Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
Size: 484KB
MD5: 641eee36a837e78938443a37bdba829f
SHA1: 6a270b234c96d1102ede2082ad51a7c9285c749b
SHA256: 5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34
SHA512: 2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c
SSDEEP: 6144:8NvQ7ettISBED2zX5AhGU+CLfu5qPZkGSRuq0ud:8NDgSBED27OhqmLSGSRx
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  1244 | msdcsc.exe
  3644 | msdcsc.exe
UPX YARA rule matches (12 IoCs)
  resource | yara_rule
  behavioral2/memory/3624-3-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3624-4-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3624-6-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3624-7-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3624-8-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3624-9-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3624-70-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3644-81-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3644-80-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3644-79-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3644-84-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
  behavioral2/memory/3644-82-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2832 set thread context of 3624 | 2832 | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | 84
  PID 1244 set thread context of 3644 | 1244 | msdcsc.exe | 92
  PID 3644 set thread context of 3828 | 3644 | msdcsc.exe | 93
  PID 3828 set thread context of 1624 | 3828 | iexplore.exe | 94
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
Runs ping.exe (1 TTPs, 1 IoC)
  pid | Process
  4376 | PING.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens adjusted, grouped by pid / Process:
  3624 / 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe (24 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  3644 / msdcsc.exe (24 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  1624 / iexplore.exe (16 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2832 | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  1244 | msdcsc.exe
  3828 | iexplore.exe
  1624 | iexplore.exe
Suspicious use of WriteProcessMemory (38 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 2832 wrote to memory of 3624 | 2832 | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | 84 | 8
  PID 3624 wrote to memory of 1192 | 3624 | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | 87 | 3
  PID 1192 wrote to memory of 4376 | 1192 | cmd.exe | 89 | 3
  PID 3624 wrote to memory of 1244 | 3624 | 641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | 91 | 3
  PID 1244 wrote to memory of 3644 | 1244 | msdcsc.exe | 92 | 8
  PID 3644 wrote to memory of 3828 | 3644 | msdcsc.exe | 93 | 5
  PID 3828 wrote to memory of 1624 | 3828 | iexplore.exe | 94 | 8
Processes
(indentation shows parent/child relationship; the numbered depth markers from the original listing are reproduced as nesting)

C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
  PID: 2832
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
    PID: 3624
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
      PID: 1192
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 4
        PID: 4376
        - Runs ping.exe

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 1244
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        PID: 3644
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 3828
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 1624
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 484KB
MD5: 641eee36a837e78938443a37bdba829f
SHA1: 6a270b234c96d1102ede2082ad51a7c9285c749b
SHA256: 5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34
SHA512: 2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c