Analysis Overview
SHA256
ba531df27744b17a0006cda3da7751903ad9354cb5740c41a35913df05be0830
Threat Level: Likely malicious
The file JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Drops file in Drivers directory
Enables test signing to bypass driver trust controls
Executes dropped EXE
Deletes itself
Indicator Removal: File Deletion
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:34
Reported
2025-01-27 20:34
Platform
win7-20240903-en
Max time kernel
6s
Max time network
6s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\f76f122.sys | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | N/A |
Enables test signing to bypass driver trust controls
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
| File opened for modification | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
| File opened for modification | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe.tmp | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe"
C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe
"C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe" /service
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\18ef14.tmp"
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2720-3-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2720-2-0x0000000000220000-0x0000000000226000-memory.dmp
memory/2720-1-0x0000000001D60000-0x0000000001E60000-memory.dmp
memory/2848-5-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2720-8-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2720-7-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe
| MD5 | 4373196495fd5bd61a3ca0dd086b415d |
| SHA1 | 7e80f5e068643383fc29991333a23608ed322976 |
| SHA256 | ba531df27744b17a0006cda3da7751903ad9354cb5740c41a35913df05be0830 |
| SHA512 | 8576c0301afa4780e1637ba40fddba2c20075122273d7c95831ff782d2359c842e8e41066b1202937baefeff833b1163da1b883255bb0d81c940d817dc8ad7a8 |
memory/2848-9-0x0000000000400000-0x0000000000459000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:34
Reported
2025-01-27 20:34
Platform
win10v2004-20241007-en
Max time kernel
3s
Max time network
5s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\e57925d.sys | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | N/A |
Enables test signing to bypass driver trust controls
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe.tmp | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe"
C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe
"C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe" /service
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e7e1a2aa.tmp"
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ae055 /state1:0x41c64e6d
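The two process trees above (behavioral1 on win7 and behavioral2 on win10v2004) show the same chain: the sample copies itself to C:\Windows\Installer\{GUID}\syshost.exe (the dropped file's MD5/SHA256 in the Files sections match the sample's own, so it is a byte-identical self-copy), starts the copy with /service, deletes its renamed .tmp through cmd.exe, writes a .sys into system32\drivers, and runs "bcdedit.exe -set TESTSIGNING ON" ten times. Two caveats a responder should keep in mind: the report records the bcdedit invocations, not their exit status, and TESTSIGNING takes effect only at the next boot (it admits drivers signed with any certificate, including a self-signed test certificate, which is why the signature is worded as a trust-control bypass; on a Secure Boot system bcdedit refuses the change). The SeShutdownPrivilege use by syshost.exe and the LogonUI.exe entries are consistent with a forced reboot to activate the setting, but that is an inference, not something the report states. The following detection logic is an added example, not sandbox output or the malware's code: it runs over constructed Sysmon-style events that mirror the report's paths (pid/ppid links, the bcdedit parent, the event shape and the driver-writer allowlist are assumptions), links findings by process lineage, and includes a post-incident parser for bcdedit /enum output so the boot setting can be verified after the fact.

```python
"""Detections for the dropper / test-signing chain this report describes.
Added example, not sandbox output: events are constructed to mirror the report's
process trees; pid/ppid links and the Sysmon-style event shape are assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed telemetry: ev 1 = process create, ev 11 = file create (Sysmon numbering).
# Paths are the report's; pids 2720/2848 come from the memory-dump names, the
# remaining pids and every ppid are made up (the report lists processes flat).
SAMPLE_EVENTS = [
    {"ev": 1, "pid": 2720, "ppid": 1500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4373196495fd5bd61a3ca0dd086b415d.exe"'},
    {"ev": 11, "pid": 2720, "path": r"C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe"},
    {"ev": 1, "pid": 2848, "ppid": 2720,
     "image": r"C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe",
     "cmdline": r'"C:\Windows\Installer\{58064C04-220B-1AD9-A674-F7A386535C23}\syshost.exe" /service'},
    {"ev": 1, "pid": 2860, "ppid": 2720, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\18ef14.tmp"'},
    {"ev": 11, "pid": 2848, "path": r"C:\Windows\system32\drivers\f76f122.sys"},
    {"ev": 1, "pid": 2872, "ppid": 2848, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe -set TESTSIGNING ON"},
    # Benign control: an administrator only listing the boot configuration.
    {"ev": 1, "pid": 4000, "ppid": 3990, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum {current}"},
]

# bcdedit accepts "-set" and "/set"; each listed setting weakens kernel code-signing
# enforcement ("d+isable" also catches the DDISABLE_INTEGRITY_CHECKS spelling).
BCD_WEAKEN_RE = re.compile(r"bcdedit(?:\.exe)?\s+[-/]set\b.*?\b(testsigning|nointegritychecks|"
                           r"loadoptions\s+d+isable_integrity_checks)\b", re.IGNORECASE)
SELF_DELETE_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+del\b.*?"?([a-z]:\\[^"]+)"?', re.IGNORECASE)
DRIVERS_DIR = r"c:\windows\system32\drivers"
DRIVER_WRITERS = {"drvinst.exe", "msiexec.exe", "trustedinstaller.exe"}  # assumed allowlist


def detect(events):
    """Return (rule, pid, detail) findings over process-create and file-create events."""
    procs = {e["pid"]: e for e in events if e["ev"] == 1}
    dropped, findings = {}, []  # dropped: lower-cased path -> creating pid
    for e in events:
        if e["ev"] == 11:
            path = e["path"].lower()
            dropped[path] = e["pid"]
            # An unknown writer yields "" and is flagged too; only the allowlist is trusted.
            writer = ntpath.basename(procs.get(e["pid"], {}).get("image", "")).lower()
            if ntpath.dirname(path) == DRIVERS_DIR and path.endswith(".sys") and writer not in DRIVER_WRITERS:
                findings.append(("driver_dropped", e["pid"], e["path"]))
            continue
        image, cmd, parent = e["image"], e["cmdline"], procs.get(e["ppid"])
        if image.lower() in dropped:  # the report's "Executes dropped EXE"
            findings.append(("executes_dropped_exe", e["pid"], image))
        m = BCD_WEAKEN_RE.search(cmd)
        if m:
            findings.append(("bcd_weaken_code_signing", e["pid"], m.group(1).lower()))
        # cmd deleting a file in its parent's own directory is the self-delete pattern
        # (the sample renames itself to a .tmp first, then has cmd delete that).
        m = SELF_DELETE_RE.search(cmd)
        if m and parent and ntpath.dirname(m.group(1).lower()) == ntpath.dirname(parent["image"].lower()):
            findings.append(("self_delete_via_cmd", e["pid"], m.group(1)))
    return findings


def lineage(pid, procs):
    """pids from `pid` up to the first ancestor with no process record."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def triage(events):
    """Group findings by root process; three distinct rules in one tree is the verdict."""
    procs = {e["pid"]: e for e in events if e["ev"] == 1}
    by_root = defaultdict(set)
    for rule, pid, _ in detect(events):
        chain = lineage(pid, procs)
        by_root[chain[-1] if chain else pid].add(rule)
    return {root: "likely_malicious" if len(rules) >= 3 else "suspicious"
            for root, rules in by_root.items()}


# Constructed `bcdedit /enum {current}` output once TESTSIGNING has been applied
# (the real command prints this two-column layout).
SAMPLE_BCD_ENUM = """\
identifier              {current}
description             Windows 10
testsigning             Yes
"""


def weakened_boot_settings(enum_output):
    """Post-incident check: which code-signing settings does the BCD dump show enabled?"""
    enabled = set()
    for line in enum_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("testsigning", "nointegritychecks") \
                and parts[1].strip().lower() == "yes":
            enabled.add(parts[0].lower())
    return enabled


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print(triage(SAMPLE_EVENTS), weakened_boot_settings(SAMPLE_BCD_ENUM))
```

The benign "/enum" event is there to show the bcdedit rule keys on "-set"/"/set" with a trust-weakening option rather than on bcdedit.exe itself, which administrators run legitimately. On a live host, feed weakened_boot_settings the text of `bcdedit /enum {current}` run from an elevated prompt; a non-empty result after cleanup means the setting still needs reverting and the machine rebooting before any driver-signature enforcement can be trusted again.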
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
Files
memory/3428-0-0x0000000002470000-0x00000000024D0000-memory.dmp
memory/3428-1-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3428-2-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Windows\Installer\{D18F138F-C729-DB54-1DF8-4545FDD7D2F7}\syshost.exe
| MD5 | 4373196495fd5bd61a3ca0dd086b415d |
| SHA1 | 7e80f5e068643383fc29991333a23608ed322976 |
| SHA256 | ba531df27744b17a0006cda3da7751903ad9354cb5740c41a35913df05be0830 |
| SHA512 | 8576c0301afa4780e1637ba40fddba2c20075122273d7c95831ff782d2359c842e8e41066b1202937baefeff833b1163da1b883255bb0d81c940d817dc8ad7a8 |
memory/4912-6-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4912-8-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3428-11-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3428-10-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4912-13-0x0000000000400000-0x0000000000459000-memory.dmp