Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/10/2024, 18:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
150 seconds
General
-
Target
23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe
-
Size
731KB
-
MD5
23a2f651f393bfcb0232d33c2b2f87a4
-
SHA1
e3787ca1dceb0910a26525e6828f16112d7f58fa
-
SHA256
d9dd37d60ebed8ec37f180ff4c026f04f76f84280aaad865da886b21544019f5
-
SHA512
8c8f25783573da53c61c692159b7645855b623fdba0f82d00c487d6e2f893b4b4ef940661168a452459d10e5bf8889dae552ec069d5b3ce23543466b841972d9
-
SSDEEP
12288:Ro6QZKN8RMELcXfMOBw+NF+9cIdTAN/9x/rsIMNoUMCOvCCSFFzBm//AAyX71aIt:WbjRmXUOod6V+IMNbOvvSbB4/cZ
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 1524 winupdate.exe 1856 winupdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 460 set thread context of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 1524 set thread context of 1856 1524 winupdate.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3404 2828 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1856 winupdate.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeSecurityPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeSystemtimePrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeBackupPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeRestorePrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeShutdownPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeDebugPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeUndockPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeManageVolumePrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeImpersonatePrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: 33 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: 34 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: 35 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: 36 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 1856 winupdate.exe Token: SeSecurityPrivilege 1856 winupdate.exe Token: SeTakeOwnershipPrivilege 1856 winupdate.exe Token: SeLoadDriverPrivilege 1856 winupdate.exe Token: SeSystemProfilePrivilege 1856 winupdate.exe Token: SeSystemtimePrivilege 1856 winupdate.exe Token: SeProfSingleProcessPrivilege 1856 winupdate.exe Token: SeIncBasePriorityPrivilege 1856 winupdate.exe Token: SeCreatePagefilePrivilege 1856 winupdate.exe Token: SeBackupPrivilege 1856 winupdate.exe Token: SeRestorePrivilege 1856 winupdate.exe Token: SeShutdownPrivilege 1856 winupdate.exe Token: SeDebugPrivilege 1856 winupdate.exe Token: SeSystemEnvironmentPrivilege 1856 winupdate.exe Token: SeChangeNotifyPrivilege 1856 winupdate.exe Token: SeRemoteShutdownPrivilege 1856 winupdate.exe Token: SeUndockPrivilege 1856 winupdate.exe Token: SeManageVolumePrivilege 1856 winupdate.exe Token: SeImpersonatePrivilege 1856 winupdate.exe Token: SeCreateGlobalPrivilege 1856 winupdate.exe Token: 33 1856 winupdate.exe Token: 34 1856 winupdate.exe Token: 35 1856 winupdate.exe Token: 36 1856 winupdate.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 1524 winupdate.exe 1856 winupdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 460 wrote to memory of 1376 460 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 84 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 2828 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 86 PID 1376 wrote to memory of 4660 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 88 PID 1376 wrote to memory of 4660 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 88 PID 1376 wrote to memory of 4660 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 88 PID 1376 wrote to memory of 1524 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 92 PID 1376 wrote to memory of 1524 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 92 PID 1376 wrote to memory of 1524 1376 23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe 92 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1524 wrote to memory of 1856 1524 winupdate.exe 93 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94 PID 1856 wrote to memory of 2680 1856 winupdate.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Users\Admin\AppData\Local\Temp\23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵PID:2828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 764⤵
- Program crash
PID:3404
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵PID:4660
-
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe5⤵
- System Location Discovery: System Language Discovery
PID:2680
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2828 -ip 28281⤵PID:3564
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
731KB
MD523a2f651f393bfcb0232d33c2b2f87a4
SHA1e3787ca1dceb0910a26525e6828f16112d7f58fa
SHA256d9dd37d60ebed8ec37f180ff4c026f04f76f84280aaad865da886b21544019f5
SHA5128c8f25783573da53c61c692159b7645855b623fdba0f82d00c487d6e2f893b4b4ef940661168a452459d10e5bf8889dae552ec069d5b3ce23543466b841972d9