a261915e7b2253e3ac0291a1e2e9d45c57874e0d67a4590893cc27757ed06b40

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 23:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe
Size

897KB
MD5

71b4dcefce1e1a8cc945ee91363e042d
SHA1

49b12d852c36458193304a99aac52d310decfde6
SHA256

a261915e7b2253e3ac0291a1e2e9d45c57874e0d67a4590893cc27757ed06b40
SHA512

8479c7cba275c1c9947c1850d39651da6c3cfdada217ad6436be83a815c62de31c839ccfd6b046553b7d32ce7a64338330919f21f17c4c3721e4097986b65a87
SSDEEP

12288:20k8tylIiSxqjrrrBY5x1uS2NlrWCcTrYoHJNYSbFNNC/Wd3f9nXKBVLs/M+ULzD:2ODiHrrrmFqK/fbHtE/uPQTuNUL

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Msnmsgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Msnmsgr.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bindtomicrosoft office.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bindtomicrosoft office.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
5072	Msnmsgr.exe
4176	Msnmsgr.exe
452	Msnmsgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Msnmsgr = "C:\\Users\\Admin\\AppData\\Roaming\\Msnmsgr.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 4176	5072	Msnmsgr.exe	91
PID 5072 set thread context of 452	5072	Msnmsgr.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2192	reg.exe
4768	reg.exe
672	reg.exe
4480	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	4176	Msnmsgr.exe
Token: SeCreateTokenPrivilege	4176	Msnmsgr.exe
Token: SeAssignPrimaryTokenPrivilege	4176	Msnmsgr.exe
Token: SeLockMemoryPrivilege	4176	Msnmsgr.exe
Token: SeIncreaseQuotaPrivilege	4176	Msnmsgr.exe
Token: SeMachineAccountPrivilege	4176	Msnmsgr.exe
Token: SeTcbPrivilege	4176	Msnmsgr.exe
Token: SeSecurityPrivilege	4176	Msnmsgr.exe
Token: SeTakeOwnershipPrivilege	4176	Msnmsgr.exe
Token: SeLoadDriverPrivilege	4176	Msnmsgr.exe
Token: SeSystemProfilePrivilege	4176	Msnmsgr.exe
Token: SeSystemtimePrivilege	4176	Msnmsgr.exe
Token: SeProfSingleProcessPrivilege	4176	Msnmsgr.exe
Token: SeIncBasePriorityPrivilege	4176	Msnmsgr.exe
Token: SeCreatePagefilePrivilege	4176	Msnmsgr.exe
Token: SeCreatePermanentPrivilege	4176	Msnmsgr.exe
Token: SeBackupPrivilege	4176	Msnmsgr.exe
Token: SeRestorePrivilege	4176	Msnmsgr.exe
Token: SeShutdownPrivilege	4176	Msnmsgr.exe
Token: SeDebugPrivilege	4176	Msnmsgr.exe
Token: SeAuditPrivilege	4176	Msnmsgr.exe
Token: SeSystemEnvironmentPrivilege	4176	Msnmsgr.exe
Token: SeChangeNotifyPrivilege	4176	Msnmsgr.exe
Token: SeRemoteShutdownPrivilege	4176	Msnmsgr.exe
Token: SeUndockPrivilege	4176	Msnmsgr.exe
Token: SeSyncAgentPrivilege	4176	Msnmsgr.exe
Token: SeEnableDelegationPrivilege	4176	Msnmsgr.exe
Token: SeManageVolumePrivilege	4176	Msnmsgr.exe
Token: SeImpersonatePrivilege	4176	Msnmsgr.exe
Token: SeCreateGlobalPrivilege	4176	Msnmsgr.exe
Token: 31	4176	Msnmsgr.exe
Token: 32	4176	Msnmsgr.exe
Token: 33	4176	Msnmsgr.exe
Token: 34	4176	Msnmsgr.exe
Token: 35	4176	Msnmsgr.exe
Token: SeDebugPrivilege	452	Msnmsgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe
5072	Msnmsgr.exe
4176	Msnmsgr.exe
4176	Msnmsgr.exe
452	Msnmsgr.exe
4176	Msnmsgr.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 940	3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe	85
PID 3264 wrote to memory of 940	3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe	85
PID 3264 wrote to memory of 940	3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe	85
PID 940 wrote to memory of 320	940	cmd.exe	88
PID 940 wrote to memory of 320	940	cmd.exe	88
PID 940 wrote to memory of 320	940	cmd.exe	88
PID 3264 wrote to memory of 5072	3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe	90
PID 3264 wrote to memory of 5072	3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe	90
PID 3264 wrote to memory of 5072	3264	71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe	90
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 4176	5072	Msnmsgr.exe	91
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 5072 wrote to memory of 452	5072	Msnmsgr.exe	92
PID 4176 wrote to memory of 3516	4176	Msnmsgr.exe	94
PID 4176 wrote to memory of 3516	4176	Msnmsgr.exe	94
PID 4176 wrote to memory of 3516	4176	Msnmsgr.exe	94
PID 4176 wrote to memory of 4664	4176	Msnmsgr.exe	95
PID 4176 wrote to memory of 4664	4176	Msnmsgr.exe	95
PID 4176 wrote to memory of 4664	4176	Msnmsgr.exe	95
PID 4176 wrote to memory of 5092	4176	Msnmsgr.exe	96
PID 4176 wrote to memory of 5092	4176	Msnmsgr.exe	96
PID 4176 wrote to memory of 5092	4176	Msnmsgr.exe	96
PID 4176 wrote to memory of 3988	4176	Msnmsgr.exe	97
PID 4176 wrote to memory of 3988	4176	Msnmsgr.exe	97
PID 4176 wrote to memory of 3988	4176	Msnmsgr.exe	97
PID 5092 wrote to memory of 2192	5092	cmd.exe	102
PID 5092 wrote to memory of 2192	5092	cmd.exe	102
PID 5092 wrote to memory of 2192	5092	cmd.exe	102
PID 3516 wrote to memory of 4768	3516	cmd.exe	103
PID 3516 wrote to memory of 4768	3516	cmd.exe	103
PID 3516 wrote to memory of 4768	3516	cmd.exe	103
PID 4664 wrote to memory of 672	4664	cmd.exe	104
PID 4664 wrote to memory of 672	4664	cmd.exe	104
PID 4664 wrote to memory of 672	4664	cmd.exe	104
PID 3988 wrote to memory of 4480	3988	cmd.exe	105
PID 3988 wrote to memory of 4480	3988	cmd.exe	105
PID 3988 wrote to memory of 4480	3988	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71b4dcefce1e1a8cc945ee91363e042d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kdsQA.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Msnmsgr" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Msnmsgr.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:320
- C:\Users\Admin\AppData\Roaming\Msnmsgr.exe
  "C:\Users\Admin\AppData\Roaming\Msnmsgr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Roaming\Msnmsgr.exe
    C:\Users\Admin\AppData\Roaming\Msnmsgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Msnmsgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Msnmsgr.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Msnmsgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Msnmsgr.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bindtomicrosoft office.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bindtomicrosoft office.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bindtomicrosoft office.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bindtomicrosoft office.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4480
- - C:\Users\Admin\AppData\Roaming\Msnmsgr.exe
    C:\Users\Admin\AppData\Roaming\Msnmsgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdsQA.bat

