54d4b81b529fe9ef2e1b091f819bd803c10223a1651fa74a73aa6efca03e696d

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 15:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Size

352KB
MD5

5c92043f41ab489d9a1bb797cd3316ee
SHA1

6148c67ecb92bf90b260a50d9b0b6589ae526173
SHA256

54d4b81b529fe9ef2e1b091f819bd803c10223a1651fa74a73aa6efca03e696d
SHA512

4bd622244c7792c954e5c3a89080e292f22b1613a1c6736c4a3fb5445ef0fa0119544956927fd553600e6ae7fcbcfb70619a81de7a61dfdb89f671b556e6231e
SSDEEP

6144:AOQph/0d8DY/HaTTJ29lxV3QXH6Q7OMGB0K350VWw9CY7WWyZ/08oYqx+OWnKlAG:A5PvYvPQXaQSMEC05YqWyZ/0DoviACuN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\dvd.exe = "C:\\Users\\Admin\\AppData\\Roaming\\dvd.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dvd.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\dvd.exe"	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3484	reg.exe
1428	reg.exe
1528	reg.exe
3512	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\dvd.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: 1	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeTcbPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeSecurityPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeBackupPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeRestorePrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeShutdownPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeDebugPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeAuditPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeUndockPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: 31	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: 32	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: 33	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: 34	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
Token: 35	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2584	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	84
PID 3028 wrote to memory of 2584	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	84
PID 3028 wrote to memory of 2584	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	84
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 3356	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	85
PID 3028 wrote to memory of 2596	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	86
PID 3028 wrote to memory of 2596	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	86
PID 3028 wrote to memory of 2596	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	86
PID 3356 wrote to memory of 3896	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	89
PID 3356 wrote to memory of 3896	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	89
PID 3356 wrote to memory of 3896	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	89
PID 3356 wrote to memory of 4468	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	90
PID 3356 wrote to memory of 4468	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	90
PID 3356 wrote to memory of 4468	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	90
PID 3356 wrote to memory of 3956	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	91
PID 3356 wrote to memory of 3956	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	91
PID 3356 wrote to memory of 3956	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	91
PID 3356 wrote to memory of 4404	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	92
PID 3356 wrote to memory of 4404	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	92
PID 3356 wrote to memory of 4404	3356	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	92
PID 3028 wrote to memory of 2656	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	97
PID 3028 wrote to memory of 2656	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	97
PID 3028 wrote to memory of 2656	3028	5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe	97
PID 3896 wrote to memory of 3484	3896	cmd.exe	100
PID 3896 wrote to memory of 3484	3896	cmd.exe	100
PID 3896 wrote to memory of 3484	3896	cmd.exe	100
PID 4404 wrote to memory of 1528	4404	cmd.exe	101
PID 4404 wrote to memory of 1528	4404	cmd.exe	101
PID 4404 wrote to memory of 1528	4404	cmd.exe	101
PID 3956 wrote to memory of 3512	3956	cmd.exe	102
PID 3956 wrote to memory of 3512	3956	cmd.exe	102
PID 3956 wrote to memory of 3512	3956	cmd.exe	102
PID 4468 wrote to memory of 1428	4468	cmd.exe	99
PID 4468 wrote to memory of 1428	4468	cmd.exe	99
PID 4468 wrote to memory of 1428	4468	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
  5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
  5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5c92043f41ab489d9a1bb797cd3316ee_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\dvd.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dvd.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\dvd.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\dvd.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1528
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - NTFS ADS
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\xCocaine.txt

Filesize
352KB

MD5
5c92043f41ab489d9a1bb797cd3316ee

SHA1
6148c67ecb92bf90b260a50d9b0b6589ae526173

SHA256
54d4b81b529fe9ef2e1b091f819bd803c10223a1651fa74a73aa6efca03e696d

SHA512
4bd622244c7792c954e5c3a89080e292f22b1613a1c6736c4a3fb5445ef0fa0119544956927fd553600e6ae7fcbcfb70619a81de7a61dfdb89f671b556e6231e

Download Submit
memory/3028-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-15-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3356-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3356-5-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads