98f4f94d0bfff8bceb85c9bbc537b32c33e54036290ef77966dc5f9003f83631

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Size

1.1MB
MD5

ee863dc8736dd93e2f9caae2b997d3fe
SHA1

05e002b27e64a8c895051c84b791151b7febb0b0
SHA256

98f4f94d0bfff8bceb85c9bbc537b32c33e54036290ef77966dc5f9003f83631
SHA512

5c8778fb4f363a4da6bef37917ea3c76c4d8f2574fa214f3b4df38d30a1a912765ab6871ae65a2119506b050619f86f97bc8e498adc76e178668ff6f3e8c1f23
SSDEEP

768:uD9Wd1N5DLAwnVWEAaUIgKZhdTTgZrBC6v5WU8XOWI:ua1N53XEE3UIgMhdT0Ztf5/8+WI

Score

10^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsmass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows-Network Component = "C:\\Program Files (x86)\\Common Files\\lsmass.exe"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows-Network Component = "C:\\Program Files (x86)\\Common Files\\lsmass.exe"	lsmass.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE95D7A-F6BC-16BC-9B93-AB0F85344B2C}	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE95D7A-F6BC-16BC-9B93-AB0F85344B2C}\StubPath = "C:\\ProgramData\\wscntfy.exe -r"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE95D7A-F6BC-16BC-9B93-AB0F85344B2C}\IsInstalled = "1"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE95D7A-F6BC-16BC-9B93-AB0F85344B2C}\StubPath = "C:\\ProgramData\\wscntfy.exe -r"	lsmass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE95D7A-F6BC-16BC-9B93-AB0F85344B2C}\IsInstalled = "1"	lsmass.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5112	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2364	wscntfy.exe
1972	lsmass.exe
3240	lsmass.exe
1592	wscntfy.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows-Audio Driver = "C:\\ProgramData\\wscntfy.exe"	lsmass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows-Audio Driver = "C:\\ProgramData\\wscntfy.exe"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsmass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsmass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1972 set thread context of 3240	1972	lsmass.exe	88
PID 2364 set thread context of 1592	2364	wscntfy.exe	89

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\lsmass.exe	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\lsmass.exe	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsmass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsmass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscntfy.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Token: SeDebugPrivilege	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Token: SeDebugPrivilege	1972	lsmass.exe
Token: SeDebugPrivilege	2364	wscntfy.exe
Token: SeDebugPrivilege	1592	wscntfy.exe
Token: SeDebugPrivilege	3240	lsmass.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 1940 wrote to memory of 3272	1940	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	84
PID 3272 wrote to memory of 2364	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	86
PID 3272 wrote to memory of 2364	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	86
PID 3272 wrote to memory of 2364	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	86
PID 3272 wrote to memory of 1972	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	87
PID 3272 wrote to memory of 1972	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	87
PID 3272 wrote to memory of 1972	3272	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe	87
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 1972 wrote to memory of 3240	1972	lsmass.exe	88
PID 2364 wrote to memory of 1592	2364	wscntfy.exe	89
PID 3240 wrote to memory of 5112	3240	lsmass.exe	92
PID 3240 wrote to memory of 5112	3240	lsmass.exe	92
PID 3240 wrote to memory of 5112	3240	lsmass.exe	92

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsmass.exe

C:\Users\Admin\AppData\Local\Temp\ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3272
- - C:\ProgramData\wscntfy.exe
    "C:\ProgramData\wscntfy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\ProgramData\wscntfy.exe
      "C:\ProgramData\wscntfy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\Program Files (x86)\Common Files\lsmass.exe
    "C:\Program Files (x86)\Common Files\lsmass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Program Files (x86)\Common Files\lsmass.exe
      "C:\Program Files (x86)\Common Files\lsmass.exe"
      4⤵
      UAC bypass
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3240
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh.exe" firewall add allowedprogram program="C:\Program Files (x86)\Common Files\lsmass.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wscntfy.exe

Filesize
1.1MB

MD5
ee863dc8736dd93e2f9caae2b997d3fe

SHA1
05e002b27e64a8c895051c84b791151b7febb0b0

SHA256
98f4f94d0bfff8bceb85c9bbc537b32c33e54036290ef77966dc5f9003f83631

SHA512
5c8778fb4f363a4da6bef37917ea3c76c4d8f2574fa214f3b4df38d30a1a912765ab6871ae65a2119506b050619f86f97bc8e498adc76e178668ff6f3e8c1f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ee863dc8736dd93e2f9caae2b997d3fe_JaffaCakes118.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
memory/1940-1-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1940-2-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1940-6-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1940-0-0x0000000075162000-0x0000000075163000-memory.dmp

Filesize
4KB

Download
memory/1972-46-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1972-35-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2364-34-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2364-30-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2364-45-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3272-8-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3272-7-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3272-37-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3272-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads