506342243db5998de802937dd8a1a0ce63bd4822703150a36469c8f22f55060c

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 16:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
Size

111KB
MD5

ebb6eedcb868b4940409ec48e73688b3
SHA1

9e5b7f1c4ba3eba88dd307e46af1d084cf5f8b03
SHA256

506342243db5998de802937dd8a1a0ce63bd4822703150a36469c8f22f55060c
SHA512

250773f7fc4745130de22e80b5c00102df81e7eb810d76c928af74dafcef315de7669f33095f5c36c8257ad43bffdc9f331ce105b229a4f7bfb2fbd963811f08
SSDEEP

3072:BmLm2L1szSZx3Y9+Up1LVGOEWLZbfMiqFflMs4h:BmvLGG3YwUpkWNXqtl6h

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2192	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	msserv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\msserv = "C:\\Windows\\msserv.exe"	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\	msserv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msserv.config	msserv.exe
File created	C:\Windows\msserv.exe	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
File opened for modification	C:\Windows\msserv.exe	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
File created	C:\Windows\msserv.config	msserv.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2192	2572	msserv.exe	31
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2172	2572	msserv.exe	32
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2572 wrote to memory of 2064	2572	msserv.exe	34
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2064 wrote to memory of 1328	2064	w32tm.exe	37
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38
PID 2172 wrote to memory of 2508	2172	w32tm.exe	38

C:\Users\Admin\AppData\Local\Temp\ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebb6eedcb868b4940409ec48e73688b3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\msserv.exe
  "C:\Windows\msserv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\msserv.exe" enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /update
      4⤵
      PID:1328

Network

DNS

cadeaux-avenue.cn

msserv.exe

Remote address:

