Analysis
-
max time kernel
141s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/07/2024, 21:57
Behavioral task
behavioral1
Sample
64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe
-
Size
724KB
-
MD5
64f1ca665436b6de17efe57a1a0326e3
-
SHA1
d384911a2f53cf307890f6c0788a2124f9114e5f
-
SHA256
5aa6b435bbf4122ecd80e02129bc5629946b470981585bb41aec932e870d202c
-
SHA512
1f79c1399a82d7eedf611e778b9b22f9f26426cb1eb587d00c9797722c47acff5f94d8369af0850f6d1cd6c07ed3c64f34657fe4ec521516e3a2518206a42bbb
-
SSDEEP
12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJT:Q3nbWmJVJFwSddIXvfhqbiaxvRxq9N
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2452 1052 WerFault.exe 28 -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeSecurityPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeSystemtimePrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeBackupPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeRestorePrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeShutdownPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeDebugPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeUndockPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeManageVolumePrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeImpersonatePrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: 33 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: 34 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe Token: 35 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1052 wrote to memory of 2368 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 29 PID 1052 wrote to memory of 2368 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 29 PID 1052 wrote to memory of 2368 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 29 PID 1052 wrote to memory of 2368 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 29 PID 1052 wrote to memory of 2724 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 31 PID 1052 wrote to memory of 2724 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 31 PID 1052 wrote to memory of 2724 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 31 PID 1052 wrote to memory of 2724 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 31 PID 1052 wrote to memory of 2452 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 32 PID 1052 wrote to memory of 2452 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 32 PID 1052 wrote to memory of 2452 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 32 PID 1052 wrote to memory of 2452 1052 64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\64f1ca665436b6de17efe57a1a0326e3_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵PID:2368
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵PID:2724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 6322⤵
- Program crash
PID:2452
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101B
MD53dc3c41cbda9ea24d0b0c921fd1e8fcb
SHA1b689dad610ea2149d3da78344881c68f1afdf260
SHA256a90ce1d0ec528978483ed8eff71957657667398bf126e014ead019a629c7489a
SHA512b972661ed41f5d690684ed9849c247c004b09a2eb875c52951e9c6b28e984e68b67246e7ca9ecdeac925f297aebf774bd17f20f2f5492a297911622b286a1e46
-
Filesize
50B
MD5b774ae3fb1da087e1f83b4f7b2060e5a
SHA197eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701