Analysis
-
max time kernel
6s -
max time network
6s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 20:34
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe
Resource
win10v2004-20241007-en
Errors
General
-
Target
JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe
-
Size
344KB
-
MD5
4373196495fd5bd61a3ca0dd086b415d
-
SHA1
7e80f5e068643383fc29991333a23608ed322976
-
SHA256
ba531df27744b17a0006cda3da7751903ad9354cb5740c41a35913df05be0830
-
SHA512
8576c0301afa4780e1637ba40fddba2c20075122273d7c95831ff782d2359c842e8e41066b1202937baefeff833b1163da1b883255bb0d81c940d817dc8ad7a8
-
SSDEEP
6144:rlwEIOLQRCQ5Af7kkAsntTQubE1/K5blopzcbbw:rloDRCQMNAstTQajopf
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
pid Process 2696 bcdedit.exe 2864 bcdedit.exe 1900 bcdedit.exe 2972 bcdedit.exe 2680 bcdedit.exe 2588 bcdedit.exe 2700 bcdedit.exe 2916 bcdedit.exe 2908 bcdedit.exe 2892 bcdedit.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\f76f122.sys syshost.exe -
Enables test signing to bypass driver trust controls 1 TTPs 10 IoCs
Allows any signed driver to load without validation against a trusted certificate authority.
pid Process 2588 bcdedit.exe 2700 bcdedit.exe 2680 bcdedit.exe 2864 bcdedit.exe 1900 bcdedit.exe 2972 bcdedit.exe 2916 bcdedit.exe 2908 bcdedit.exe 2892 bcdedit.exe 2696 bcdedit.exe -
Deletes itself 1 IoCs
pid Process 2080 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2848 syshost.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe File opened for modification C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe File opened for modification C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe.tmp syshost.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language syshost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2720 JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 2848 syshost.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 2720 wrote to memory of 2080 2720 JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe 31 PID 2720 wrote to memory of 2080 2720 JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe 31 PID 2720 wrote to memory of 2080 2720 JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe 31 PID 2720 wrote to memory of 2080 2720 JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe 31 PID 2848 wrote to memory of 2696 2848 syshost.exe 32 PID 2848 wrote to memory of 2696 2848 syshost.exe 32 PID 2848 wrote to memory of 2696 2848 syshost.exe 32 PID 2848 wrote to memory of 2696 2848 syshost.exe 32 PID 2848 wrote to memory of 2864 2848 syshost.exe 33 PID 2848 wrote to memory of 2864 2848 syshost.exe 33 PID 2848 wrote to memory of 2864 2848 syshost.exe 33 PID 2848 wrote to memory of 2864 2848 syshost.exe 33 PID 2848 wrote to memory of 1900 2848 syshost.exe 34 PID 2848 wrote to memory of 1900 2848 syshost.exe 34 PID 2848 wrote to memory of 1900 2848 syshost.exe 34 PID 2848 wrote to memory of 1900 2848 syshost.exe 34 PID 2848 wrote to memory of 2972 2848 syshost.exe 35 PID 2848 wrote to memory of 2972 2848 syshost.exe 35 PID 2848 wrote to memory of 2972 2848 syshost.exe 35 PID 2848 wrote to memory of 2972 2848 syshost.exe 35 PID 2848 wrote to memory of 2680 2848 syshost.exe 36 PID 2848 wrote to memory of 2680 2848 syshost.exe 36 PID 2848 wrote to memory of 2680 2848 syshost.exe 36 PID 2848 wrote to memory of 2680 2848 syshost.exe 36 PID 2848 wrote to memory of 2892 2848 syshost.exe 37 PID 2848 wrote to memory of 2892 2848 syshost.exe 37 PID 2848 wrote to memory of 2892 2848 syshost.exe 37 PID 2848 wrote to memory of 2892 2848 syshost.exe 37 PID 2848 wrote to memory of 2908 2848 syshost.exe 39 PID 2848 wrote to memory of 2908 2848 syshost.exe 39 PID 2848 wrote to memory of 2908 2848 syshost.exe 39 PID 2848 wrote to memory of 2908 2848 syshost.exe 39 PID 2848 wrote to memory of 2916 2848 syshost.exe 40 PID 2848 wrote to memory of 2916 2848 syshost.exe 40 PID 2848 wrote to memory of 2916 2848 syshost.exe 40 PID 2848 wrote to memory of 2916 2848 syshost.exe 40 PID 2848 wrote to memory of 2588 2848 syshost.exe 43 PID 2848 wrote to memory of 2588 2848 syshost.exe 43 PID 2848 wrote to memory of 2588 2848 syshost.exe 43 PID 2848 wrote to memory of 2588 2848 syshost.exe 43 PID 2848 wrote to memory of 2700 2848 syshost.exe 44 PID 2848 wrote to memory of 2700 2848 syshost.exe 44 PID 2848 wrote to memory of 2700 2848 syshost.exe 44 PID 2848 wrote to memory of 2700 2848 syshost.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\18ef14.tmp"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2080
-
-
C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe"C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe" /service1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2696
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2864
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:1900
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2972
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2680
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2892
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2908
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2916
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2588
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2700
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:3032
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2552
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD54373196495fd5bd61a3ca0dd086b415d
SHA17e80f5e068643383fc29991333a23608ed322976
SHA256ba531df27744b17a0006cda3da7751903ad9354cb5740c41a35913df05be0830
SHA5128576c0301afa4780e1637ba40fddba2c20075122273d7c95831ff782d2359c842e8e41066b1202937baefeff833b1163da1b883255bb0d81c940d817dc8ad7a8