8.8.8.8:53

Request

cadeaux-avenue.cn

IN A

Response

No results found

200.44.207.135:28797

msserv.exe

53 B
1
190.73.157.195:21440

msserv.exe

53 B
1
71.238.249.91:26704

msserv.exe

53 B
1
72.184.1.223:23093

msserv.exe

53 B
1
71.145.178.121:13978

msserv.exe

53 B
1
203.111.228.78:23370

msserv.exe

53 B
1
61.76.234.153:28475

msserv.exe

53 B
1
58.149.215.156:29672

msserv.exe

53 B
1
121.54.107.38:22268

msserv.exe

53 B
1
211.55.136.170:26944

msserv.exe

53 B
1
58.186.89.167:27347

msserv.exe

53 B
1
69.211.27.92:22559

msserv.exe

53 B
1
60.49.38.44:11336

msserv.exe

53 B
1
190.37.105.45:9589

msserv.exe

53 B
1
118.68.198.67:8020

msserv.exe

53 B
1
201.62.170.23:26651

msserv.exe

53 B
1
190.66.239.3:32790

msserv.exe

53 B
1
69.180.52.228:12415

msserv.exe

53 B
1
99.229.2.67:19625

msserv.exe

53 B
1
98.217.84.169:9715

msserv.exe

53 B
1
190.40.240.142:11886

msserv.exe

53 B
1
123.22.106.178:10103

msserv.exe

53 B
1
189.136.225.246:14350

msserv.exe

53 B
1
123.23.28.112:7642

msserv.exe

53 B
1
222.252.142.93:9221

msserv.exe

53 B
1
66.178.66.187:3068

msserv.exe

53 B
1
59.8.247.228:6256

msserv.exe

53 B
1
201.240.68.250:6496

msserv.exe

53 B
1
121.166.43.120:8811

msserv.exe

53 B
1
123.19.48.98:22213

msserv.exe

53 B
1
67.181.127.29:5733

msserv.exe

53 B
1
96.242.26.230:9761

msserv.exe

53 B
1
69.8.20.111:7343

msserv.exe

53 B
1
72.207.245.133:1223

msserv.exe

53 B
1
222.154.177.211:28229

msserv.exe

53 B
1
81.200.20.114:8176

msserv.exe

53 B
1
67.87.23.18:22357

msserv.exe

53 B
1
118.110.126.195:7177

msserv.exe

53 B
1
211.198.36.240:33327

msserv.exe

53 B
1
79.130.221.226:17226

msserv.exe

53 B
1
84.36.149.219:4742

msserv.exe

53 B
1
76.124.80.166:2853

msserv.exe

53 B
1
72.53.147.189:10020

msserv.exe

53 B
1
70.71.195.12:30368

msserv.exe

53 B
1
86.31.253.187:28591

msserv.exe

53 B
1
121.191.23.226:13656

msserv.exe

53 B
1
24.1.226.175:30864

msserv.exe

53 B
1
124.110.243.66:31950

msserv.exe

53 B
1
24.46.231.254:31332

msserv.exe

53 B
1
70.83.157.80:25203

msserv.exe

53 B
1
201.19.30.142:18103

msserv.exe

53 B
1
124.13.107.25:8023

msserv.exe

53 B
1
189.26.83.58:28336

msserv.exe

53 B
1
202.58.183.211:27197

msserv.exe

53 B
1
222.254.97.20:9896

msserv.exe

53 B
1
71.199.141.188:13194

msserv.exe

53 B
1
190.139.31.16:14198

msserv.exe

53 B
1
125.234.106.195:8762

msserv.exe

53 B
1
222.225.145.120:20555

msserv.exe

53 B
1
190.42.7.11:31632

msserv.exe

53 B
1
78.92.198.12:8422

msserv.exe

53 B
1
194.153.119.36:19902

msserv.exe

53 B
1
123.17.214.30:10510

msserv.exe

53 B
1
222.254.133.33:13194

msserv.exe

53 B
1
71.110.84.69:12757

msserv.exe

53 B
1
72.74.227.177:10883

msserv.exe

53 B
1
125.24.116.6:29440

msserv.exe

53 B
1
58.69.224.196:24140

msserv.exe

53 B
1
116.33.125.43:14785

msserv.exe

53 B
1
203.45.14.157:9634

msserv.exe

53 B
1
87.70.121.176:20949

msserv.exe

53 B
1
70.187.169.211:16368

msserv.exe

53 B
1
222.119.195.39:13978

msserv.exe

53 B
1
87.227.67.91:18385

msserv.exe

53 B
1
220.231.127.34:14001

msserv.exe

53 B
1
200.163.172.116:19467

msserv.exe

53 B
1
68.53.26.66:23938

msserv.exe

53 B
1
124.120.80.44:8420

msserv.exe

53 B
1
70.71.104.69:9956

msserv.exe

53 B
1
58.127.131.29:32049

msserv.exe

53 B
1
91.178.69.201:19353

msserv.exe

53 B
1
71.164.144.103:16338

msserv.exe

53 B
1
200.203.162.165:1381

msserv.exe

53 B
1
63.226.146.212:18817

msserv.exe

53 B
1
117.1.164.87:3379

msserv.exe

53 B
1
190.69.177.250:30594

msserv.exe

53 B
1
118.216.109.147:25846

msserv.exe

53 B
1
24.136.95.70:11191

msserv.exe

53 B
1
77.41.122.47:13957

