Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 14:58
Static task: static1
Behavioral task: behavioral1 (sample JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe, resource win10v2004-20241007-en)
General
Target: JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe
Size: 149KB
MD5: 40c02b9f1d72c8c360c7870305d4e6c2
SHA1: bd44acb510371311ce4ce983db4a6705651b7691
SHA256: e6018521e0b9d4e6b635a26b8f4ac296eb9736ea7c2f7f7ccc8174900bdd82a7
SHA512: 0894d4167a2ef386f138859f46febbe419c1f64ac2f577925b027c1c036e8a76e527351c5dab019a2069605b0ea8e4235a6ac1cb35f841fc59fea0352c638544
SSDEEP: 3072:rca0/1YUJf7yLLBgvl3AsZog196oyxZOtWZazj:YH/1lf2Ou+oE6jyvj
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | msconfig32x.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msconfig32x.exe

Executes dropped EXE (1 IoC)
pid | Process
4196 | msconfig32x.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intec Service Drivers = "msconfig32x.exe" | msconfig32x.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\Intec Service Drivers = "msconfig32x.exe" | msconfig32x.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intec Service Drivers = "msconfig32x.exe" | msconfig32x.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Intec Service Drivers = "msconfig32x.exe" | msconfig32x.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\msconfig32x.exe | JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe
File opened for modification | C:\Windows\msconfig32x.exe | JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe
File opened for modification | C:\Windows\127.0.200.200 update.msiservers.lan | msconfig32x.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msconfig32x.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4196 | msconfig32x.exe (the same entry is recorded 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4196 | msconfig32x.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4812 wrote to memory of 4196 | 4812 | JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe | 85
PID 4812 wrote to memory of 4196 | 4812 | JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe | 85
PID 4812 wrote to memory of 4196 | 4812 | JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe (PID 4812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\msconfig32x.exe (PID 4196, child of 4812)
    Command line: C:\Windows\msconfig32x.exe 1060 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40c02b9f1d72c8c360c7870305d4e6c2.exe"
    - Modifies security service
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)