Analysis Overview
SHA256
76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93
Threat Level: Likely malicious
The file 179c2faa9546deb40320c58bf96274dd_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Enables test signing to bypass driver trust controls
Drops file in Drivers directory
Executes dropped EXE
Deletes itself
Indicator Removal: File Deletion
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-06 09:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-06 09:54
Reported
2024-10-06 09:55
Platform
win7-20240903-en
Max time kernel
6s
Max time network
7s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\f76a5a2.sys | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | N/A |
Enables test signing to bypass driver trust controls
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe.tmp | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe"
C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe
"C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe" /service
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\ed7d0cbf.tmp"
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2532-3-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2532-2-0x0000000000220000-0x0000000000226000-memory.dmp
memory/2532-1-0x0000000000610000-0x0000000000710000-memory.dmp
C:\Windows\Installer\{B4C4F5B8-CBC1-CCEE-C8F4-0806A8D27EB5}\syshost.exe
| MD5 | 179c2faa9546deb40320c58bf96274dd |
| SHA1 | 347fb8706663918664f8dee19ad9f21093e592ec |
| SHA256 | 76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93 |
| SHA512 | 3986a40bcf4b75b13bfed4fac6198dad989a6fc46998526b0816f97486540604e337cce2204f98d077534e464a9aca415d3a084f2da31f1365a3147be037e910 |
memory/1736-5-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2532-8-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2532-7-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1736-9-0x0000000000400000-0x0000000000458000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-06 09:54
Reported
2024-10-06 09:55
Platform
win10v2004-20240802-en
Max time kernel
4s
Max time network
5s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\e576496.sys | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | N/A |
Enables test signing to bypass driver trust controls
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe.tmp | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179c2faa9546deb40320c58bf96274dd_JaffaCakes118.exe"
C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe
"C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe" /service
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\700aaf10.tmp"
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ac055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 13.89.179.10:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/1616-0-0x00000000026A0000-0x0000000002700000-memory.dmp
memory/1616-1-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1616-2-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Windows\Installer\{D33686E8-3C91-982B-9D7B-CEF37D835285}\syshost.exe
| MD5 | 179c2faa9546deb40320c58bf96274dd |
| SHA1 | 347fb8706663918664f8dee19ad9f21093e592ec |
| SHA256 | 76030caef17f1129f72815a99c53e5fdc0e15ac6e8252aaa5e6053217c494d93 |
| SHA512 | 3986a40bcf4b75b13bfed4fac6198dad989a6fc46998526b0816f97486540604e337cce2204f98d077534e464a9aca415d3a084f2da31f1365a3147be037e910 |
memory/2212-6-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2212-7-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2212-8-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1616-10-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1616-11-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2212-13-0x0000000000400000-0x0000000000458000-memory.dmp