Analysis Overview
SHA256
3f76f12fbefcf128ee20c97f156acb276e203c681c7172949824256f35824187
Threat Level: Known bad
The file 00e6f056c93844000da657f883763b37_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
MetaSploit
Modifies security service
Modifies firewall policy service
Windows security bypass
Looks for VMWare Tools registry key
Boot or Logon Autostart Execution: Active Setup
Modifies Windows Firewall
Executes dropped EXE
Windows security modification
Deletes itself
Identifies Wine through registry keys
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 22:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 22:32
Reported
2024-06-19 22:35
Platform
win7-20240419-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
MetaSploit
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe \"C:\\Windows\\Fonts\\wmsncs.exe\"" | C:\Windows\Fonts\wmsncs.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Windows\Fonts\wmsncs.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\Fonts\wmsncs.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Fonts\wmsncs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Fonts\wmsncs.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\wins\wmsncs.exe | C:\Windows\Fonts\wmsncs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\Fonts\wmsncs.exe | N/A |
| File created | C:\Windows\system32\spool\drivers\wmsncs.exe | C:\Windows\Fonts\wmsncs.exe | N/A |
| File opened for modification | C:\Windows\system32\spool\drivers\wmsncs.exe | C:\Windows\Fonts\wmsncs.exe | N/A |
| File created | C:\Windows\SysWOW64\wins\wmsncs.exe | C:\Windows\Fonts\wmsncs.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Common Files\System\wmsncs.exe | C:\Windows\Fonts\wmsncs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\wmsncs.exe | C:\Windows\Fonts\wmsncs.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Fonts\wmsncs.exe | C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Fonts\wmsncs.exe | C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Fonts\wmsncs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" | C:\Windows\Fonts\wmsncs.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Fonts\wmsncs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe"
C:\Windows\Fonts\wmsncs.exe
"C:\Windows\Fonts\wmsncs.exe"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT2
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | hodkskis1981.weedns.com | udp |
| US | 8.8.8.8:53 | xoxoxmyman.weedns.com | udp |
| US | 8.8.8.8:53 | update.antiv-viru.co.cc | udp |
| KR | 175.126.123.219:8080 | update.antiv-viru.co.cc | tcp |
| US | 8.8.8.8:53 | liveupdate.viru-scan.co.cc | udp |
| KR | 175.126.123.219:8080 | liveupdate.viru-scan.co.cc | tcp |
| US | 8.8.8.8:53 | 1.0x0103x0x0m.co.cc | udp |
| KR | 175.126.123.219:8080 | 1.0x0103x0x0m.co.cc | tcp |
| US | 8.8.8.8:53 | 1.itsy-bitsy.co.cc | udp |
| KR | 175.126.123.219:8080 | 1.itsy-bitsy.co.cc | tcp |
| US | 8.8.8.8:53 | dashman.dnip.net | udp |
| US | 8.8.8.8:53 | xoomopy.dnip.net | udp |
| US | 8.8.8.8:53 | gertmann.effers.com | udp |
| US | 192.64.151.240:8080 | gertmann.effers.com | tcp |
| US | 8.8.8.8:53 | sunburn.flnet.org | udp |
| NL | 37.48.65.145:8080 | sunburn.flnet.org | tcp |
| US | 8.8.8.8:53 | secretsnake.opendns.be | udp |
| FR | 212.83.138.160:8080 | secretsnake.opendns.be | tcp |
| US | 8.8.8.8:53 | bluedog.opendns.be | udp |
| FR | 212.83.138.160:8080 | bluedog.opendns.be | tcp |
Files
memory/2976-0-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2976-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2976-2-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2976-3-0x0000000000401000-0x0000000000423000-memory.dmp
C:\Windows\Fonts\wmsncs.exe
| Hash | Value |
|---|---|
| MD5 | 00e6f056c93844000da657f883763b37 |
| SHA1 | 138f1df9b9b5c19f7701fad125ec236e58730ac1 |
| SHA256 | 3f76f12fbefcf128ee20c97f156acb276e203c681c7172949824256f35824187 |
| SHA512 | 94643d5971d9e8261451aaaa0622f3befc106cd109fc7fc7429d86ddeef942e9ae33eca75b9a1388dbee03879711a7f809e71f9b37c10dff31547eb0d519199b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 22:32
Reported
2024-06-19 22:35
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e6f056c93844000da657f883763b37_JaffaCakes118.exe"
Network
Files
memory/404-1-0x0000000000760000-0x00000000007A0000-memory.dmp
memory/404-0-0x0000000000400000-0x000000000071D000-memory.dmp
memory/404-2-0x0000000000400000-0x000000000071D000-memory.dmp
memory/404-3-0x0000000000760000-0x00000000007A0000-memory.dmp