Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 00:02
Static task
static1
Behavioral task
behavioral1
Sample
d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe
-
Size
137KB
-
MD5
d446284002f47cbf7f565e80a16c3854
-
SHA1
9bd0cd9833efdc7154c3d7dd99914dbb17e6fbd3
-
SHA256
11c0fd540f52098dd29fd81ade38bdee44e3f45a44485a43699d1275d253e7b6
-
SHA512
9002454217757f2d225f81d0f967141771663ee01fc8a13ee429a8a5da67760990f6e1997eebe8169a8ff2c0c8619b6b025cd388d92d6216947a2a391556b8b8
-
SSDEEP
3072:sjcrKunQngXHNz1i2XlCmYBsqy0f7VMzRmle4YPvjil47tJYY3:sjdu4eHL91CmYWqrxMglaWl4Z
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" unwise_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" unwise_.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile unwise_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" unwise_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" unwise_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" unwise_.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile unwise_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" unwise_.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" unwise_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" unwise_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" unwise_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" unwise_.exe -
Modifies Windows Firewall 2 TTPs 7 IoCs
pid Process 4960 netsh.exe 4844 netsh.exe 2016 netsh.exe 3740 netsh.exe 3108 netsh.exe 1172 netsh.exe 1568 netsh.exe -
Deletes itself 1 IoCs
pid Process 1956 unwise_.exe -
Executes dropped EXE 1 IoCs
pid Process 1956 unwise_.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" unwise_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" unwise_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" unwise_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" unwise_.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Fonts\unwise_.exe d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe File opened for modification C:\Windows\Fonts\unwise_.exe d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unwise_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" unwise_.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" unwise_.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings unwise_.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534" unwise_.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" unwise_.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ unwise_.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" unwise_.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" unwise_.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: 33 512 d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 512 d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe Token: 33 1956 unwise_.exe Token: SeIncBasePriorityPrivilege 1956 unwise_.exe Token: SeBackupPrivilege 1956 unwise_.exe Token: SeSecurityPrivilege 1956 unwise_.exe Token: SeSecurityPrivilege 1956 unwise_.exe Token: SeBackupPrivilege 1956 unwise_.exe Token: SeSecurityPrivilege 1956 unwise_.exe Token: SeBackupPrivilege 1956 unwise_.exe Token: SeSecurityPrivilege 1956 unwise_.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1956 wrote to memory of 3108 1956 unwise_.exe 84 PID 1956 wrote to memory of 3108 1956 unwise_.exe 84 PID 1956 wrote to memory of 3108 1956 unwise_.exe 84 PID 1956 wrote to memory of 1172 1956 unwise_.exe 86 PID 1956 wrote to memory of 1172 1956 unwise_.exe 86 PID 1956 wrote to memory of 1172 1956 unwise_.exe 86 PID 1956 wrote to memory of 1568 1956 unwise_.exe 88 PID 1956 wrote to memory of 1568 1956 unwise_.exe 88 PID 1956 wrote to memory of 1568 1956 unwise_.exe 88 PID 1956 wrote to memory of 4960 1956 unwise_.exe 90 PID 1956 wrote to memory of 4960 1956 unwise_.exe 90 PID 1956 wrote to memory of 4960 1956 unwise_.exe 90 PID 1956 wrote to memory of 4844 1956 unwise_.exe 92 PID 1956 wrote to memory of 4844 1956 unwise_.exe 92 PID 1956 wrote to memory of 4844 1956 unwise_.exe 92 PID 1956 wrote to memory of 2016 1956 unwise_.exe 94 PID 1956 wrote to memory of 2016 1956 unwise_.exe 94 PID 1956 wrote to memory of 2016 1956 unwise_.exe 94 PID 1956 wrote to memory of 3740 1956 unwise_.exe 96 PID 1956 wrote to memory of 3740 1956 unwise_.exe 96 PID 1956 wrote to memory of 3740 1956 unwise_.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d446284002f47cbf7f565e80a16c3854_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:512
-
C:\Windows\Fonts\unwise_.exe"C:\Windows\Fonts\unwise_.exe"1⤵
- Modifies firewall policy service
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3108
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1172
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1568
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT12⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4960
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT22⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4844
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2016
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3740
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
2Disable or Modify Tools
2Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD5d446284002f47cbf7f565e80a16c3854
SHA19bd0cd9833efdc7154c3d7dd99914dbb17e6fbd3
SHA25611c0fd540f52098dd29fd81ade38bdee44e3f45a44485a43699d1275d253e7b6
SHA5129002454217757f2d225f81d0f967141771663ee01fc8a13ee429a8a5da67760990f6e1997eebe8169a8ff2c0c8619b6b025cd388d92d6216947a2a391556b8b8