Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15-10-2024 03:40
Static task: static1
Behavioral task: behavioral1
Sample: 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
Size: 264KB
MD5: 45a7e70ef28d9d8504c5bd72ba13f3be
SHA1: 573a04603fdc55e04307727dd3816f316b894680
SHA256: 6a95367b492ae4c76fcba7778a7f5bd6a4161840eb44f7f57ac895e2c73f835b
SHA512: fb4e701a2944d208a2a9904f894450fa7fb66b40cb7e0f19964866768e62f50569acee4e04c2ecbb8008eaeea122ca62d587f6a31f677f3bb48fa34359fda2eb
SSDEEP: 6144:sBDPC5+0V/3U5xifUntIIHFteqMTENVYvKMyHhRE4adf3aGfrfiFOl:sp++0V/3ojtsqMTEsvm4DikbiUl
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes (description | ioc | Process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\driver\\winupdate.exe" | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe

Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes (description | ioc | Process):
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
Windows security bypass
Processes (description | ioc | Process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | Process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | Process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes (pid | Process):
  4036 | winupdate.exe
  1140 | winupdate.exe
Windows security modification
Processes (description | ioc | Process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | Process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\driver\\winupdate.exe" | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe

Drops file in System32 directory (1 IoCs)
Processes (description | ioc | Process):
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | Process | procid_target):
  PID 3652 set thread context of 3048 | 3652 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe | 85
  PID 3048 set thread context of 4808 | 3048 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe | 94
  PID 4036 set thread context of 1140 | 4036 | winupdate.exe | 98

Processes (resource | yara_rule):
  behavioral2/memory/3048-4-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-5-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-6-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-8-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-9-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-11-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-10-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3048-51-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-60-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-61-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-63-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-66-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-64-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-62-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-65-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-69-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-70-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-71-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-72-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-73-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-74-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-75-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-76-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-77-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-78-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-79-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-80-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-81-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-82-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/1140-83-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | Process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | Process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description | ioc | Process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe

Modifies registry class (1 IoCs)
Processes (description | ioc | Process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes (description | pid | Process), grouped by process; each "Token:" entry is one IoC:
  PID 3048 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe | Token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36
  PID 1140 | winupdate.exe | Token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid | Process):
  3652 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  4808 | explorer.exe
  4036 | winupdate.exe
  1140 | winupdate.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description | pid | Process | procid_target), with the number of identical entries in the report given per row:
  PID 3652 wrote to memory of 3048 | 3652 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe | 85 (8 entries)
  PID 3048 wrote to memory of 4808 | 3048 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe | 94 (5 entries)
  PID 3048 wrote to memory of 4036 | 3048 | 45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe | 97 (3 entries)
  PID 4036 wrote to memory of 1140 | 4036 | winupdate.exe | 98 (8 entries)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe"
  PID: 3652
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Local\Temp\45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe"
    PID: 3048
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      PID: 4808
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    (level 3) C:\driver\winupdate.exe
      Command line: "C:\driver\winupdate.exe"
      PID: 4036
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (level 4) C:\driver\winupdate.exe
        Command line: "C:\driver\winupdate.exe"
        PID: 1140
        - Modifies firewall policy service
        - Windows security bypass
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Modify Registry (5)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\88603cb2913a7df3fbd16b5f958e6447_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
  Filesize: 51B
  MD5: 5fc2ac2a310f49c14d195230b91a8885
  SHA1: 90855cc11136ba31758fe33b5cf9571f9a104879
  SHA256: 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
  SHA512: ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
- (no path given in the report)
  Filesize: 264KB
  MD5: 45a7e70ef28d9d8504c5bd72ba13f3be
  SHA1: 573a04603fdc55e04307727dd3816f316b894680
  SHA256: 6a95367b492ae4c76fcba7778a7f5bd6a4161840eb44f7f57ac895e2c73f835b
  SHA512: fb4e701a2944d208a2a9904f894450fa7fb66b40cb7e0f19964866768e62f50569acee4e04c2ecbb8008eaeea122ca62d587f6a31f677f3bb48fa34359fda2eb