1002a6e376ff550fc94c0fc6330acab0de4ca218ab2728e6c0bffe41a8f42c3e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
Size

606KB
MD5

228ab772c65ef9264b1863d2449efdec
SHA1

d8e068e4d84a0d6c956b477941f015fc2c250be3
SHA256

1002a6e376ff550fc94c0fc6330acab0de4ca218ab2728e6c0bffe41a8f42c3e
SHA512

6cd97dd6717d18620c210b5a487046bfcf5af920a0af50f4c328ef58dc4480b79de226e9236dc5bd482dcd32435f18310a618518e38fd96e0d4ab2bcea890d1c
SSDEEP

12288:8utrzh9xOXkV9Pl4xaKlVIlVNU4B4teFTxsTVrNt0uuVVCtzVCNyMlUQ:8utr5OUV9PlRKjI3NUvtcxsTVXIVgtc9

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\AppPatch\\wscntfy.exe,C:\\Windows\\help\\svchost.exe"	mouse.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mouse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscntfy.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	my_facebook_photo.exe

Executes dropped EXE 4 IoCs

pid	Process
1160	my_facebook_photo.exe
3500	un_lock.exe
4864	mouse.exe
4532	wscntfy.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mouse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscntfy.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	wscntfy.exe
File opened (read-only)	\??\Z:	wscntfy.exe
File opened (read-only)	\??\K:	wscntfy.exe
File opened (read-only)	\??\L:	wscntfy.exe
File opened (read-only)	\??\N:	wscntfy.exe
File opened (read-only)	\??\O:	wscntfy.exe
File opened (read-only)	\??\P:	wscntfy.exe
File opened (read-only)	\??\S:	wscntfy.exe
File opened (read-only)	\??\U:	wscntfy.exe
File opened (read-only)	\??\W:	wscntfy.exe
File opened (read-only)	\??\B:	wscntfy.exe
File opened (read-only)	\??\G:	wscntfy.exe
File opened (read-only)	\??\I:	wscntfy.exe
File opened (read-only)	\??\J:	wscntfy.exe
File opened (read-only)	\??\Q:	wscntfy.exe
File opened (read-only)	\??\A:	wscntfy.exe
File opened (read-only)	\??\H:	wscntfy.exe
File opened (read-only)	\??\M:	wscntfy.exe
File opened (read-only)	\??\R:	wscntfy.exe
File opened (read-only)	\??\Y:	wscntfy.exe
File opened (read-only)	\??\E:	wscntfy.exe
File opened (read-only)	\??\V:	wscntfy.exe
File opened (read-only)	\??\X:	wscntfy.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\un_lock.exe	my_facebook_photo.exe
File created	C:\Windows\run.bat	my_facebook_photo.exe
File created	C:\Windows\mouse.exe	un_lock.exe
File opened for modification	C:\Windows\my_facebook_photo.exe	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240600734	my_facebook_photo.exe
File opened for modification	C:\Windows\mouse.exe	un_lock.exe
File created	C:\Windows\AppPatch\wscntfy.exe	mouse.exe
File opened for modification	C:\Windows\AppPatch\wscntfy.exe	mouse.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240600421	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
File created	C:\Windows\my_facebook_photo.exe	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
File opened for modification	C:\Windows\lock.rar	my_facebook_photo.exe
File opened for modification	C:\Windows\run.bat	my_facebook_photo.exe
File opened for modification	C:\Windows\un_lock.exe	my_facebook_photo.exe
File created	C:\Windows\lock.rar	my_facebook_photo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1208	PING.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1160	2660	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	80
PID 2660 wrote to memory of 1160	2660	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	80
PID 2660 wrote to memory of 1160	2660	228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe	80
PID 1160 wrote to memory of 3012	1160	my_facebook_photo.exe	81
PID 1160 wrote to memory of 3012	1160	my_facebook_photo.exe	81
PID 1160 wrote to memory of 3012	1160	my_facebook_photo.exe	81
PID 3012 wrote to memory of 3468	3012	cmd.exe	83
PID 3012 wrote to memory of 3468	3012	cmd.exe	83
PID 3012 wrote to memory of 3468	3012	cmd.exe	83
PID 3468 wrote to memory of 3500	3468	cmd.exe	85
PID 3468 wrote to memory of 3500	3468	cmd.exe	85
PID 3468 wrote to memory of 3500	3468	cmd.exe	85
PID 3468 wrote to memory of 1208	3468	cmd.exe	86
PID 3468 wrote to memory of 1208	3468	cmd.exe	86
PID 3468 wrote to memory of 1208	3468	cmd.exe	86
PID 3468 wrote to memory of 4864	3468	cmd.exe	88
PID 3468 wrote to memory of 4864	3468	cmd.exe	88
PID 3468 wrote to memory of 4864	3468	cmd.exe	88
PID 4864 wrote to memory of 1504	4864	mouse.exe	89
PID 4864 wrote to memory of 1504	4864	mouse.exe	89
PID 4864 wrote to memory of 1504	4864	mouse.exe	89
PID 1504 wrote to memory of 3432	1504	cmd.exe	91
PID 1504 wrote to memory of 3432	1504	cmd.exe	91
PID 1504 wrote to memory of 3432	1504	cmd.exe	91
PID 1504 wrote to memory of 3440	1504	cmd.exe	92
PID 1504 wrote to memory of 3440	1504	cmd.exe	92
PID 1504 wrote to memory of 3440	1504	cmd.exe	92
PID 4864 wrote to memory of 2596	4864	mouse.exe	93
PID 4864 wrote to memory of 2596	4864	mouse.exe	93
PID 4864 wrote to memory of 2596	4864	mouse.exe	93
PID 2596 wrote to memory of 2120	2596	cmd.exe	95
PID 2596 wrote to memory of 2120	2596	cmd.exe	95
PID 2596 wrote to memory of 2120	2596	cmd.exe	95
PID 2596 wrote to memory of 2116	2596	cmd.exe	96
PID 2596 wrote to memory of 2116	2596	cmd.exe	96
PID 2596 wrote to memory of 2116	2596	cmd.exe	96
PID 4864 wrote to memory of 4532	4864	mouse.exe	97
PID 4864 wrote to memory of 4532	4864	mouse.exe	97
PID 4864 wrote to memory of 4532	4864	mouse.exe	97

