- Drops file in Drivers directory (1 IoCs)
  description  | ioc                                      | Process
  File created | C:\Windows\system32\drivers\f76a5a2.sys | syshost.exe
- Enables test signing to bypass driver trust controls (1 TTPs, 10 IoCs)
  Allows any signed driver to load without validation against a trusted certificate authority.
  pid  | Process
  2168 | bcdedit.exe
  2256 | bcdedit.exe
  2340 | bcdedit.exe
  2332 | bcdedit.exe
  2712 | bcdedit.exe
  2268 | bcdedit.exe
  1300 | bcdedit.exe
  1516 | bcdedit.exe
  2316 | bcdedit.exe
  2160 | bcdedit.exe
- Deletes itself (1 IoCs)
  pid  | Process
  2112 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid  | Process
  1736 | syshost.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (3 IoCs)
  description                  | ioc                                                                             | Process
  File created                 | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe     | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  File opened for modification | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe     | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  File opened for modification | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe.tmp | syshost.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | syshost.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  476 | Process not Found
- Suspicious behavior: RenamesItself (1 IoCs)
  pid  | Process
  2532 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                | pid  | Process
  Token: SeShutdownPrivilege | 1736 | syshost.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description                      | pid  | Process                                            | procid_target
  PID 2532 wrote to memory of 2112 | 2532 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 31
  PID 2532 wrote to memory of 2112 | 2532 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 31
  PID 2532 wrote to memory of 2112 | 2532 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 31
  PID 2532 wrote to memory of 2112 | 2532 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 31
  PID 1736 wrote to memory of 2160 | 1736 | syshost.exe                                        | 32
  PID 1736 wrote to memory of 2160 | 1736 | syshost.exe                                        | 32
  PID 1736 wrote to memory of 2160 | 1736 | syshost.exe                                        | 32
  PID 1736 wrote to memory of 2160 | 1736 | syshost.exe                                        | 32
  PID 1736 wrote to memory of 2316 | 1736 | syshost.exe                                        | 33
  PID 1736 wrote to memory of 2316 | 1736 | syshost.exe                                        | 33
  PID 1736 wrote to memory of 2316 | 1736 | syshost.exe                                        | 33
  PID 1736 wrote to memory of 2316 | 1736 | syshost.exe                                        | 33
  PID 1736 wrote to memory of 2332 | 1736 | syshost.exe                                        | 34
  PID 1736 wrote to memory of 2332 | 1736 | syshost.exe                                        | 34
  PID 1736 wrote to memory of 2332 | 1736 | syshost.exe                                        | 34
  PID 1736 wrote to memory of 2332 | 1736 | syshost.exe                                        | 34
  PID 1736 wrote to memory of 1516 | 1736 | syshost.exe                                        | 35
  PID 1736 wrote to memory of 1516 | 1736 | syshost.exe                                        | 35
  PID 1736 wrote to memory of 1516 | 1736 | syshost.exe                                        | 35
  PID 1736 wrote to memory of 1516 | 1736 | syshost.exe                                        | 35
  PID 1736 wrote to memory of 2340 | 1736 | syshost.exe                                        | 36
  PID 1736 wrote to memory of 2340 | 1736 | syshost.exe                                        | 36
  PID 1736 wrote to memory of 2340 | 1736 | syshost.exe                                        | 36
  PID 1736 wrote to memory of 2340 | 1736 | syshost.exe                                        | 36
  PID 1736 wrote to memory of 1300 | 1736 | syshost.exe                                        | 38
  PID 1736 wrote to memory of 1300 | 1736 | syshost.exe                                        | 38
  PID 1736 wrote to memory of 1300 | 1736 | syshost.exe                                        | 38
  PID 1736 wrote to memory of 1300 | 1736 | syshost.exe                                        | 38
  PID 1736 wrote to memory of 2256 | 1736 | syshost.exe                                        | 40
  PID 1736 wrote to memory of 2256 | 1736 | syshost.exe                                        | 40
  PID 1736 wrote to memory of 2256 | 1736 | syshost.exe                                        | 40
  PID 1736 wrote to memory of 2256 | 1736 | syshost.exe                                        | 40
  PID 1736 wrote to memory of 2268 | 1736 | syshost.exe                                        | 41
  PID 1736 wrote to memory of 2268 | 1736 | syshost.exe                                        | 41
  PID 1736 wrote to memory of 2268 | 1736 | syshost.exe                                        | 41
  PID 1736 wrote to memory of 2268 | 1736 | syshost.exe                                        | 41
  PID 1736 wrote to memory of 2712 | 1736 | syshost.exe                                        | 42
  PID 1736 wrote to memory of 2712 | 1736 | syshost.exe                                        | 42
  PID 1736 wrote to memory of 2712 | 1736 | syshost.exe                                        | 42
  PID 1736 wrote to memory of 2712 | 1736 | syshost.exe                                        | 42
  PID 1736 wrote to memory of 2168 | 1736 | syshost.exe                                        | 43
  PID 1736 wrote to memory of 2168 | 1736 | syshost.exe                                        | 43
  PID 1736 wrote to memory of 2168 | 1736 | syshost.exe                                        | 43
  PID 1736 wrote to memory of 2168 | 1736 | syshost.exe                                        | 43
Processes
- C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID: 2532
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\ed7d0cbf.tmp"
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2112
- C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe
  Command line: "C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe" /service
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1736
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2160
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2316
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2332
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 1516
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2340
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 1300
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2256
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2268
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2712
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID: 2168
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2140
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1860
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 338KB
  MD5: 179c2faa9546deb40320c58bf96274dd
  SHA1: 347fb8706663918664f8dee19ad9f21093e592ec
  SHA256: 76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93
  SHA512: 3986a40bcf4b75b13bfed4fac6198dad989a6fc46998526b0816f97486540604e337cce2204f98d077534e464a9aca415d3a084f2da31f1365a3147be037e910