Analysis
-
max time kernel
138s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
24/06/2024, 12:48
General
-
Target
089825ae526a0a96cf678cfa46ab3fb8_JaffaCakes118.exe
-
Size
30KB
-
MD5
089825ae526a0a96cf678cfa46ab3fb8
-
SHA1
6519155380a112fee7175fd9eccf1a3ca1c2178e
-
SHA256
c7e132c55fa6e00e98e764635929711f2a6cff15995ab8d877d4ef11b5d47c41
-
SHA512
825ed3ba679eac85e8f58c94fb0eaf77165f5717ba53a7a70b85351eb83c1c9f87d0dc93eb8aaecf793de323e4a5f00da6d8dc026a736e0142b124011d816d11
-
SSDEEP
384:n/cx2DN0MCLP4TLpxxklqd8ukQ379EGR7l1j8OWntErWyc7sESVacoLUicM4W51o:JF4ArxCM98CvVaZUPMj6t
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 3 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\089825ae526a0a96cf678cfa46ab3fb8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\089825ae526a0a96cf678cfa46ab3fb8_JaffaCakes118.exe"1⤵
- UAC bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\wscntfy.exe"C:\ProgramData\wscntfy.exe"2⤵
- UAC bypass
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exe"netsh.exe" firewall add allowedprogram program="C:\ProgramData\wscntfy.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Program Files (x86)\Common Files\lsmass.exe"C:\Program Files (x86)\Common Files\lsmass.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD5089825ae526a0a96cf678cfa46ab3fb8
SHA16519155380a112fee7175fd9eccf1a3ca1c2178e
SHA256c7e132c55fa6e00e98e764635929711f2a6cff15995ab8d877d4ef11b5d47c41
SHA512825ed3ba679eac85e8f58c94fb0eaf77165f5717ba53a7a70b85351eb83c1c9f87d0dc93eb8aaecf793de323e4a5f00da6d8dc026a736e0142b124011d816d11
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB