Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 08/09/2024, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Resource: win7-20240729-en

General
Target: d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Size: 1.1MB
MD5: d3791e026f6c10ac0054f637a95f67fb
SHA1: 108363fcc97db3fc89fcce9ad7fc1798805c8796
SHA256: dc9a1a03eec640f6c37d1c81a4f79ee7b9c9ae7bf56efd0fa61bd1ec3cdd5a60
SHA512: 63031669bb6a431ce0443494f9d54847ac444bb76fb9b63ebc74cd03bf321bb62139364ddfa2d536d86798e55af0b87381f8f0e63927a10ea4b0b23057c05113
SSDEEP: 24576:DF21tW5kPfbt74gGU3YTcK3eyQ6orCCswX:Au5k7t749N5orCPwX
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe]
Modifies security service (2 TTPs, 1 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  [msdcsc.exe]

Windows security bypass
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [msdcsc.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [msdcsc.exe]
Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 1636  attrib.exe
  PID 2856  attrib.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     [d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  [d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     [msdcsc.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  [msdcsc.exe]
Executes dropped EXE (1 IoCs)
  PID 2888  msdcsc.exe
Resource yara matches (resource / yara_rule)
  behavioral1/memory/1520-3-0x0000000000270000-0x0000000000281000-memory.dmp   upx
  behavioral1/memory/1520-2-0x0000000000270000-0x0000000000281000-memory.dmp   upx
  behavioral1/memory/1520-1-0x0000000000270000-0x0000000000281000-memory.dmp   upx
  behavioral1/memory/1520-0-0x0000000000270000-0x0000000000281000-memory.dmp   upx
  behavioral1/memory/1520-4-0x00000000357D0000-0x0000000035808000-memory.dmp   upx
  behavioral1/memory/1520-37-0x0000000000270000-0x0000000000281000-memory.dmp  upx
  behavioral1/memory/2888-44-0x0000000000240000-0x0000000000251000-memory.dmp  upx
  behavioral1/memory/2888-43-0x0000000000240000-0x0000000000251000-memory.dmp  upx
  behavioral1/memory/2888-42-0x0000000000240000-0x0000000000251000-memory.dmp  upx
  behavioral1/memory/2888-41-0x0000000000240000-0x0000000000251000-memory.dmp  upx
  behavioral1/memory/2888-45-0x00000000371C0000-0x00000000371F8000-memory.dmp  upx
Windows security modification
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [msdcsc.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [msdcsc.exe]
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [msdcsc.exe]
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [attrib.exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [attrib.exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [msdcsc.exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [cmd.exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [cmd.exe]
Checks processor information in registry (2 TTPs, 14 IoCs)
  Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [msdcsc.exe]
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2888  msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 2888  msdcsc.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 1636  attrib.exe
  PID 2856  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe"
  PID: 1520
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      PID: 2964
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          PID: 2856
          - Sets file to hidden
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      PID: 2144
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          PID: 1636
          - Sets file to hidden
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 2888
      - Modifies security service
      - Windows security bypass
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 1904

        C:\Windows\explorer.exe
          Command line: "C:\Windows\explorer.exe"
          PID: 2988
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (5)
Downloads

Filesize: 101B
MD5: 5126024b2122482a5fae52be98343754
SHA1: 7ccec34774a00a64cf4cdb8574c87d7625fee099
SHA256: 7875723ebf6ef7c65c10c256bf8273fd70be7713e0467f5f32cbbe46b34cfe48
SHA512: 177eb580057ce502ccfb94f02e5434a8b7c1526484b3192444f95daa57a12fb043d6549b1e0bec4f469d0d0f07d9e5dc7b077154242ddb0554f04c4024190f3d

Filesize: 50B
MD5: b774ae3fb1da087e1f83b4f7b2060e5a
SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Filesize: 1.1MB
MD5: d3791e026f6c10ac0054f637a95f67fb
SHA1: 108363fcc97db3fc89fcce9ad7fc1798805c8796
SHA256: dc9a1a03eec640f6c37d1c81a4f79ee7b9c9ae7bf56efd0fa61bd1ec3cdd5a60
SHA512: 63031669bb6a431ce0443494f9d54847ac444bb76fb9b63ebc74cd03bf321bb62139364ddfa2d536d86798e55af0b87381f8f0e63927a10ea4b0b23057c05113