cfbba5f19480d8a7309fd43caa43a37614194ef72822d14ecd7826a5430107c6

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe
Size

996KB
MD5

8e93551177a6d66b660a9ded2413b04f
SHA1

3fefbcf11bc1eb2661fd83cc74bac822aba7addf
SHA256

cfbba5f19480d8a7309fd43caa43a37614194ef72822d14ecd7826a5430107c6
SHA512

48d3b0c77215bb3795b4bc20f1e6828214d3bb3967e2a5994dcf1a760bb7a448baaa78d08f7fd872f1a1d93102166858114d79499ae0b15741790d3d818008ac
SSDEEP

6144:7UBJHxPUSbAu3vKqKKBZd++iYK0wZkHMl65WxdO9uvNJUzoNIk3zko3bGeq:kHVbFJwwMcgx2iUzaIb3

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\update2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\update2.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
920	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1180	reg.exe
4884	reg.exe
3172	reg.exe
4512	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	920	svchost.exe
Token: SeCreateTokenPrivilege	920	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	920	svchost.exe
Token: SeLockMemoryPrivilege	920	svchost.exe
Token: SeIncreaseQuotaPrivilege	920	svchost.exe
Token: SeMachineAccountPrivilege	920	svchost.exe
Token: SeTcbPrivilege	920	svchost.exe
Token: SeSecurityPrivilege	920	svchost.exe
Token: SeTakeOwnershipPrivilege	920	svchost.exe
Token: SeLoadDriverPrivilege	920	svchost.exe
Token: SeSystemProfilePrivilege	920	svchost.exe
Token: SeSystemtimePrivilege	920	svchost.exe
Token: SeProfSingleProcessPrivilege	920	svchost.exe
Token: SeIncBasePriorityPrivilege	920	svchost.exe
Token: SeCreatePagefilePrivilege	920	svchost.exe
Token: SeCreatePermanentPrivilege	920	svchost.exe
Token: SeBackupPrivilege	920	svchost.exe
Token: SeRestorePrivilege	920	svchost.exe
Token: SeShutdownPrivilege	920	svchost.exe
Token: SeDebugPrivilege	920	svchost.exe
Token: SeAuditPrivilege	920	svchost.exe
Token: SeSystemEnvironmentPrivilege	920	svchost.exe
Token: SeChangeNotifyPrivilege	920	svchost.exe
Token: SeRemoteShutdownPrivilege	920	svchost.exe
Token: SeUndockPrivilege	920	svchost.exe
Token: SeSyncAgentPrivilege	920	svchost.exe
Token: SeEnableDelegationPrivilege	920	svchost.exe
Token: SeManageVolumePrivilege	920	svchost.exe
Token: SeImpersonatePrivilege	920	svchost.exe
Token: SeCreateGlobalPrivilege	920	svchost.exe
Token: 31	920	svchost.exe
Token: 32	920	svchost.exe
Token: 33	920	svchost.exe
Token: 34	920	svchost.exe
Token: 35	920	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
920	svchost.exe
920	svchost.exe
920	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2572	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	86
PID 2444 wrote to memory of 2572	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	86
PID 2444 wrote to memory of 2572	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	86
PID 2572 wrote to memory of 1012	2572	csc.exe	88
PID 2572 wrote to memory of 1012	2572	csc.exe	88
PID 2572 wrote to memory of 1012	2572	csc.exe	88
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 2444 wrote to memory of 920	2444	8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe	90
PID 920 wrote to memory of 2408	920	svchost.exe	91
PID 920 wrote to memory of 2408	920	svchost.exe	91
PID 920 wrote to memory of 2408	920	svchost.exe	91
PID 920 wrote to memory of 3020	920	svchost.exe	92
PID 920 wrote to memory of 3020	920	svchost.exe	92
PID 920 wrote to memory of 3020	920	svchost.exe	92
PID 920 wrote to memory of 4476	920	svchost.exe	93
PID 920 wrote to memory of 4476	920	svchost.exe	93
PID 920 wrote to memory of 4476	920	svchost.exe	93
PID 920 wrote to memory of 3152	920	svchost.exe	94
PID 920 wrote to memory of 3152	920	svchost.exe	94
PID 920 wrote to memory of 3152	920	svchost.exe	94
PID 3020 wrote to memory of 1180	3020	cmd.exe	99
PID 3020 wrote to memory of 1180	3020	cmd.exe	99
PID 3020 wrote to memory of 1180	3020	cmd.exe	99
PID 4476 wrote to memory of 4884	4476	cmd.exe	100
PID 4476 wrote to memory of 4884	4476	cmd.exe	100
PID 4476 wrote to memory of 4884	4476	cmd.exe	100
PID 2408 wrote to memory of 3172	2408	cmd.exe	101
PID 2408 wrote to memory of 3172	2408	cmd.exe	101
PID 2408 wrote to memory of 3172	2408	cmd.exe	101
PID 3152 wrote to memory of 4512	3152	cmd.exe	102
PID 3152 wrote to memory of 4512	3152	cmd.exe	102
PID 3152 wrote to memory of 4512	3152	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e93551177a6d66b660a9ded2413b04f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idhvhzcd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F64.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6F63.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1012
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update2.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update2.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6F64.tmp

