Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 03:50
Static task: static1
Behavioral task: behavioral1
Sample: d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Size: 1.1MB
MD5: d3791e026f6c10ac0054f637a95f67fb
SHA1: 108363fcc97db3fc89fcce9ad7fc1798805c8796
SHA256: dc9a1a03eec640f6c37d1c81a4f79ee7b9c9ae7bf56efd0fa61bd1ec3cdd5a60
SHA512: 63031669bb6a431ce0443494f9d54847ac444bb76fb9b63ebc74cd03bf321bb62139364ddfa2d536d86798e55af0b87381f8f0e63927a10ea4b0b23057c05113
SSDEEP: 24576:DF21tW5kPfbt74gGU3YTcK3eyQ6orCCswX:Au5k7t749N5orCPwX
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
3120 | attrib.exe
224 | attrib.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | msdcsc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | msdcsc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
3208 | msdcsc.exe

resource | yara_rule
behavioral2/memory/4576-3-0x00000000376D0000-0x00000000376E1000-memory.dmp | upx
behavioral2/memory/4576-2-0x00000000376D0000-0x00000000376E1000-memory.dmp | upx
behavioral2/memory/4576-0-0x00000000376D0000-0x00000000376E1000-memory.dmp | upx
behavioral2/memory/4576-1-0x00000000376D0000-0x00000000376E1000-memory.dmp | upx
behavioral2/memory/4576-4-0x0000000037AB0000-0x0000000037AE8000-memory.dmp | upx
behavioral2/memory/4576-77-0x00000000376D0000-0x00000000376E1000-memory.dmp | upx
behavioral2/memory/3208-83-0x00000000358C0000-0x00000000358D1000-memory.dmp | upx
behavioral2/memory/3208-82-0x00000000358C0000-0x00000000358D1000-memory.dmp | upx
behavioral2/memory/3208-81-0x00000000358C0000-0x00000000358D1000-memory.dmp | upx
behavioral2/memory/3208-84-0x00000000358C0000-0x00000000358D1000-memory.dmp | upx
behavioral2/memory/3208-85-0x0000000037F50000-0x0000000037F88000-memory.dmp | upx

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msdcsc.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msdcsc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | msdcsc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msdcsc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msdcsc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msdcsc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | msdcsc.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | msdcsc.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3208 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeSecurityPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeBackupPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeRestorePrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeShutdownPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeDebugPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeUndockPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: 33 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: 34 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: 35 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: 36 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 3208 | msdcsc.exe
Token: SeSecurityPrivilege | 3208 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 3208 | msdcsc.exe
Token: SeLoadDriverPrivilege | 3208 | msdcsc.exe
Token: SeSystemProfilePrivilege | 3208 | msdcsc.exe
Token: SeSystemtimePrivilege | 3208 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 3208 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 3208 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 3208 | msdcsc.exe
Token: SeBackupPrivilege | 3208 | msdcsc.exe
Token: SeRestorePrivilege | 3208 | msdcsc.exe
Token: SeShutdownPrivilege | 3208 | msdcsc.exe
Token: SeDebugPrivilege | 3208 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 3208 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 3208 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 3208 | msdcsc.exe
Token: SeUndockPrivilege | 3208 | msdcsc.exe
Token: SeManageVolumePrivilege | 3208 | msdcsc.exe
Token: SeImpersonatePrivilege | 3208 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 3208 | msdcsc.exe
Token: 33 | 3208 | msdcsc.exe
Token: 34 | 3208 | msdcsc.exe
Token: 35 | 3208 | msdcsc.exe
Token: 36 | 3208 | msdcsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3208 | msdcsc.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 4576 wrote to memory of 3368 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 87
PID 4576 wrote to memory of 3368 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 87
PID 4576 wrote to memory of 3368 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 87
PID 4576 wrote to memory of 1844 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 88
PID 4576 wrote to memory of 1844 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 88
PID 4576 wrote to memory of 1844 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 88
PID 3368 wrote to memory of 3120 | 3368 | cmd.exe | 91
PID 3368 wrote to memory of 3120 | 3368 | cmd.exe | 91
PID 3368 wrote to memory of 3120 | 3368 | cmd.exe | 91
PID 1844 wrote to memory of 224 | 1844 | cmd.exe | 92
PID 1844 wrote to memory of 224 | 1844 | cmd.exe | 92
PID 1844 wrote to memory of 224 | 1844 | cmd.exe | 92
PID 4576 wrote to memory of 3208 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 93
PID 4576 wrote to memory of 3208 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 93
PID 4576 wrote to memory of 3208 | 4576 | d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe | 93
PID 3208 wrote to memory of 4472 | 3208 | msdcsc.exe | 94
PID 3208 wrote to memory of 4472 | 3208 | msdcsc.exe | 94
PID 3208 wrote to memory of 4472 | 3208 | msdcsc.exe | 94
PID 3208 wrote to memory of 668 | 3208 | msdcsc.exe | 95
PID 3208 wrote to memory of 668 | 3208 | msdcsc.exe | 95
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
3120 | attrib.exe
224 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\d3791e026f6c10ac0054f637a95f67fb_JaffaCakes118.exe"
    PID: 4576
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        PID: 3368
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            PID: 3120
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        PID: 1844
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            PID: 224
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        PID: 3208
        - Modifies security service
        - Windows security bypass
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 4472

        [3] C:\Windows\explorer.exe
            Command: "C:\Windows\explorer.exe"
            PID: 668
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (5)
Downloads
Filesize: 50B
MD5: b774ae3fb1da087e1f83b4f7b2060e5a
SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Filesize: 1.1MB
MD5: d3791e026f6c10ac0054f637a95f67fb
SHA1: 108363fcc97db3fc89fcce9ad7fc1798805c8796
SHA256: dc9a1a03eec640f6c37d1c81a4f79ee7b9c9ae7bf56efd0fa61bd1ec3cdd5a60
SHA512: 63031669bb6a431ce0443494f9d54847ac444bb76fb9b63ebc74cd03bf321bb62139364ddfa2d536d86798e55af0b87381f8f0e63927a10ea4b0b23057c05113