Filesize
134B

MD5
42604967a8f810bffb361cec25fdd9a5

SHA1
f28921b6e0fb28d6399af79a6dfecb33816d6d64

SHA256
ef93fd6174b2d99eb3974896c93d3ab77454018a279a9f10179333d73e5d4f33

SHA512
328d8f99a18566ead3d3523122eae1d4ff34705eb8da598b06144634cfbac1873b99abb564224a7dfa5ec53af32938ca6e2710f7249175e702ef4e389c5f7d8f

Download Submit
C:\Users\Admin\AppData\Roaming\Msnmsgr.exe

Filesize
897KB

MD5
71b4dcefce1e1a8cc945ee91363e042d

SHA1
49b12d852c36458193304a99aac52d310decfde6

SHA256
a261915e7b2253e3ac0291a1e2e9d45c57874e0d67a4590893cc27757ed06b40

SHA512
8479c7cba275c1c9947c1850d39651da6c3cfdada217ad6436be83a815c62de31c839ccfd6b046553b7d32ce7a64338330919f21f17c4c3721e4097986b65a87

Download Submit
memory/452-37-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/452-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/452-31-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/452-35-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/452-36-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/452-34-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3264-20-0x0000000000400000-0x0000000000D3F000-memory.dmp

Filesize
9.2MB

Download
memory/3264-0-0x0000000000400000-0x0000000000D3F000-memory.dmp

Filesize
9.2MB

Download
memory/4176-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4176-23-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4176-44-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4176-46-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4176-48-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4176-59-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5072-43-0x0000000000400000-0x0000000000D3F000-memory.dmp

Filesize
9.2MB

Download
memory/5072-18-0x0000000000400000-0x0000000000D3F000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads