Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-10-2024 23:59
Behavioral task: behavioral1
Sample: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
Resource: win7-20240708-en
General
- Target: 44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
- Size: 723KB
- MD5: 44d17629be594dd6886d43027f71aa26
- SHA1: 239f3e93bc49178f877e70bcf771465f19fa85df
- SHA256: d68315d514bb29e78f97d755b5170fa3a16d4c2d486236e07ea40c30f1078710
- SHA512: 06d34d63b1de6d40987e3dffbdfb8ca821e666b8a6cabcf5220c39621aafa824e6d8d039b0e8a85356528e097d6e7308d3836d3891057a5136798f9a78646470
- SSDEEP: 12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJa:Q3nbWmJVJFwSddIXvfhqbiaxvRxq9o
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\saSC\\PDcsc.exe" (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe)
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- PID 2892 attrib.exe
- PID 1008 attrib.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe)
Executes dropped EXE (1 IoCs)
Processes:
- PID 5008 PDcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MEM2 = "C:\\Users\\Admin\\Documents\\saSC\\PDcsc.exe" (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MEM2 = "C:\\Users\\Admin\\Documents\\saSC\\PDcsc.exe" (PDcsc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PDcsc.exe)
Modifies registry class (1 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 5008 PDcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- PID 1244 (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe) adjusted the following 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 5008 (PDcsc.exe) adjusted the same 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 5008 PDcsc.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source PID, target PID, procid_target; each event recorded three times):
- PID 1244 (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe) wrote to memory of PID 2216, procid_target 92 (3 events)
- PID 1244 (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe) wrote to memory of PID 4752, procid_target 94 (3 events)
- PID 2216 (cmd.exe) wrote to memory of PID 2892, procid_target 96 (3 events)
- PID 4752 (cmd.exe) wrote to memory of PID 1008, procid_target 97 (3 events)
- PID 1244 (44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe) wrote to memory of PID 5008, procid_target 98 (3 events)
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
- PID 2892 attrib.exe
- PID 1008 attrib.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44d17629be594dd6886d43027f71aa26_JaffaCakes118.exe"
  PID: 1244
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 2216
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2892
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 4752
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 1008
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - Level 2: C:\Users\Admin\Documents\saSC\PDcsc.exe
    Command line: "C:\Users\Admin\Documents\saSC\PDcsc.exe"
    PID: 5008
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)
Downloads
- File 1
  - Filesize: 50B
  - MD5: b774ae3fb1da087e1f83b4f7b2060e5a
  - SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  - SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  - SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
- File 2
  - Filesize: 723KB
  - MD5: 44d17629be594dd6886d43027f71aa26
  - SHA1: 239f3e93bc49178f877e70bcf771465f19fa85df
  - SHA256: d68315d514bb29e78f97d755b5170fa3a16d4c2d486236e07ea40c30f1078710
  - SHA512: 06d34d63b1de6d40987e3dffbdfb8ca821e666b8a6cabcf5220c39621aafa824e6d8d039b0e8a85356528e097d6e7308d3836d3891057a5136798f9a78646470