Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2024 23:59
Behavioral task: behavioral1
Sample: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
Size: 723KB
MD5: 44d17629be594dd6886d43027f71aa26
SHA1: 239f3e93bc49178f877e70bcf771465f19fa85df
SHA256: d68315d514bb29e78f97d755b5170fa3a16d4c2d486236e07ea40c30f1078710
SHA512: 06d34d63b1de6d40987e3dffbdfb8ca821e666b8a6cabcf5220c39621aafa824e6d8d039b0e8a85356528e097d6e7308d3836d3891057a5136798f9a78646470
SSDEEP: 12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJa:Q3nbWmJVJFwSddIXvfhqbiaxvRxq9o
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\saSC\\PDcsc.exe" | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  pid | Process
  2764 | attrib.exe
  2964 | attrib.exe
- Executes dropped EXE (1 IoCs)
  Processes: PDcsc.exe
  pid | Process
  2852 | PDcsc.exe
- Loads dropped DLL (2 IoCs)
  Processes: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  pid | Process
  2204 | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  2204 | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe, PDcsc.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MEM2 = "C:\\Users\\Admin\\Documents\\saSC\\PDcsc.exe" | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MEM2 = "C:\\Users\\Admin\\Documents\\saSC\\PDcsc.exe" | PDcsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: attrib.exe, attrib.exe, PDcsc.exe, 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe, cmd.exe, cmd.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PDcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: PDcsc.exe
  pid | Process
  2852 | PDcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe, PDcsc.exe
  PID 2204 (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2852 (PDcsc.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: PDcsc.exe
  pid | Process
  2852 | PDcsc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe, cmd.exe, cmd.exe
  description | pid | Process | procid_target
  PID 2204 wrote to memory of 2704 (x4) | 2204 | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe | 30
  PID 2204 wrote to memory of 2760 (x4) | 2204 | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe | 32
  PID 2760 wrote to memory of 2764 (x4) | 2760 | cmd.exe | 34
  PID 2704 wrote to memory of 2964 (x4) | 2704 | cmd.exe | 35
  PID 2204 wrote to memory of 2852 (x4) | 2204 | 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe | 36
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | Process
  2764 | attrib.exe
  2964 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe"
  PID: 2204
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 2704
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2964
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 2760
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2764
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Users\Admin\Documents\saSC\PDcsc.exe
    Command line: "C:\Users\Admin\Documents\saSC\PDcsc.exe"
    PID: 2852
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)
Downloads
- Filesize: 101B
  MD5: 1cc94b87efdd777679fbf471de485604
  SHA1: 9624ce4f1a0a94b26dd8938177930dc970bc91ae
  SHA256: 87e408ac9b11bb038b1362225e4a1609eaa0fbc2e98376dee6f1015058c3f8cf
  SHA512: e213be5a10f8b377109a91b1ff72766d4ab45463982efc7956ece2c7194011b40fc7b5ecdfb43f0fc852ad4f219354e75ff20b81a2cec7c2833840126d504b81
- Filesize: 50B
  MD5: b774ae3fb1da087e1f83b4f7b2060e5a
  SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
- Filesize: 723KB
  MD5: 44d17629be594dd6886d43027f71aa26
  SHA1: 239f3e93bc49178f877e70bcf771465f19fa85df
  SHA256: d68315d514bb29e78f97d755b5170fa3a16d4c2d486236e07ea40c30f1078710
  SHA512: 06d34d63b1de6d40987e3dffbdfb8ca821e666b8a6cabcf5220c39621aafa824e6d8d039b0e8a85356528e097d6e7308d3836d3891057a5136798f9a78646470