Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-07-2024 05:16
Static task: static1

Behavioral task: behavioral1
Sample: 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe
Resource: win10v2004-20240704-en
General

Target: 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe
Size: 191KB
MD5: 275e4fb802670ac45647885f0cff516b
SHA1: 6a787ff47b390bd869ec3705941ec099d5e128ed
SHA256: 720c224ea9fa4ba58d5d35dbe67fc6f3e2e084361a926fcca92e41bdc04760af
SHA512: e0e6448243cda05e0a4a1d868f29a0d7947bd8945dc88ac5aa9f8645f31b8b9374af59318fa6cca76ab7cc07d4cf5ba0101e98a15aebfdcbfb7863143a077e7c
SSDEEP: 1536:cx79lOyt/Qy38O93Zz63ziVZwdso4EXpISV5kXr1QqgDopmO8pThggtpjO3E/FNr:cfzt/53z91YHpJ5kXuZop3a9tpmSK6l
Malware Config

Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies firewall policy service (3 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | unwise_.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | unwise_.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | unwise_.exe |

Windows security bypass (4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | unwise_.exe |
Modifies Windows Firewall (2 TTPs, 7 IoCs)

| pid | Process |
|---|---|
| 376 | netsh.exe |
| 3380 | netsh.exe |
| 4108 | netsh.exe |
| 3256 | netsh.exe |
| 4132 | netsh.exe |
| 1140 | netsh.exe |
| 2240 | netsh.exe |
Deletes itself (1 IoCs)

| pid | Process |
|---|---|
| 4980 | unwise_.exe |

Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 4980 | unwise_.exe |

Windows security modification (4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | unwise_.exe |
Drops file in Windows directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Fonts\unwise_.exe | 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe |
| File opened for modification | C:\Windows\Fonts\unwise_.exe | 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 21 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

| description | ioc | Process |
|---|---|---|
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
Modifies data under HKEY_USERS (8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | unwise_.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | unwise_.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534" | unwise_.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" | unwise_.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | unwise_.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | unwise_.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | unwise_.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: 33 | 4648 | 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe |
| Token: SeIncBasePriorityPrivilege | 4648 | 275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe |
| Token: 33 | 4980 | unwise_.exe |
| Token: SeIncBasePriorityPrivilege | 4980 | unwise_.exe |
| Token: SeBackupPrivilege | 4980 | unwise_.exe |
| Token: SeSecurityPrivilege | 4980 | unwise_.exe |
| Token: SeSecurityPrivilege | 4980 | unwise_.exe |
| Token: SeBackupPrivilege | 4980 | unwise_.exe |
| Token: SeSecurityPrivilege | 4980 | unwise_.exe |
| Token: SeBackupPrivilege | 4980 | unwise_.exe |
| Token: SeSecurityPrivilege | 4980 | unwise_.exe |
Suspicious use of WriteProcessMemory (21 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4980 wrote to memory of 2240 | 4980 | unwise_.exe | 87 |
| PID 4980 wrote to memory of 2240 | 4980 | unwise_.exe | 87 |
| PID 4980 wrote to memory of 2240 | 4980 | unwise_.exe | 87 |
| PID 4980 wrote to memory of 376 | 4980 | unwise_.exe | 89 |
| PID 4980 wrote to memory of 376 | 4980 | unwise_.exe | 89 |
| PID 4980 wrote to memory of 376 | 4980 | unwise_.exe | 89 |
| PID 4980 wrote to memory of 3380 | 4980 | unwise_.exe | 91 |
| PID 4980 wrote to memory of 3380 | 4980 | unwise_.exe | 91 |
| PID 4980 wrote to memory of 3380 | 4980 | unwise_.exe | 91 |
| PID 4980 wrote to memory of 4108 | 4980 | unwise_.exe | 93 |
| PID 4980 wrote to memory of 4108 | 4980 | unwise_.exe | 93 |
| PID 4980 wrote to memory of 4108 | 4980 | unwise_.exe | 93 |
| PID 4980 wrote to memory of 3256 | 4980 | unwise_.exe | 95 |
| PID 4980 wrote to memory of 3256 | 4980 | unwise_.exe | 95 |
| PID 4980 wrote to memory of 3256 | 4980 | unwise_.exe | 95 |
| PID 4980 wrote to memory of 4132 | 4980 | unwise_.exe | 97 |
| PID 4980 wrote to memory of 4132 | 4980 | unwise_.exe | 97 |
| PID 4980 wrote to memory of 4132 | 4980 | unwise_.exe | 97 |
| PID 4980 wrote to memory of 1140 | 4980 | unwise_.exe | 99 |
| PID 4980 wrote to memory of 1140 | 4980 | unwise_.exe | 99 |
| PID 4980 wrote to memory of 1140 | 4980 | unwise_.exe | 99 |
Processes

- C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe (PID 4648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\Fonts\unwise_.exe (PID 4980)
  Command line: "C:\Windows\Fonts\unwise_.exe"
  - Modifies firewall policy service
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Windows security modification
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes of PID 4980:

  - C:\Windows\SysWOW64\netsh.exe (PID 2240)
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\SysWOW64\netsh.exe (PID 376)
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\SysWOW64\netsh.exe (PID 3380)
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\SysWOW64\netsh.exe (PID 4108)
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\SysWOW64\netsh.exe (PID 3256)
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\SysWOW64\netsh.exe (PID 4132)
    Command line: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\SysWOW64\netsh.exe (PID 1140)
    Command line: "C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)