Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 17:33
Static task
- static1
Behavioral task
- behavioral1
  Sample: 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task
- behavioral2
  Sample: 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
- Size: 484KB
- MD5: 641eee36a837e78938443a37bdba829f
- SHA1: 6a270b234c96d1102ede2082ad51a7c9285c749b
- SHA256: 5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34
- SHA512: 2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c
- SSDEEP: 6144:8NvQ7ettISBED2zX5AhGU+CLfu5qPZkGSRuq0ud:8NDgSBED27OhqmLSGSRx
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  PID 2004 cmd.exe
- Executes dropped EXE (2 IoCs)
  PID 2696 msdcsc.exe
  PID 2712 msdcsc.exe
- Loads dropped DLL (3 IoCs)
  PID 2476 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  PID 2476 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  PID 2696 msdcsc.exe
- YARA rule match (yara_rule: upx) on memory dumps
  behavioral1/memory/2476-5-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-13-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-12-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-10-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-7-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-14-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-16-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-15-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-17-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2476-30-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2712-46-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2712-45-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2712-44-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2712-47-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral1/memory/2712-52-0x0000000000400000-0x00000000004B6000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by msdcsc.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 2956 (641eee36a837e78938443a37bdba829f_JaffaCakes118.exe) set thread context of 2476 (procid_target 31)
  PID 2696 (msdcsc.exe) set thread context of 2712 (procid_target 36)
  PID 2712 (msdcsc.exe) set thread context of 2200 (procid_target 37)
  PID 2200 (iexplore.exe) set thread context of 2720 (procid_target 38)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
  PID 2644 PING.EXE
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2476 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2712 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2956 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  PID 2696 msdcsc.exe
  PID 2200 iexplore.exe
- Suspicious use of WriteProcessMemory (39 IoCs; repeated entries collapsed to a count)
  PID 2956 (641eee36a837e78938443a37bdba829f_JaffaCakes118.exe) wrote to memory of 2476 (procid_target 31): 8 times
  PID 2476 (641eee36a837e78938443a37bdba829f_JaffaCakes118.exe) wrote to memory of 2004 (procid_target 32): 4 times
  PID 2004 (cmd.exe) wrote to memory of 2644 (procid_target 34): 4 times
  PID 2476 (641eee36a837e78938443a37bdba829f_JaffaCakes118.exe) wrote to memory of 2696 (procid_target 35): 4 times
  PID 2696 (msdcsc.exe) wrote to memory of 2712 (procid_target 36): 8 times
  PID 2712 (msdcsc.exe) wrote to memory of 2200 (procid_target 37): 6 times
  PID 2200 (iexplore.exe) wrote to memory of 2720 (procid_target 38): 5 times
Processes
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe (level 1, PID 2956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe (level 2, PID 2476)
    Command line: C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3, PID 2004)
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (level 4, PID 2644)
        Command line: ping 127.0.0.1 -n 4
        - Runs ping.exe
    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 3, PID 2696)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 4, PID 2712)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 5, PID 2200)
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 6, PID 2720)
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 484KB
- MD5: 641eee36a837e78938443a37bdba829f
- SHA1: 6a270b234c96d1102ede2082ad51a7c9285c749b
- SHA256: 5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34
- SHA512: 2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c