msserv.exe

53 B
1
97.90.61.106:20052

msserv.exe

53 B
1
200.106.90.3:30987

msserv.exe

53 B
1
123.19.237.106:3372

msserv.exe

53 B
1
123.19.127.28:13002

msserv.exe

53 B
1
61.196.6.61:18962

msserv.exe

53 B
1
190.224.53.156:5367

msserv.exe

53 B
1
202.165.204.234:11396

msserv.exe

53 B
1
125.240.61.210:28836

msserv.exe

53 B
1
41.249.105.161:2472

msserv.exe

53 B
1
190.55.162.86:3794

msserv.exe

53 B
1
117.0.248.9:7014

msserv.exe

53 B
1
83.237.50.158:24504

msserv.exe

53 B
1
69.51.216.164:13580

msserv.exe

53 B
1
83.254.3.12:2739

msserv.exe

53 B
1
123.19.204.168:27613

msserv.exe

53 B
1
41.235.184.96:20195

msserv.exe

53 B
1
189.31.178.214:24323

msserv.exe

53 B
1
123.142.161.199:4580

msserv.exe

53 B
1
125.186.68.56:11856

msserv.exe

53 B
1
41.240.5.62:1215

msserv.exe

53 B
1
70.174.114.149:29965

msserv.exe

53 B
1
124.82.25.155:13820

msserv.exe

53 B
1
72.223.99.152:32078

msserv.exe

53 B
1
123.22.56.255:11051

msserv.exe

53 B
1
125.55.108.64:11045

msserv.exe

53 B
1
190.80.176.178:9628

msserv.exe

53 B
1
83.8.91.15:19730

msserv.exe

53 B
1
24.59.79.233:12921

msserv.exe

53 B
1
125.207.199.106:8343

msserv.exe

53 B
1
79.125.161.250:26099

msserv.exe

53 B
1
200.81.35.28:27635

msserv.exe

53 B
1
92.113.133.253:15360

msserv.exe

53 B
1
222.102.238.183:19919

msserv.exe

53 B
1
41.233.50.109:17780

msserv.exe

53 B
1
190.42.104.104:9917

msserv.exe

53 B
1
123.19.98.158:14026

msserv.exe

53 B
1
203.87.201.3:22188

msserv.exe

53 B
1
68.197.157.80:7164

msserv.exe

53 B
1
70.130.228.67:2506

msserv.exe

53 B
1
189.60.87.42:7219

msserv.exe

53 B
1
125.234.55.230:5143

msserv.exe

53 B
1
61.38.75.122:29536

msserv.exe

53 B
1
222.254.225.218:33175

msserv.exe

53 B
1
222.254.64.135:11471

msserv.exe

53 B
1
210.131.218.46:18594

msserv.exe

53 B
1
189.71.90.15:21956

msserv.exe

53 B
1
201.68.28.70:2624

msserv.exe

53 B
1
189.10.132.99:19455

msserv.exe

53 B
1
70.215.241.199:19456

msserv.exe

53 B
1
116.118.32.95:18606

msserv.exe

53 B
1
122.53.175.1:6499

msserv.exe

53 B
1
98.200.44.34:6362

msserv.exe

53 B
1
80.195.94.233:1239

msserv.exe

53 B
1
123.23.49.28:24053

msserv.exe

53 B
1
116.122.152.11:18744

msserv.exe

53 B
1
92.244.32.19:5384

msserv.exe

53 B
1
210.165.221.231:9303

msserv.exe

53 B
1
98.214.3.189:3026

msserv.exe

53 B
1
8.8.8.8:53

cadeaux-avenue.cn

dns

msserv.exe

63 B
116 B
1
1

DNS Request

cadeaux-avenue.cn
127.0.0.1:16778

msserv.exe

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msserv.config

Filesize
13KB

MD5
25aeacba4ade2a5ea3fd37bf9e44f08c

SHA1
a8380ad1fc86c4a11ab48fa591ad4351414be34c

SHA256
d48ba9cf963b48a5abe0b9353b336273e0e9550f05a63de3ce24cbb898a23132

SHA512
b071a2beade6b8ba43a8fdf67999babfd9be27422c179a584210b1a35d35f2f8659457a36ca3380f689322815d789f8f8703c03a4150735a54fd806ea9893e79

Download Submit
C:\Windows\msserv.config

Filesize
13KB

MD5
0eead582153500a09c2e902d6d78ed60

SHA1
56b69a2d8597e4b67c59bc52ca5e114afd8e9cb5

SHA256
f51381be136d8f94d0d51a88bf64463517b98a2560567c7ab57df5bffab09167

SHA512
81364630aeba504a6fcea2e2d23ea9b32644617a29d073673a1af5c6251e71ab0cc3b2b22d8e4b58a5393a181e4868fd6503c964318be2c99201f5384b487d4e

Download Submit
C:\Windows\msserv.exe

Filesize
111KB

MD5
ebb6eedcb868b4940409ec48e73688b3

SHA1
9e5b7f1c4ba3eba88dd307e46af1d084cf5f8b03

SHA256
506342243db5998de802937dd8a1a0ce63bd4822703150a36469c8f22f55060c

SHA512
250773f7fc4745130de22e80b5c00102df81e7eb810d76c928af74dafcef315de7669f33095f5c36c8257ad43bffdc9f331ce105b229a4f7bfb2fbd963811f08

Download Submit
memory/2572-282-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.