Analysis
-
max time kernel
128s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
24/06/2024, 12:48
General
-
Target
089825ae526a0a96cf678cfa46ab3fb8_JaffaCakes118.exe
-
Size
30KB
-
MD5
089825ae526a0a96cf678cfa46ab3fb8
-
SHA1
6519155380a112fee7175fd9eccf1a3ca1c2178e
-
SHA256
c7e132c55fa6e00e98e764635929711f2a6cff15995ab8d877d4ef11b5d47c41
-
SHA512
825ed3ba679eac85e8f58c94fb0eaf77165f5717ba53a7a70b85351eb83c1c9f87d0dc93eb8aaecf793de323e4a5f00da6d8dc026a736e0142b124011d816d11
-
SSDEEP
384:n/cx2DN0MCLP4TLpxxklqd8ukQ379EGR7l1j8OWntErWyc7sESVacoLUicM4W51o:JF4ArxCM98CvVaZUPMj6t
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 3 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\089825ae526a0a96cf678cfa46ab3fb8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\089825ae526a0a96cf678cfa46ab3fb8_JaffaCakes118.exe"1⤵
- UAC bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\wscntfy.exe"C:\ProgramData\wscntfy.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Common Files\lsmass.exe"C:\Program Files (x86)\Common Files\lsmass.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exe"netsh.exe" firewall add allowedprogram program="C:\Program Files (x86)\Common Files\lsmass.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD5089825ae526a0a96cf678cfa46ab3fb8
SHA16519155380a112fee7175fd9eccf1a3ca1c2178e
SHA256c7e132c55fa6e00e98e764635929711f2a6cff15995ab8d877d4ef11b5d47c41
SHA512825ed3ba679eac85e8f58c94fb0eaf77165f5717ba53a7a70b85351eb83c1c9f87d0dc93eb8aaecf793de323e4a5f00da6d8dc026a736e0142b124011d816d11
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB