Analysis
  max time kernel: 133s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 27-06-2024 08:21

Behavioral task: behavioral1
  Sample: 154e078a01c64594670fc142909254ee_JaffaCakes118.exe
  Resource: win7-20240611-en
General
  Target: 154e078a01c64594670fc142909254ee_JaffaCakes118.exe
  Size: 723KB
  MD5: 154e078a01c64594670fc142909254ee
  SHA1: 22cae4c77eb6e3ff4163b39b65dafceb935e1f11
  SHA256: 7c76299e3ac43fd7282eb0a981138f2e4e8a6521cc2ba7486049c8c92ad68900
  SHA512: 323d1ac93b1676834c21d267f23a0e08aced1677fe939cc8d205d3a49da3c834729799a7f31983cfae16da1e5908093481732653cb8aa7bbdd70ba8968a3c172
  SSDEEP: 12288:7FLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafBo6vnTylKM/q9jJr:Z3nbWmJVJFwSddIXvfhqbia/v2jq9V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 154e078a01c64594670fc142909254ee_JaffaCakes118.exe)
Modifies firewall policy service (3 TTPs, 3 IoCs)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)
Modifies security service (2 TTPs, 1 IoC)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: msdcsc.exe)
Windows security bypass (signature name taken from the process tree below; TTP/IoC counts not present in the source)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Disables RegEdit via registry modification (1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: msdcsc.exe)

Disables Task Manager via registry modification
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  - PID 2712 attrib.exe
  - PID 1112 attrib.exe
Executes dropped EXE (1 IoC)
  - PID 2768 msdcsc.exe
Loads dropped DLL (2 IoCs)
  - PID 1212 154e078a01c64594670fc142909254ee_JaffaCakes118.exe
  - PID 1212 154e078a01c64594670fc142909254ee_JaffaCakes118.exe
Windows security modification (signature name taken from the process tree below; TTP/IoC counts not present in the source)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 154e078a01c64594670fc142909254ee_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2768 msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  - PID 1212 154e078a01c64594670fc142909254ee_JaffaCakes118.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 2768 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 2768 msdcsc.exe
Suspicious use of WriteProcessMemory (20 IoCs; each relation below was logged 4 times)
  - PID 1212 154e078a01c64594670fc142909254ee_JaffaCakes118.exe wrote to memory of PID 2688 cmd.exe (4 entries)
  - PID 1212 154e078a01c64594670fc142909254ee_JaffaCakes118.exe wrote to memory of PID 2872 cmd.exe (4 entries)
  - PID 2872 cmd.exe wrote to memory of PID 2712 attrib.exe (4 entries)
  - PID 2688 cmd.exe wrote to memory of PID 1112 attrib.exe (4 entries)
  - PID 1212 154e078a01c64594670fc142909254ee_JaffaCakes118.exe wrote to memory of PID 2768 msdcsc.exe (4 entries)
System policy modification (1 TTP, 3 IoCs)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
Views/modifies file attributes (1 TTP, 2 IoCs)
  - PID 2712 attrib.exe
  - PID 1112 attrib.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\154e078a01c64594670fc142909254ee_JaffaCakes118.exe
      command: "C:\Users\Admin\AppData\Local\Temp\154e078a01c64594670fc142909254ee_JaffaCakes118.exe"
      PID: 1212
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        PID: 2688
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\attrib.exe
          command: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          PID: 1112
          - Sets file to hidden
          - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        PID: 2872
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\attrib.exe
          command: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          PID: 2712
          - Sets file to hidden
          - Views/modifies file attributes
    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        command: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        PID: 2768
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
    Create or Modify System Process (2)
      Windows Service (2)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
    Create or Modify System Process (2)
      Windows Service (2)
Downloads