Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 12:28

General

  • Target

    JaffaCakes118_c7cc5b796b801f884c8d40ef75081268.exe

  • Size

    809KB

  • MD5

    c7cc5b796b801f884c8d40ef75081268

  • SHA1

    aa8b959fe7dfe8e8f3e2fa1be91bf2b2e6fe55be

  • SHA256

    28260c2eb652e78ad2b1881dfb742bebfd46711bb81ce0b3fb232800ae174fe0

  • SHA512

    397b9dd4ebabeab1a401cdbaed0f09101a32c501d052e3475dde83a838a3187fd5ef1d7310c238e35ce282959ca4160d64231f4428cf078e54e0c1b78a307e50

  • SSDEEP

    12288:VRi4IizlvxRZqANc9EmeQ2c4vXAlr6Iuvr9qT1hqjdZPQvoGcbC/FAZ3:VTIulJDR6E2prlgjdydcuN+3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cc5b796b801f884c8d40ef75081268.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cc5b796b801f884c8d40ef75081268.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1632
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3644
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1928
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5088
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3900
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:960
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:5024
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:4060
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4088

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

          Filesize

          471B

          MD5

          959d2a9c777132fe5498a165d5bbaaf7

          SHA1

          5cd8dd5a857fd362647a22ec0732207888f29bb9

          SHA256

          8bf88caa748bd496eb1290b073a40bc4d595a64ee5be59bd001826c5ec9befba

          SHA512

          66b2f65cb3ca7bf905aea846fc34ed6b818174438f4277114784162ed0b2e8bd18b54f195847ee765889750e8ddb903615367d71dbe0a12cc28cf1f07bcca923

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

          Filesize

          412B

          MD5

          af4b4ffd10c1b63f1eb5bca0612ede3f

          SHA1

          e9bf8780b0e0d235710b28b43f35468a2ca78825

          SHA256

          68be254b23399f2047c56851650ba0f734b69933cc180676032fdacdf865b923

          SHA512

          2208d6babbf0036cb6ff2a2d1d74ba15bfb058f5d94d350df3bd2c2550093f21379f61cc63b4866134c3e01b58cc111b6fbdf124e9ce99bbbbb5f6dd503b9a0b

        • C:\Users\Admin\AppData\Local\IconCache.db

          Filesize

          15KB

          MD5

          f597c7cbc112607a180972c43ea37ebe

          SHA1

          6e8ed491cd02750114f7b6c107ae4e0d7a92b3c5

          SHA256

          36cca24f4a03e13e05bafa90bbe56f7c0d279172ed236d07d6d485e1bec778e6

          SHA512

          7700f100bd51e78f57976896f176548ed124839e970b2ea043bc0a6fd4e89fb97d38d1db6b27d5be3903bd3e06f984427995291af69cea4d57194bb602895317

        • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

          Filesize

          1022B

          MD5

          557c4dafbb2a694744fa0557a8220e89

          SHA1

          dcd67a5aa65769afbae72c6cf5f92c9f50c99725

          SHA256

          55bef33950f6f5e3cb0d37d7866bc8734d00c5cc9af82b9d1ab798471a9189f5

          SHA512

          ffe538def93c12d0e765a95ce986d3b3cb7eb0be5bb981176b191a54556a011364269222bd7c6677a9441b2f44232ded6197208b0a9614532fcae5785e282621

        • C:\Users\Admin\AppData\Local\Temp\{45D93AEA-ED43-463C-9AE2-538FE0206B1D}.png

          Filesize

          6KB

          MD5

          099ba37f81c044f6b2609537fdb7d872

          SHA1

          470ef859afbce52c017874d77c1695b7b0f9cb87

          SHA256

          8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

          SHA512

          837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

        • memory/960-24-0x00000000049A0000-0x00000000049A1000-memory.dmp

          Filesize

          4KB

        • memory/1632-25-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-46-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-17-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-11-0x00000000028F0000-0x00000000028F9000-memory.dmp

          Filesize

          36KB

        • memory/1632-69-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-5-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-4-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-3-0x00000000009F1000-0x00000000009F2000-memory.dmp

          Filesize

          4KB

        • memory/1632-0-0x00000000028F0000-0x00000000028F9000-memory.dmp

          Filesize

          36KB

        • memory/1632-26-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-68-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-39-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-1-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-16-0x00000000009F1000-0x00000000009F2000-memory.dmp

          Filesize

          4KB

        • memory/1632-53-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-54-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-55-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-56-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-61-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-62-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-63-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-66-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/1632-67-0x0000000000400000-0x0000000000B09000-memory.dmp

          Filesize

          7.0MB

        • memory/4088-37-0x0000000004280000-0x0000000004281000-memory.dmp

          Filesize

          4KB

        • memory/5088-10-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

          Filesize

          4KB