beefe556c769966d5fb10ffb888c5d4983dce84185ba47ecc5a5ff4b36006d46

Analysis

max time kernel
146s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
Size

1.0MB
MD5

5fc17490c95c2ff2641f5543f3ce1dea
SHA1

d39b139c9cca542f423623f85a8c1833dad34902
SHA256

beefe556c769966d5fb10ffb888c5d4983dce84185ba47ecc5a5ff4b36006d46
SHA512

54eae9e1d2070e133d0e41e1f8d10530ac84aca04d8fb62c5a1e53a5f3ba3d082963b04158ce3a15c3ca425d553e46d1d122bff637aba71f80a86b2434843937
SSDEEP

24576:lPWmOKWvpckja5YOXEbj+Veniiv1gOpJ8Y3Sdr:lP2KWGzxiv12

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3196	msnmsgr.exe
2384	msnmsgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2384	msnmsgr.exe
2384	msnmsgr.exe
2384	msnmsgr.exe
2384	msnmsgr.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\\0.0.0.0\\msnmsgr.exe"	msnmsgr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1556	2384	msnmsgr.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2784	reg.exe
4984	reg.exe
536	reg.exe
3876	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1556	vbc.exe
Token: SeCreateTokenPrivilege	1556	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1556	vbc.exe
Token: SeLockMemoryPrivilege	1556	vbc.exe
Token: SeIncreaseQuotaPrivilege	1556	vbc.exe
Token: SeMachineAccountPrivilege	1556	vbc.exe
Token: SeTcbPrivilege	1556	vbc.exe
Token: SeSecurityPrivilege	1556	vbc.exe
Token: SeTakeOwnershipPrivilege	1556	vbc.exe
Token: SeLoadDriverPrivilege	1556	vbc.exe
Token: SeSystemProfilePrivilege	1556	vbc.exe
Token: SeSystemtimePrivilege	1556	vbc.exe
Token: SeProfSingleProcessPrivilege	1556	vbc.exe
Token: SeIncBasePriorityPrivilege	1556	vbc.exe
Token: SeCreatePagefilePrivilege	1556	vbc.exe
Token: SeCreatePermanentPrivilege	1556	vbc.exe
Token: SeBackupPrivilege	1556	vbc.exe
Token: SeRestorePrivilege	1556	vbc.exe
Token: SeShutdownPrivilege	1556	vbc.exe
Token: SeDebugPrivilege	1556	vbc.exe
Token: SeAuditPrivilege	1556	vbc.exe
Token: SeSystemEnvironmentPrivilege	1556	vbc.exe
Token: SeChangeNotifyPrivilege	1556	vbc.exe
Token: SeRemoteShutdownPrivilege	1556	vbc.exe
Token: SeUndockPrivilege	1556	vbc.exe
Token: SeSyncAgentPrivilege	1556	vbc.exe
Token: SeEnableDelegationPrivilege	1556	vbc.exe
Token: SeManageVolumePrivilege	1556	vbc.exe
Token: SeImpersonatePrivilege	1556	vbc.exe
Token: SeCreateGlobalPrivilege	1556	vbc.exe
Token: 31	1556	vbc.exe
Token: 32	1556	vbc.exe
Token: 33	1556	vbc.exe
Token: 34	1556	vbc.exe
Token: 35	1556	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1556	vbc.exe
1556	vbc.exe
1556	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3196	3064	5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe	85
PID 3064 wrote to memory of 3196	3064	5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe	85
PID 3064 wrote to memory of 3196	3064	5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe	85
PID 3196 wrote to memory of 2384	3196	msnmsgr.exe	86
PID 3196 wrote to memory of 2384	3196	msnmsgr.exe	86
PID 3196 wrote to memory of 2384	3196	msnmsgr.exe	86
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 2384 wrote to memory of 1556	2384	msnmsgr.exe	89
PID 1556 wrote to memory of 2548	1556	vbc.exe	90
PID 1556 wrote to memory of 2548	1556	vbc.exe	90
PID 1556 wrote to memory of 2548	1556	vbc.exe	90
PID 1556 wrote to memory of 4944	1556	vbc.exe	91
PID 1556 wrote to memory of 4944	1556	vbc.exe	91
PID 1556 wrote to memory of 4944	1556	vbc.exe	91
PID 1556 wrote to memory of 1324	1556	vbc.exe	92
PID 1556 wrote to memory of 1324	1556	vbc.exe	92
PID 1556 wrote to memory of 1324	1556	vbc.exe	92
PID 1556 wrote to memory of 1948	1556	vbc.exe	93
PID 1556 wrote to memory of 1948	1556	vbc.exe	93
PID 1556 wrote to memory of 1948	1556	vbc.exe	93
PID 4944 wrote to memory of 2784	4944	cmd.exe	98
PID 4944 wrote to memory of 2784	4944	cmd.exe	98
PID 4944 wrote to memory of 2784	4944	cmd.exe	98
PID 1948 wrote to memory of 4984	1948	cmd.exe	99
PID 1948 wrote to memory of 4984	1948	cmd.exe	99
PID 1948 wrote to memory of 4984	1948	cmd.exe	99
PID 1324 wrote to memory of 536	1324	cmd.exe	100
PID 1324 wrote to memory of 536	1324	cmd.exe	100
PID 1324 wrote to memory of 536	1324	cmd.exe	100
PID 2548 wrote to memory of 3876	2548	cmd.exe	101
PID 2548 wrote to memory of 3876	2548	cmd.exe	101
PID 2548 wrote to memory of 3876	2548	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fc17490c95c2ff2641f5543f3ce1dea_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
  "C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\msnmsgr.exe
    C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\msnmsgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\msnmsgr.exe.log

Filesize
411B

MD5
b75d63217c5d10a12e60be6d73af5e9a

SHA1
d25477a0a74ec499326e7db6c1f962f8fe77b818

SHA256
fa5feaf188800d777889d204daa15cff40715badfd65ddf0a818b9d130378e11

SHA512
07f390be438c0542b40984ce43b33aac495fe2eb7e564d415ed296783704fc6d3946eea24ec6c86a88e7a742c100c30e56a9c5e4d8eee2a5efe936126a615273

Download Submit
C:\Users\Admin\AppData\Local\Temp\User32.dll

Filesize
18KB

MD5
5fa07d6c6384d703766d7935de68850e

SHA1
62f28a572b4d1d359db7017235912ad2599b8c1d

SHA256
120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

SHA512
7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe

Filesize
760KB

MD5
43cad5f1c98c84a4bd4b9825e7ce1cbb

SHA1
1e37248419ac06e1cefd5238c7e5945af41ee3eb

SHA256
c704cf2ac3792a28a7b325e28bbd839a7a9cd3ebe950f42487b7f4dab8757cba

SHA512
d8e3d1fc5a06fe0cf50ce980b4ff7f3c56c33464a759f7a215482ee66e0a524e0975db0b3116ef53d04df41d674df3a07d6badb9dd36b99f12aaa5e048191e02

Download Submit
memory/1556-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-59-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-62-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-61-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-60-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-56-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-53-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1556-51-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-45-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/2384-32-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/2384-31-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3064-1-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3064-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/3064-2-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3064-16-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3196-48-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3196-17-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3196-18-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/3196-27-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads