Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
09-08-2024 21:46
Behavioral task
behavioral1
Sample
83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
19 signatures
150 seconds
General
-
Target
83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe
-
Size
912KB
-
MD5
83aaee69716dda7b17faa2d36ea38822
-
SHA1
12ba999ca951b9f2154ab388039c20e364e56b25
-
SHA256
6547d234fd9c2d92380a8c60eaa0e30b0c253b20870d3eaafc371f51bd46303a
-
SHA512
cff941de4e85adcdf62e3088c358a374b4f2ac5219a438663ebd7e84b1c0693532cda54ebae9b6f687ae582cea2c727f56be0744232f25f041cfeb807a2c584b
-
SSDEEP
12288:m8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1r/re:zUKoN0bUxgGa/pfBHDb+y1L
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe" 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1940 attrib.exe 1700 attrib.exe -
Executes dropped EXE 1 IoCs
pid Process 2672 msdcsc.exe -
Loads dropped DLL 2 IoCs
pid Process 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/3032-0-0x0000000000400000-0x00000000004E6000-memory.dmp upx behavioral1/files/0x0008000000016d02-5.dat upx behavioral1/memory/3032-7-0x00000000042A0000-0x0000000004386000-memory.dmp upx behavioral1/memory/3032-13-0x0000000000400000-0x00000000004E6000-memory.dmp upx behavioral1/memory/2672-16-0x0000000000400000-0x00000000004E6000-memory.dmp upx -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater = "C:\\MSDCSC\\msdcsc.exe" 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater = "C:\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater = "C:\\MSDCSC\\msdcsc.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2672 set thread context of 2696 2672 msdcsc.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2696 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeSecurityPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeLoadDriverPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeSystemProfilePrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeSystemtimePrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeBackupPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeRestorePrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeShutdownPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeDebugPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeUndockPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeManageVolumePrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeImpersonatePrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: 33 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: 34 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: 35 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2672 msdcsc.exe Token: SeSecurityPrivilege 2672 msdcsc.exe Token: SeTakeOwnershipPrivilege 2672 msdcsc.exe Token: SeLoadDriverPrivilege 2672 msdcsc.exe Token: SeSystemProfilePrivilege 2672 msdcsc.exe Token: SeSystemtimePrivilege 2672 msdcsc.exe Token: SeProfSingleProcessPrivilege 2672 msdcsc.exe Token: SeIncBasePriorityPrivilege 2672 msdcsc.exe Token: SeCreatePagefilePrivilege 2672 msdcsc.exe Token: SeBackupPrivilege 2672 msdcsc.exe Token: SeRestorePrivilege 2672 msdcsc.exe Token: SeShutdownPrivilege 2672 msdcsc.exe Token: SeDebugPrivilege 2672 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2672 msdcsc.exe Token: SeChangeNotifyPrivilege 2672 msdcsc.exe Token: SeRemoteShutdownPrivilege 2672 msdcsc.exe Token: SeUndockPrivilege 2672 msdcsc.exe Token: SeManageVolumePrivilege 2672 msdcsc.exe Token: SeImpersonatePrivilege 2672 msdcsc.exe Token: SeCreateGlobalPrivilege 2672 msdcsc.exe Token: 33 2672 msdcsc.exe Token: 34 2672 msdcsc.exe Token: 35 2672 msdcsc.exe Token: SeIncreaseQuotaPrivilege 2696 iexplore.exe Token: SeSecurityPrivilege 2696 iexplore.exe Token: SeTakeOwnershipPrivilege 2696 iexplore.exe Token: SeLoadDriverPrivilege 2696 iexplore.exe Token: SeSystemProfilePrivilege 2696 iexplore.exe Token: SeSystemtimePrivilege 2696 iexplore.exe Token: SeProfSingleProcessPrivilege 2696 iexplore.exe Token: SeIncBasePriorityPrivilege 2696 iexplore.exe Token: SeCreatePagefilePrivilege 2696 iexplore.exe Token: SeBackupPrivilege 2696 iexplore.exe Token: SeRestorePrivilege 2696 iexplore.exe Token: SeShutdownPrivilege 2696 iexplore.exe Token: SeDebugPrivilege 2696 iexplore.exe Token: SeSystemEnvironmentPrivilege 2696 iexplore.exe Token: SeChangeNotifyPrivilege 2696 iexplore.exe Token: SeRemoteShutdownPrivilege 2696 iexplore.exe Token: SeUndockPrivilege 2696 iexplore.exe Token: SeManageVolumePrivilege 2696 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2696 iexplore.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3032 wrote to memory of 1312 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 30 PID 3032 wrote to memory of 1312 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 30 PID 3032 wrote to memory of 1312 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 30 PID 3032 wrote to memory of 1312 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 30 PID 3032 wrote to memory of 2444 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 31 PID 3032 wrote to memory of 2444 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 31 PID 3032 wrote to memory of 2444 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 31 PID 3032 wrote to memory of 2444 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 31 PID 2444 wrote to memory of 1700 2444 cmd.exe 35 PID 2444 wrote to memory of 1700 2444 cmd.exe 35 PID 2444 wrote to memory of 1700 2444 cmd.exe 35 PID 2444 wrote to memory of 1700 2444 cmd.exe 35 PID 1312 wrote to memory of 1940 1312 cmd.exe 34 PID 1312 wrote to memory of 1940 1312 cmd.exe 34 PID 1312 wrote to memory of 1940 1312 cmd.exe 34 PID 1312 wrote to memory of 1940 1312 cmd.exe 34 PID 3032 wrote to memory of 2672 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 36 PID 3032 wrote to memory of 2672 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 36 PID 3032 wrote to memory of 2672 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 36 PID 3032 wrote to memory of 2672 3032 83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe 36 PID 2672 wrote to memory of 2696 2672 msdcsc.exe 37 PID 2672 wrote to memory of 2696 2672 msdcsc.exe 37 PID 2672 wrote to memory of 2696 2672 msdcsc.exe 37 PID 2672 wrote to memory of 2696 2672 msdcsc.exe 37 PID 2672 wrote to memory of 2696 2672 msdcsc.exe 37 PID 2672 wrote to memory of 2696 2672 msdcsc.exe 37 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1940 attrib.exe 1700 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\83aaee69716dda7b17faa2d36ea38822_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1940
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1700
-
-
-
C:\MSDCSC\msdcsc.exe"C:\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2696
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
912KB
MD583aaee69716dda7b17faa2d36ea38822
SHA112ba999ca951b9f2154ab388039c20e364e56b25
SHA2566547d234fd9c2d92380a8c60eaa0e30b0c253b20870d3eaafc371f51bd46303a
SHA512cff941de4e85adcdf62e3088c358a374b4f2ac5219a438663ebd7e84b1c0693532cda54ebae9b6f687ae582cea2c727f56be0744232f25f041cfeb807a2c584b