1002a6e376ff550fc94c0fc6330acab0de4ca218ab2728e6c0bffe41a8f42c3e

Analysis

max time kernel
130s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
Size

606KB
MD5

228ab772c65ef9264b1863d2449efdec
SHA1

d8e068e4d84a0d6c956b477941f015fc2c250be3
SHA256

1002a6e376ff550fc94c0fc6330acab0de4ca218ab2728e6c0bffe41a8f42c3e
SHA512

6cd97dd6717d18620c210b5a487046bfcf5af920a0af50f4c328ef58dc4480b79de226e9236dc5bd482dcd32435f18310a618518e38fd96e0d4ab2bcea890d1c
SSDEEP

12288:8utrzh9xOXkV9Pl4xaKlVIlVNU4B4teFTxsTVrNt0uuVVCtzVCNyMlUQ:8utr5OUV9PlRKjI3NUvtcxsTVXIVgtc9

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\AppPatch\\wscntfy.exe,C:\\Windows\\help\\svchost.exe"	mouse.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscntfy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mouse.exe

Executes dropped EXE 4 IoCs

pid	Process
2024	my_facebook_photo.exe
2328	un_lock.exe
2780	mouse.exe
2576	wscntfy.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	mouse.exe
2780	mouse.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mouse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscntfy.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	wscntfy.exe
File opened (read-only)	\??\N:	wscntfy.exe
File opened (read-only)	\??\O:	wscntfy.exe
File opened (read-only)	\??\Q:	wscntfy.exe
File opened (read-only)	\??\V:	wscntfy.exe
File opened (read-only)	\??\Z:	wscntfy.exe
File opened (read-only)	\??\G:	wscntfy.exe
File opened (read-only)	\??\H:	wscntfy.exe
File opened (read-only)	\??\J:	wscntfy.exe
File opened (read-only)	\??\M:	wscntfy.exe
File opened (read-only)	\??\P:	wscntfy.exe
File opened (read-only)	\??\T:	wscntfy.exe
File opened (read-only)	\??\E:	wscntfy.exe
File opened (read-only)	\??\K:	wscntfy.exe
File opened (read-only)	\??\Y:	wscntfy.exe
File opened (read-only)	\??\W:	wscntfy.exe
File opened (read-only)	\??\X:	wscntfy.exe
File opened (read-only)	\??\B:	wscntfy.exe
File opened (read-only)	\??\I:	wscntfy.exe
File opened (read-only)	\??\L:	wscntfy.exe
File opened (read-only)	\??\R:	wscntfy.exe
File opened (read-only)	\??\S:	wscntfy.exe
File opened (read-only)	\??\U:	wscntfy.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\lock.rar	my_facebook_photo.exe
File created	C:\Windows\AppPatch\wscntfy.exe	mouse.exe
File opened for modification	C:\Windows\my_facebook_photo.exe	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259403080	my_facebook_photo.exe
File opened for modification	C:\Windows\un_lock.exe	my_facebook_photo.exe
File opened for modification	C:\Windows\mouse.exe	un_lock.exe
File opened for modification	C:\Windows\AppPatch\wscntfy.exe	mouse.exe
File opened for modification	C:\Windows\lock.rar	my_facebook_photo.exe
File opened for modification	C:\Windows\run.bat	my_facebook_photo.exe
File created	C:\Windows\mouse.exe	un_lock.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259402892	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
File created	C:\Windows\my_facebook_photo.exe	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
File created	C:\Windows\un_lock.exe	my_facebook_photo.exe
File created	C:\Windows\run.bat	my_facebook_photo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2024	1740	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2840	2024	my_facebook_photo.exe	29
PID 2024 wrote to memory of 2840	2024	my_facebook_photo.exe	29
PID 2024 wrote to memory of 2840	2024	my_facebook_photo.exe	29
PID 2024 wrote to memory of 2840	2024	my_facebook_photo.exe	29
PID 2840 wrote to memory of 2596	2840	cmd.exe	31
PID 2840 wrote to memory of 2596	2840	cmd.exe	31
PID 2840 wrote to memory of 2596	2840	cmd.exe	31
PID 2840 wrote to memory of 2596	2840	cmd.exe	31
PID 2596 wrote to memory of 2328	2596	cmd.exe	33
PID 2596 wrote to memory of 2328	2596	cmd.exe	33
PID 2596 wrote to memory of 2328	2596	cmd.exe	33
PID 2596 wrote to memory of 2328	2596	cmd.exe	33
PID 2596 wrote to memory of 2740	2596	cmd.exe	35
PID 2596 wrote to memory of 2740	2596	cmd.exe	35
PID 2596 wrote to memory of 2740	2596	cmd.exe	35
PID 2596 wrote to memory of 2740	2596	cmd.exe	35
PID 2596 wrote to memory of 2780	2596	cmd.exe	36
PID 2596 wrote to memory of 2780	2596	cmd.exe	36
PID 2596 wrote to memory of 2780	2596	cmd.exe	36
PID 2596 wrote to memory of 2780	2596	cmd.exe	36
PID 2780 wrote to memory of 2680	2780	mouse.exe	37
PID 2780 wrote to memory of 2680	2780	mouse.exe	37
PID 2780 wrote to memory of 2680	2780	mouse.exe	37
PID 2780 wrote to memory of 2680	2780	mouse.exe	37
PID 2680 wrote to memory of 2696	2680	cmd.exe	39
PID 2680 wrote to memory of 2696	2680	cmd.exe	39
PID 2680 wrote to memory of 2696	2680	cmd.exe	39
PID 2680 wrote to memory of 2696	2680	cmd.exe	39
PID 2680 wrote to memory of 2668	2680	cmd.exe	40
PID 2680 wrote to memory of 2668	2680	cmd.exe	40
PID 2680 wrote to memory of 2668	2680	cmd.exe	40
PID 2680 wrote to memory of 2668	2680	cmd.exe	40
PID 2780 wrote to memory of 2772	2780	mouse.exe	41
PID 2780 wrote to memory of 2772	2780	mouse.exe	41
PID 2780 wrote to memory of 2772	2780	mouse.exe	41
PID 2780 wrote to memory of 2772	2780	mouse.exe	41
PID 2772 wrote to memory of 2512	2772	cmd.exe	43
PID 2772 wrote to memory of 2512	2772	cmd.exe	43
PID 2772 wrote to memory of 2512	2772	cmd.exe	43
PID 2772 wrote to memory of 2512	2772	cmd.exe	43
PID 2772 wrote to memory of 2520	2772	cmd.exe	44
PID 2772 wrote to memory of 2520	2772	cmd.exe	44
PID 2772 wrote to memory of 2520	2772	cmd.exe	44
PID 2772 wrote to memory of 2520	2772	cmd.exe	44
PID 2780 wrote to memory of 2576	2780	mouse.exe	45
PID 2780 wrote to memory of 2576	2780	mouse.exe	45
PID 2780 wrote to memory of 2576	2780	mouse.exe	45
PID 2780 wrote to memory of 2576	2780	mouse.exe	45

