Malware Analysis Report

2024-09-23 04:16

Sample ID 240619-2gaceavdkd
Target 00e6f056c93844000da657f883763b37_JaffaCakes118
SHA256 3f76f12fbefcf128ee20c97f156acb276e203c681c7172949824256f35824187
Tags
metasploit backdoor evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f76f12fbefcf128ee20c97f156acb276e203c681c7172949824256f35824187

Threat Level: Known bad

The file 00e6f056c93844000da657f883763b37_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence privilege_escalation trojan

Modifies WinLogon for persistence

MetaSploit

Modifies security service

Modifies firewall policy service

Windows security bypass

Looks for VMWare Tools registry key

Boot or Logon Autostart Execution: Active Setup

Modifies Windows Firewall

Executes dropped EXE

Windows security modification

Deletes itself

Identifies Wine through registry keys

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 22:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 22:32

Reported

2024-06-19 22:35

Platform

win7-20240419-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe \"C:\\Windows\\Fonts\\wmsncs.exe\"" C:\Windows\Fonts\wmsncs.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Windows\Fonts\wmsncs.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\Fonts\wmsncs.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\Fonts\wmsncs.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\wmsncs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\wmsncs.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wins\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Windows\system32\spool\drivers\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Windows\system32\spool\drivers\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Windows\SysWOW64\wins\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\System\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\wmsncs.exe C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts\wmsncs.exe C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2568 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2568 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2568 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2568 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 3012 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 3012 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 3012 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 3012 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2856 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2856 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2856 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2856 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe"

C:\Windows\Fonts\wmsncs.exe

"C:\Windows\Fonts\wmsncs.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT2

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL

Network

Country Destination Domain Proto
US 8.8.8.8:53 hodkskis1981.weedns.com udp
US 8.8.8.8:53 xoxoxmyman.weedns.com udp
US 8.8.8.8:53 update.antiv-viru.co.cc udp
KR 175.126.123.219:8080 update.antiv-viru.co.cc tcp
US 8.8.8.8:53 liveupdate.viru-scan.co.cc udp
KR 175.126.123.219:8080 liveupdate.viru-scan.co.cc tcp
US 8.8.8.8:53 1.0x0103x0x0m.co.cc udp
KR 175.126.123.219:8080 1.0x0103x0x0m.co.cc tcp
US 8.8.8.8:53 1.itsy-bitsy.co.cc udp
KR 175.126.123.219:8080 1.itsy-bitsy.co.cc tcp
US 8.8.8.8:53 dashman.dnip.net udp
US 8.8.8.8:53 xoomopy.dnip.net udp
US 8.8.8.8:53 gertmann.effers.com udp
US 192.64.151.240:8080 gertmann.effers.com tcp
US 8.8.8.8:53 sunburn.flnet.org udp
NL 37.48.65.145:8080 sunburn.flnet.org tcp
US 8.8.8.8:53 secretsnake.opendns.be udp
FR 212.83.138.160:8080 secretsnake.opendns.be tcp
US 8.8.8.8:53 bluedog.opendns.be udp
FR 212.83.138.160:8080 bluedog.opendns.be tcp

Files

memory/2976-0-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2976-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2976-2-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2976-3-0x0000000000401000-0x0000000000423000-memory.dmp

C:\Windows\Fonts\wmsncs.exe

MD5 00e6f056c93844000da657f883763b37
SHA1 138f1df9b9b5c19f7701fad125ec236e58730ac1
SHA256 3f76f12fbefcf128ee20c97f156acb276e203c681c7172949824256f35824187
SHA512 94643d5971d9e8261451aaaa0622f3befc106cd109fc7fc7429d86ddeef942e9ae33eca75b9a1388dbee03879711a7f809e71f9b37c10dff31547eb0d519199b

memory/2736-7-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-8-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-9-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-10-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2976-11-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-27-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-37-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-38-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-48-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-58-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-71-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-82-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-92-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-105-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-115-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-128-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-138-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-151-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-161-0x0000000000400000-0x000000000071D000-memory.dmp

memory/2736-171-0x0000000000400000-0x000000000071D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 22:32

Reported

2024-06-19 22:35

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe"

Network

Files

memory/404-1-0x0000000000760000-0x00000000007A0000-memory.dmp

memory/404-0-0x0000000000400000-0x000000000071D000-memory.dmp

memory/404-2-0x0000000000400000-0x000000000071D000-memory.dmp

memory/404-3-0x0000000000760000-0x00000000007A0000-memory.dmp