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mouse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mouse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscntfy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscntfy.exe

C:\Users\Admin\AppData\Local\Temp\228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228ab772c65ef9264b1863d2449efdec_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\my_facebook_photo.exe
  "C:\Windows\my_facebook_photo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min run.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K run.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\un_lock.exe
        
        un_lock.exe x lock.rar -o+ -p112233
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3500
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.1
        5⤵
        Runs ping.exe
        
        PID:1208
    - - C:\Windows\mouse.exe
        
        mouse.exe
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo y|cacls C:\Windows\AppPatch /c /t /g BUILTIN\Administrators:f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        7⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls C:\Windows\AppPatch /c /t /g BUILTIN\Administrators:f
        7⤵
        
        PID:3440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo y|cacls C:\Windows\AppPatch /c /t /g everyone:r
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        7⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls C:\Windows\AppPatch /c /t /g everyone:r
        7⤵
        
        PID:2116
      - C:\Windows\AppPatch\wscntfy.exe
        
        C:\Windows\AppPatch\wscntfy.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Enumerates connected drives
        System policy modification
        
        PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lock.rar

Filesize
283KB

MD5
f309812bc30ede3e0cb2d153cd308eff

SHA1
d934ed3cf64ec7dbe8149a481b922d1cac2d459b

SHA256
4827e8b75ffe836aac4496c9776bfe1d82c946282d7b4eb0e7cd8b1f84a84d46

SHA512
40718ff41cad7cb5e78d920c8b749d6ae665afb05422058066ec9787785a67b917c364a46ed5b0a64bbd6fa2c215d019f23b5bb50307e4865ae9d1512d0acbcc

Download Submit
C:\Windows\mouse.exe

Filesize
496KB

MD5
e6b7fcb92f4f6bd37c90fb4c7711f119

SHA1
cf3b196cfc1f94aab26f315656c2c108b4afb824

SHA256
1762514cd1b3464b600a0021222d99be019717242e3ac148bf07e1dba548ddd3

SHA512
9b06c6396d3710f0a1cbad945249aa24ee4aa9e52e56a2c4ffb01c9c9fb95852782086761a60e1cf5b725ca0cdebcbf7dd6a6410288ecc30d9d43bbb60f32cfa

Download Submit
C:\Windows\my_facebook_photo.exe

Filesize
579KB

MD5
b56bbdf5fa8a9a45b610e3101abb1760

SHA1
9faef03a37d2a00b5997ae2ca4f5b72cbc88b8e8

SHA256
cffd8709c771543bac7cd9bb280efcb1ecff4d8fc18ef8b5f2ca81b83499df3a

SHA512
41995f8fa539bd4a42f2fee48d5432bbbf0729b43927bde0c0e183fc116d86e819516c6d5577341638c9e057cbc19a57750b9f0571978d7d3b02ce0a5a311bc8

Download Submit
C:\Windows\run.bat

Filesize
152B

MD5
ca438926e36d6cbe183fce2c28f123bc

SHA1
88ce6c95531c9e1a5f68626133b54fe081b4117f

SHA256
98e1b9c70bef2b14d22b367aefd816d1134af15ad85415b0ec446324775cb79d

SHA512
4d6425a29909da421d4edd56d50d0c38e52a50e1641e26cc83272d516d0f9ea1fdb5efbb4900e37fcb837702792c26dddda48f3077dd21cdea230abdb8c76fe7

Download Submit
C:\Windows\un_lock.exe

Filesize
240KB

MD5
49710e363e4c247716508672f909d5ba

SHA1
74538e7a6515166fd6e83b9c72ee28e529e462e8

SHA256
cffd9238edb8484c2831508505e81a733f5074ba002f98e573dbdb7118c687ad

SHA512
e863b4bcb332a552d73a9dc2e41a4e86a4b528cd46991d3489c129ff46973778f65fac73051bd4a6d33e5c15b1154bc761bda376a767f48a3cc1d9391ada700f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads