Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2024 18:07
Static task: static1
Behavioral task: behavioral1
Sample: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Size: 3.4MB
MD5: 639c5176777eb4d0d8e4b2a15d1601d4
SHA1: 54bb7638c3e1f2159644b86df0a3c22488c9ce38
SHA256: 6b6cafa9c7bc66f4b11ba4f9254f099b0b6773f497b713cb45ee7072bd2cd717
SHA512: 96f819a161d24332671cd3b49dc59a42c3000fe23c120cf44bedabedd85dd7956a424ab03fc72eb49a46fa7da3b26ffedf4935c38e62941acb5250e09dde70e6
SSDEEP: 49152:zpkaSo/WYCIuxQLytxkOL0QRncMtMD6UJwINhtiAlZQOf/6k1l1:zn9GjASkDMtGNh9ZpZ1l1
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: explorer.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Checks BIOS information in registry (2 TTPs, 5 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe, explorer.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Executes dropped EXE (3 IoCs)
Processes: winupdate.exe, winupdate.exe, winupdate.exe
pid | Process
2948 | winupdate.exe
980 | winupdate.exe
2856 | winupdate.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorer.exe, 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | winupdate.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | winupdate.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | winupdate.exe
Loads dropped DLL (12 IoCs)
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe
pid | Process
2236 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
2948 | winupdate.exe
2948 | winupdate.exe
2948 | winupdate.exe
2948 | winupdate.exe
980 | winupdate.exe
980 | winupdate.exe
980 | winupdate.exe
980 | winupdate.exe
2856 | winupdate.exe
2856 | winupdate.exe
2856 | winupdate.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: winupdate.exe, winupdate.exe, 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Checks whether UAC is enabled (4 IoCs)
Processes: winupdate.exe, winupdate.exe, 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winupdate.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winupdate.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winupdate.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 5 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe, explorer.exe
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
File opened for modification | \??\PhysicalDrive0 | winupdate.exe
File opened for modification | \??\PhysicalDrive0 | winupdate.exe
File opened for modification | \??\PhysicalDrive0 | winupdate.exe
File opened for modification | \??\PhysicalDrive0 | explorer.exe
Drops file in System32 directory (12 IoCs)
Processes: winupdate.exe, winupdate.exe, 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe, explorer.exe
pid | Process
2236 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
2948 | winupdate.exe
980 | winupdate.exe
2856 | winupdate.exe
2508 | explorer.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: winupdate.exe
description | pid | Process | procid_target
PID 2856 set thread context of 2508 | 2856 | winupdate.exe | 37
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe, explorer.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Checks processor information in registry (2 TTPs, 20 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, explorer.exe, winupdate.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Enumerates system info in registry (2 TTPs, 5 IoCs)
Processes: winupdate.exe, winupdate.exe, explorer.exe, 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe, explorer.exe
pid | Process
2236 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
2948 | winupdate.exe
980 | winupdate.exe
2856 | winupdate.exe
2508 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: explorer.exe
pid | Process
2508 | explorer.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe
description (one row per token, grouped here by pid) | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 rows) | 2236 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 rows) | 2948 | winupdate.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (18 rows) | 980 | winupdate.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: explorer.exe
pid | Process
2508 | explorer.exe
Suspicious use of WriteProcessMemory (48 IoCs)
Processes: 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe, winupdate.exe, winupdate.exe, winupdate.exe
description | pid | Process | procid_target | identical rows
PID 2236 wrote to memory of 2748 | 2236 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe | 31 | 4
PID 2236 wrote to memory of 2948 | 2236 | 639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe | 32 | 7
PID 2948 wrote to memory of 2624 | 2948 | winupdate.exe | 33 | 7
PID 2948 wrote to memory of 980 | 2948 | winupdate.exe | 34 | 7
PID 980 wrote to memory of 2844 | 980 | winupdate.exe | 35 | 7
PID 980 wrote to memory of 2856 | 980 | winupdate.exe | 36 | 7
PID 2856 wrote to memory of 2508 | 2856 | winupdate.exe | 37 | 9
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\639c5176777eb4d0d8e4b2a15d1601d4_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2236
Depth 2: C:\Windows\SysWOW64\explorer.exe
Command line: "C:\Windows\SysWOW64\explorer.exe"
PID: 2748
Depth 2: C:\Windows\SysWOW64\Windupdt\winupdate.exe
Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2948
Depth 3: C:\Windows\SysWOW64\explorer.exe
Command line: "C:\Windows\SysWOW64\explorer.exe"
PID: 2624
Depth 3: C:\Windows\SysWOW64\Windupdt\winupdate.exe
Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 980
Depth 4: C:\Windows\SysWOW64\explorer.exe
Command line: "C:\Windows\SysWOW64\explorer.exe"
PID: 2844
Depth 4: C:\Windows\SysWOW64\Windupdt\winupdate.exe
Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2856
Depth 5: C:\Windows\SysWOW64\explorer.exe
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 2508
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Downloads
Filesize: 3.4MB
MD5: 639c5176777eb4d0d8e4b2a15d1601d4
SHA1: 54bb7638c3e1f2159644b86df0a3c22488c9ce38
SHA256: 6b6cafa9c7bc66f4b11ba4f9254f099b0b6773f497b713cb45ee7072bd2cd717
SHA512: 96f819a161d24332671cd3b49dc59a42c3000fe23c120cf44bedabedd85dd7956a424ab03fc72eb49a46fa7da3b26ffedf4935c38e62941acb5250e09dde70e6