Filesize
1KB

MD5
74c69aa19926e6dac367c8e8305d2e13

SHA1
69b7b0233c0c61f526222f5eccb8a21ffaec81a9

SHA256
866b0c37a4e156a5a9dad21a893f53016fc4dc78d98b43aa0ea0df5bc7a0427a

SHA512
3786a5b6d5429632f948e2ae794dc3102fe9e3dca37edd0c658776786a0cc156436a5c3df36e8a65f2b8e98daea97a4c0118e9f01ff5de03722c5a9f013ce67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\idhvhzcd.dll

Filesize
5KB

MD5
4dbfe6a6a6be5087a683a2bfb5237bc0

SHA1
8a501a5190dda12fd4e7f3e6e8a1296dfc77b49c

SHA256
f17d0d34b172b27241559da9eed3ccf0ab2f37313d9ae1d4520e51dc500ea20a

SHA512
54b2bd33af0079f1926e4a9bb7a4d03ebf543965521f4fac43680ce169825e96c97f6bdd7c205e855b573493cbdb9a04d3d38837640d450b4aee27c7f3290fb0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
12KB

MD5
bb5b2961567e68995464801d3bb2a964

SHA1
5d82ae2b8d24208418bfb09cbb3074c056e790dc

SHA256
a2d3d892c68a84208a9887cb34ecae820e59c4aa25c22db5c23379df344df004

SHA512
050550640a7bf2b65b3cd537f252b64465ec451555ff1831a9d799922e8c3382e83a52bc46015c5ed1ac79ebb233616f72aa8ed72f01e8be578ca383a304ff7a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6F63.tmp

Filesize
652B

MD5
be6253a82ba7f266859adf95e8aafefc

SHA1
1d19df355ab895de44594a39e058b7b0322bbf24

SHA256
58ad18e7c4f2f6c8b0e5a71988403737a5e58736aabd755b091bf0edade03305

SHA512
5515c40e83fc491832e9284c764eac26f652c4041d93d6902e0e1c1fb61e1f0a1e9e8864b2f5ce6745ecb67688f6cecba6ac6cce7c7342b8691487a1defff0bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idhvhzcd.0.cs

Filesize
4KB

MD5
2216d197bc442e875016eba15c07a937

SHA1
37528e21ea3271b85d276c6bd003e6c60c81545d

SHA256
2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

SHA512
7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idhvhzcd.cmdline

Filesize
206B

MD5
ce2719d613aac41a89bffe8f703471b1

SHA1
d152c2a20a7f6b6e532f3e7016fe011a6c5f1081

SHA256
24397bbfa80664f93df73722f3b7d17b3dbd9c870a7e573b12b772f40f62a390

SHA512
2a79f360d196f1e07410edfe5daae9517590252a7640bddb3e4d40f71c43f9dd219ee1308f0333143ad3a8578db4085b2a00f658a4f6b840ef4e86161c12964c

Download Submit
memory/920-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-36-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-47-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-46-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-20-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-31-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-44-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-42-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/920-41-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2444-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

Filesize
4KB

Download
memory/2444-33-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2444-32-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

Filesize
4KB

Download
memory/2444-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2444-2-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2572-9-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2572-16-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads