Analysis
max time kernel: 4s
max time network: 5s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2024, 09:54
Static task: static1
Behavioral task: behavioral1
  Sample: 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Errors
General
Target: 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
Size: 338KB
MD5: 179c2faa9546deb40320c58bf96274dd
SHA1: 347fb8706663918664f8dee19ad9f21093e592ec
SHA256: 76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93
SHA512: 3986a40bcf4b75b13bfed4fac6198dad989a6fc46998526b0816f97486540604e337cce2204f98d077534e464a9aca415d3a084f2da31f1365a3147be037e910
SSDEEP: 6144:qCwJtdsVlKCKe9djM6Y4wFd1kVYfXU0om0min1sVV57p0VIH0ymYq:9808CKeXjTxwFd+IImdVr7p0VIH0ymf
Malware Config
Signatures
Modifies boot configuration data using bcdedit (1 TTPs, 10 IoCs)
  pid | Process
  344 | bcdedit.exe
  4484 | bcdedit.exe
  3524 | bcdedit.exe
  264 | bcdedit.exe
  228 | bcdedit.exe
  4004 | bcdedit.exe
  5072 | bcdedit.exe
  2984 | bcdedit.exe
  3876 | bcdedit.exe
  4848 | bcdedit.exe
Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\drivers\e576496.sys | syshost.exe
Enables test signing to bypass driver trust controls (1 TTPs, 10 IoCs)
Allows any signed driver to load without validation against a trusted certificate authority.
  pid | Process
  264 | bcdedit.exe
  4004 | bcdedit.exe
  2984 | bcdedit.exe
  3876 | bcdedit.exe
  5072 | bcdedit.exe
  4848 | bcdedit.exe
  344 | bcdedit.exe
  4484 | bcdedit.exe
  3524 | bcdedit.exe
  228 | bcdedit.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  2212 | syshost.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  File opened for modification | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  File opened for modification | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe.tmp | syshost.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | syshost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  656 | Process not Found
Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1616 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2212 | syshost.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2572 | LogonUI.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 2212 wrote to memory of 228 | 2212 | syshost.exe | 84
  PID 2212 wrote to memory of 228 | 2212 | syshost.exe | 84
  PID 2212 wrote to memory of 264 | 2212 | syshost.exe | 85
  PID 2212 wrote to memory of 264 | 2212 | syshost.exe | 85
  PID 1616 wrote to memory of 1120 | 1616 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 83
  PID 1616 wrote to memory of 1120 | 1616 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 83
  PID 1616 wrote to memory of 1120 | 1616 | 179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | 83
  PID 2212 wrote to memory of 3524 | 2212 | syshost.exe | 86
  PID 2212 wrote to memory of 3524 | 2212 | syshost.exe | 86
  PID 2212 wrote to memory of 344 | 2212 | syshost.exe | 87
  PID 2212 wrote to memory of 344 | 2212 | syshost.exe | 87
  PID 2212 wrote to memory of 4484 | 2212 | syshost.exe | 88
  PID 2212 wrote to memory of 4484 | 2212 | syshost.exe | 88
  PID 2212 wrote to memory of 4004 | 2212 | syshost.exe | 89
  PID 2212 wrote to memory of 4004 | 2212 | syshost.exe | 89
  PID 2212 wrote to memory of 5072 | 2212 | syshost.exe | 90
  PID 2212 wrote to memory of 5072 | 2212 | syshost.exe | 90
  PID 2212 wrote to memory of 2984 | 2212 | syshost.exe | 91
  PID 2212 wrote to memory of 2984 | 2212 | syshost.exe | 91
  PID 2212 wrote to memory of 3876 | 2212 | syshost.exe | 92
  PID 2212 wrote to memory of 3876 | 2212 | syshost.exe | 92
  PID 2212 wrote to memory of 4848 | 2212 | syshost.exe | 93
  PID 2212 wrote to memory of 4848 | 2212 | syshost.exe | 93
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe"
  PID: 1616
  Signatures:
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\700aaf10.tmp"
    PID: 1120
    Signatures:
    - System Location Discovery: System Language Discovery
Process (depth 1): C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe
  Command line: "C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe" /service
  PID: 2212
  Signatures:
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 228
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 264
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 3524
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 344
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 4484
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 4004
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 5072
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 2984
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 3876
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
  Process (depth 2): C:\Windows\SYSTEM32\bcdedit.exe
    Command line: bcdedit.exe -set TESTSIGNING ON
    PID: 4848
    Signatures:
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
Process (depth 1): C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39ac055 /state1:0x41c64e6d
  PID: 2572
  Signatures:
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 338KB
MD5: 179c2faa9546deb40320c58bf96274dd
SHA1: 347fb8706663918664f8dee19ad9f21093e592ec
SHA256: 76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93
SHA512: 3986a40bcf4b75b13bfed4fac6198dad989a6fc46998526b0816f97486540604e337cce2204f98d077534e464a9aca415d3a084f2da31f1365a3147be037e910