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mouse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscntfy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mouse.exe

C:\Users\Admin\AppData\Local\Temp\228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\my_facebook_photo.exe
  "C:\Windows\my_facebook_photo.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min run.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K run.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\un_lock.exe
        
        un_lock.exe x lock.rar -o+ -p112233
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2328
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.1
        5⤵
        Runs ping.exe
        
        PID:2740
    - - C:\Windows\mouse.exe
        
        mouse.exe
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo y|cacls C:\Windows\AppPatch /c /t /g BUILTIN\Administrators:f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        7⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls C:\Windows\AppPatch /c /t /g BUILTIN\Administrators:f
        7⤵
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo y|cacls C:\Windows\AppPatch /c /t /g everyone:r
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        7⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls C:\Windows\AppPatch /c /t /g everyone:r
        7⤵
        
        PID:2520
      - C:\Windows\AppPatch\wscntfy.exe
        
        C:\Windows\AppPatch\wscntfy.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Enumerates connected drives
        System policy modification
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lock.rar

Filesize
283KB

MD5
f309812bc30ede3e0cb2d153cd308eff

SHA1
d934ed3cf64ec7dbe8149a481b922d1cac2d459b

SHA256
4827e8b75ffe836aac4496c9776bfe1d82c946282d7b4eb0e7cd8b1f84a84d46

SHA512
40718ff41cad7cb5e78d920c8b749d6ae665afb05422058066ec9787785a67b917c364a46ed5b0a64bbd6fa2c215d019f23b5bb50307e4865ae9d1512d0acbcc

Download Submit
C:\Windows\mouse.exe

Filesize
496KB

MD5
e6b7fcb92f4f6bd37c90fb4c7711f119

SHA1
cf3b196cfc1f94aab26f315656c2c108b4afb824

SHA256
1762514cd1b3464b600a0021222d99be019717242e3ac148bf07e1dba548ddd3

SHA512
9b06c6396d3710f0a1cbad945249aa24ee4aa9e52e56a2c4ffb01c9c9fb95852782086761a60e1cf5b725ca0cdebcbf7dd6a6410288ecc30d9d43bbb60f32cfa

Download Submit
C:\Windows\my_facebook_photo.exe

Filesize
579KB

MD5
b56bbdf5fa8a9a45b610e3101abb1760

SHA1
9faef03a37d2a00b5997ae2ca4f5b72cbc88b8e8

SHA256
cffd8709c771543bac7cd9bb280efcb1ecff4d8fc18ef8b5f2ca81b83499df3a

SHA512
41995f8fa539bd4a42f2fee48d5432bbbf0729b43927bde0c0e183fc116d86e819516c6d5577341638c9e057cbc19a57750b9f0571978d7d3b02ce0a5a311bc8

Download Submit
C:\Windows\run.bat

Filesize
152B

MD5
ca438926e36d6cbe183fce2c28f123bc

SHA1
88ce6c95531c9e1a5f68626133b54fe081b4117f

SHA256
98e1b9c70bef2b14d22b367aefd816d1134af15ad85415b0ec446324775cb79d

SHA512
4d6425a29909da421d4edd56d50d0c38e52a50e1641e26cc83272d516d0f9ea1fdb5efbb4900e37fcb837702792c26dddda48f3077dd21cdea230abdb8c76fe7

Download Submit
C:\Windows\un_lock.exe

Filesize
240KB

MD5
49710e363e4c247716508672f909d5ba

SHA1
74538e7a6515166fd6e83b9c72ee28e529e462e8

SHA256
cffd9238edb8484c2831508505e81a733f5074ba002f98e573dbdb7118c687ad

SHA512
e863b4bcb332a552d73a9dc2e41a4e86a4b528cd46991d3489c129ff46973778f65fac73051bd4a6d33e5c15b1154bc761bda376a767f48a3cc1d9391ada700f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads