Malware Analysis Report

2025-01-03 08:24

Sample ID 240704-bnhn9awfqj
Target 242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118
SHA256 d3a71f2ce6fda71ab66cabb9e28ad25991c4bb7e949c2438e73059337ac81e59
Tags
metasploit backdoor evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d3a71f2ce6fda71ab66cabb9e28ad25991c4bb7e949c2438e73059337ac81e59

Threat Level: Known bad

The file 242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence privilege_escalation trojan

MetaSploit

Windows security bypass

Modifies firewall policy service

Modifies security service

Modifies WinLogon for persistence

Modifies Windows Firewall

Boot or Logon Autostart Execution: Active Setup

Looks for VMWare Tools registry key

Windows security modification

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 01:17

Reported

2024-07-04 01:20

Platform

win7-20240508-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe \"C:\\Windows\\Fonts\\wmsncs.exe\"" C:\Windows\Fonts\wmsncs.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\wmsncs.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\Fonts\wmsncs.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\Fonts\wmsncs.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\wmsncs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\wmsncs.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wins\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Windows\system32\spool\drivers\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Windows\system32\spool\drivers\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Windows\SysWOW64\wins\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Program Files (x86)\Common Files\System\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\wmsncs.exe C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts\wmsncs.exe C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
Token: 33 N/A C:\Windows\Fonts\wmsncs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Fonts\wmsncs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2792 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2792 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2792 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2792 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2656 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2656 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2656 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2656 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2500 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2500 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2500 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2500 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2532 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2532 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2532 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2532 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe"

C:\Windows\Fonts\wmsncs.exe

"C:\Windows\Fonts\wmsncs.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT2

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL

Network

Country Destination Domain Proto
US 8.8.8.8:53 hodkskis1981.weedns.com udp
US 8.8.8.8:53 xoxoxmyman.weedns.com udp
US 8.8.8.8:53 1.0x0103x0x0m.co.cc udp
KR 175.126.123.219:8080 1.0x0103x0x0m.co.cc tcp
US 8.8.8.8:53 1.itsy-bitsy.co.cc udp
KR 175.126.123.219:8080 1.itsy-bitsy.co.cc tcp
US 8.8.8.8:53 dashman.dnip.net udp
US 8.8.8.8:53 xoomopy.dnip.net udp
US 8.8.8.8:53 gertmann.effers.com udp
US 91.199.82.208:8080 gertmann.effers.com tcp
US 8.8.8.8:53 sunburn.flnet.org udp
NL 185.107.56.193:8080 sunburn.flnet.org tcp
US 8.8.8.8:53 secretsnake.opendns.be udp
FR 212.83.138.160:8080 secretsnake.opendns.be tcp
US 8.8.8.8:53 bluedog.opendns.be udp
FR 212.83.138.160:8080 bluedog.opendns.be tcp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 greenman.weedns.com udp

Files

memory/3016-0-0x0000000000400000-0x0000000000663000-memory.dmp

memory/3016-1-0x0000000000400000-0x0000000000663000-memory.dmp

memory/3016-2-0x0000000000400000-0x0000000000663000-memory.dmp

C:\Windows\Fonts\wmsncs.exe

MD5 242205f019fb37e9e88dc6a23861fbf2
SHA1 9f9277560a7a1ceea78e27b3fa458df8b4462244
SHA256 d3a71f2ce6fda71ab66cabb9e28ad25991c4bb7e949c2438e73059337ac81e59
SHA512 3de03611c48a62b749a73326f4dd4087cd0107b6ae067eb5744e7580f86211e0bf07bc4d53456fcb677025a7c7d2af16a6e28da946b389f22e74f121f43c6970

memory/2572-6-0x0000000000400000-0x0000000000663000-memory.dmp

memory/2572-7-0x0000000000400000-0x0000000000663000-memory.dmp

memory/3016-8-0x0000000000400000-0x0000000000663000-memory.dmp

memory/2572-30-0x0000000000400000-0x0000000000663000-memory.dmp

memory/2572-37-0x0000000000400000-0x0000000000663000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 01:17

Reported

2024-07-04 01:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe \"C:\\Windows\\Fonts\\wmsncs.exe\"" C:\Windows\Fonts\wmsncs.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\Fonts\wmsncs.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\Fonts\wmsncs.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\Fonts\wmsncs.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\wmsncs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\wmsncs.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\wmsncs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\drivers\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Windows\system32\spool\drivers\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Windows\SysWOW64\wins\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Windows\SysWOW64\wins\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System C:\Windows\Fonts\wmsncs.exe N/A
File created C:\Program Files (x86)\Common Files\System\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\wmsncs.exe C:\Windows\Fonts\wmsncs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\wmsncs.exe C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts\wmsncs.exe C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM} C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components C:\Windows\Fonts\wmsncs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Fonts\wmsncs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\wmsncs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Fonts\wmsncs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe N/A
Token: 33 N/A C:\Windows\Fonts\wmsncs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Fonts\wmsncs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 1380 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 1380 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 1380 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 3828 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 3828 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 3828 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 1472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 1472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 1472 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 3964 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 3964 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 3964 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 4840 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 4840 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 4840 N/A C:\Windows\Fonts\wmsncs.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\242205f019fb37e9e88dc6a23861fbf2_JaffaCakes118.exe"

C:\Windows\Fonts\wmsncs.exe

"C:\Windows\Fonts\wmsncs.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT2

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 hodkskis1981.weedns.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 xoxoxmyman.weedns.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 1.0x0103x0x0m.co.cc udp
KR 175.126.123.219:8080 1.0x0103x0x0m.co.cc tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 1.itsy-bitsy.co.cc udp
KR 175.126.123.219:8080 1.itsy-bitsy.co.cc tcp
US 8.8.8.8:53 dashman.dnip.net udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 xoomopy.dnip.net udp
US 8.8.8.8:53 gertmann.effers.com udp
US 91.199.82.208:8080 gertmann.effers.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 sunburn.flnet.org udp
NL 185.107.56.193:8080 sunburn.flnet.org tcp
US 8.8.8.8:53 193.56.107.185.in-addr.arpa udp
US 8.8.8.8:53 secretsnake.opendns.be udp
FR 212.83.138.160:8080 secretsnake.opendns.be tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 bluedog.opendns.be udp
FR 212.83.138.160:8080 bluedog.opendns.be tcp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 greenman.weedns.com udp

Files

memory/748-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/748-2-0x0000000000401000-0x0000000000637000-memory.dmp

memory/748-0-0x0000000000400000-0x0000000000663000-memory.dmp

C:\Windows\Fonts\wmsncs.exe

MD5 242205f019fb37e9e88dc6a23861fbf2
SHA1 9f9277560a7a1ceea78e27b3fa458df8b4462244
SHA256 d3a71f2ce6fda71ab66cabb9e28ad25991c4bb7e949c2438e73059337ac81e59
SHA512 3de03611c48a62b749a73326f4dd4087cd0107b6ae067eb5744e7580f86211e0bf07bc4d53456fcb677025a7c7d2af16a6e28da946b389f22e74f121f43c6970

memory/1816-7-0x0000000000400000-0x0000000000663000-memory.dmp

memory/1816-11-0x0000000000400000-0x0000000000663000-memory.dmp

memory/748-10-0x0000000000400000-0x0000000000663000-memory.dmp

memory/1816-9-0x0000000000400000-0x0000000000663000-memory.dmp

memory/748-8-0x0000000000401000-0x0000000000637000-memory.dmp

memory/1816-36-0x0000000000400000-0x0000000000663000-memory.dmp

memory/1816-40-0x0000000000400000-0x0000000000663000-memory.dmp