Analysis
  max time kernel: 149s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 22/07/2024, 22:33
Behavioral task behavioral1
  Sample: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task behavioral2
  Sample: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
  Target: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
  Size: 646KB
  MD5: 650fd80f02974f7c046b055e09900e8a
  SHA1: 22e282ca1ce25dfa1aa52abd4148acb7aa6e5182
  SHA256: a8b1e96d76313463404f4f11820f7c8a2110ec44133a2a59e04a1e62ad6e1976
  SHA512: 9cde349b9a1fe44f9f98b569d855a5486e68a155347f043ce8876793d720e709fc8fd73213f7bbbe1fb00a16e67e1c4a2c8cf1c7ca5b050fa481fadda8156fd1
  SSDEEP: 12288:r8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixk:IUKoN0bUxgGa/pfBHDb+y1HgZ+
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
  Winlogon launches every comma-separated entry in UserInit at each interactive logon, before the shell. The stock value is "C:\Windows\system32\userinit.exe," (trailing comma, nothing after it); the appended path makes msdcsc.exe a logon-time launcher for every user of the machine. Writing this HKLM value requires administrative rights.
Executes dropped EXE (1 IoC)
  PID 2400: msdcsc.exe
Loads dropped DLL (2 IoCs)
  PID 2392: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe (two loads; the report does not name the DLLs)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
  This is the sandbox user's HKCU Run key (S-1-5-21-...-1000), so the same dropped executable is started a second way at that user's logon, from a user-writable directory under Documents.
Suspicious use of SetThreadContext (1 IoC)
  PID 2400 (msdcsc.exe) set thread context of PID 1976 (iexplore.exe, procid_target 31)
  Resetting the initial thread's context in a process you have just created and written into is the final step of process hollowing: the new entry point is set to the code that was written in, and iexplore.exe becomes a host for the dropped payload.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2392 (650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe) enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2400 (msdcsc.exe) enabled: the same 23 privileges, in the same order
  PID 1976 (iexplore.exe) enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (the report stops at 64 entries in total)
  The unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege in one sweep is the "enable all" loop; AdjustTokenPrivileges can only enable privileges the token already holds, so the list reflects an administrator token. That the hollowed iexplore.exe performs the identical sweep is a further sign that the injected code, not Internet Explorer, is what runs in PID 1976.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1976 (iexplore.exe)
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2392 (650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe) wrote to memory of PID 2400 (procid_target 30): 4 calls
  PID 2400 (msdcsc.exe) wrote to memory of PID 1976 (procid_target 31): 6 calls
  A parent writing into a child it has just created is normal CreateProcess behaviour (the process parameters are written into the new process), so the 2392 -> 2400 entries are not evidence on their own. The 2400 -> 1976 writes combined with the SetThreadContext call on the same target are the hollowing pattern.
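The SetThreadContext and WriteProcessMemory signatures are more useful read together than separately. The Python below is an added example, not part of the sandbox report or its vendor's tooling: it parses IoC lines in the textual form the report prints (the line format and the PID-to-image map are taken from this report; treating that format as stable is an assumption), collapses the repeated per-call lines into one record per source/target pair, and flags only the pairs where the source both wrote into the target and reset its thread context.

```python
"""Collapse SetThreadContext / WriteProcessMemory IoC lines from a sandbox
report into per-pair records and flag the process-hollowing pattern.

Added example; not part of the report. The line format is the one the report
prints ("PID <src> <action> <dst> <src> <src image> <procid_target>") and the
PID-to-image map is taken from its process tree.
"""
import re
from collections import defaultdict

# Constructed sample input: the IoC lines from the two signatures above,
# verbatim (the report repeats a WriteProcessMemory line once per call).
IOC_LINES = """
PID 2400 set thread context of 1976 2400 msdcsc.exe 31
PID 2392 wrote to memory of 2400 2392 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2400 2392 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2400 2392 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe 30
PID 2392 wrote to memory of 2400 2392 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe 30
PID 2400 wrote to memory of 1976 2400 msdcsc.exe 31
PID 2400 wrote to memory of 1976 2400 msdcsc.exe 31
PID 2400 wrote to memory of 1976 2400 msdcsc.exe 31
PID 2400 wrote to memory of 1976 2400 msdcsc.exe 31
PID 2400 wrote to memory of 1976 2400 msdcsc.exe 31
PID 2400 wrote to memory of 1976 2400 msdcsc.exe 31
"""

# PID -> image, from the report's process tree.
IMAGES = {
    2392: "650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe",
    2400: "msdcsc.exe",
    1976: "iexplore.exe",
}

IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_ioc_lines(text: str):
    """Yield (src_pid, action, dst_pid, src_image) for each recognised line;
    lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["action"], int(m["dst"]), m["image"]


def summarize(text: str) -> dict:
    """One record per (src_pid, dst_pid): source image, number of writes, and
    whether the source also reset a thread context in the target."""
    summary = defaultdict(lambda: {"image": None, "writes": 0, "set_context": False})
    for src, action, dst, image in parse_ioc_lines(text):
        rec = summary[(src, dst)]
        rec["image"] = image
        if action == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return dict(summary)


def hollowing_candidates(text: str, images: dict) -> list:
    """(source image, target image, write count) for every pair where the
    source both wrote into the target and reset its thread context. A parent
    that only writes into a child it has just created (2392 -> 2400 here) is
    normal CreateProcess behaviour and is not flagged on its own."""
    hits = []
    for (src, dst), rec in summarize(text).items():
        if rec["set_context"] and rec["writes"] > 0:
            hits.append((rec["image"], images.get(dst, str(dst)), rec["writes"]))
    return hits


if __name__ == "__main__":
    for src_image, dst_image, writes in hollowing_candidates(IOC_LINES, IMAGES):
        print(f"{src_image} -> {dst_image}: {writes} writes + SetThreadContext")
```

On this report the only flagged pair is msdcsc.exe -> iexplore.exe with six writes; the four writes from the sample into msdcsc.exe are summarised but not flagged, because no SetThreadContext accompanies them.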
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe"
  PID: 2392
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    PID: 2400
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1976
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 646KB
  MD5: 650fd80f02974f7c046b055e09900e8a
  SHA1: 22e282ca1ce25dfa1aa52abd4148acb7aa6e5182
  SHA256: a8b1e96d76313463404f4f11820f7c8a2110ec44133a2a59e04a1e62ad6e1976
  SHA512: 9cde349b9a1fe44f9f98b569d855a5486e68a155347f043ce8876793d720e709fc8fd73213f7bbbe1fb00a16e67e1c4a2c8cf1c7ca5b050fa481fadda8156fd1
  (same size and hashes as the submitted sample)