Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 22:33
Behavioral tasks
behavioral1: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe on win7-20240704-en
behavioral2: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe on win10v2004-20240709-en (the run reported below)
General
Target: 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe
Size: 646KB
MD5: 650fd80f02974f7c046b055e09900e8a
SHA1: 22e282ca1ce25dfa1aa52abd4148acb7aa6e5182
SHA256: a8b1e96d76313463404f4f11820f7c8a2110ec44133a2a59e04a1e62ad6e1976
SHA512: 9cde349b9a1fe44f9f98b569d855a5486e68a155347f043ce8876793d720e709fc8fd73213f7bbbe1fb00a16e67e1c4a2c8cf1c7ca5b050fa481fadda8156fd1
SSDEEP: 12288:r8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixk:IUKoN0bUxgGa/pfBHDb+y1HgZ+
Malware Config: none extracted

Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
The sample appends its dropped copy to the Winlogon UserInit value, so winlogon.exe starts msdcsc.exe right after userinit.exe at every interactive logon; this survives a clean-up that only looks at Run keys.
Set value (str) by 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried by 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe:
\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
PID 3532: msdcsc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe:
\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext (1 IoC)
PID 3532 (msdcsc.exe) set the thread context of PID 3724 (iexplore.exe); procid_target 87
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All three processes enable the same privileges in the same order, which is what a loop that switches on every privilege present in the token produces. That iexplore.exe does this too, immediately after msdcsc.exe wrote to it and set its thread context, shows the injected code rather than Internet Explorer is running in PID 3724. The numeric entries are privilege LUIDs the sandbox did not resolve to a name.

PID 1056, 650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe (24 tokens):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

PID 3532, msdcsc.exe (24 tokens):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

PID 3724, iexplore.exe (16 tokens):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
PID 3724: iexplore.exe
Suspicious use of WriteProcessMemory (8 IoCs)
PID 1056 (650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe) wrote to memory of PID 3532, procid_target 86: 3 events
PID 3532 (msdcsc.exe) wrote to memory of PID 3724, procid_target 87: 5 events
Processes

1. "C:\Users\Admin\AppData\Local\Temp\650fd80f02974f7c046b055e09900e8a_JaffaCakes118.exe" (PID 1056)
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe" (PID 3532)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (PID 3724)
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 646KB
MD5: 650fd80f02974f7c046b055e09900e8a
SHA1: 22e282ca1ce25dfa1aa52abd4148acb7aa6e5182
SHA256: a8b1e96d76313463404f4f11820f7c8a2110ec44133a2a59e04a1e62ad6e1976
SHA512: 9cde349b9a1fe44f9f98b569d855a5486e68a155347f043ce8876793d720e709fc8fd73213f7bbbe1fb00a16e67e1c4a2c8cf1c7ca5b050fa481fadda8156fd1