Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 12:18
Behavioral task behavioral1
Sample: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task behavioral2
Sample: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe
Resource: win10v2004-20240611-en
The signatures, process tree and memory dumps on this page come from the behavioral1 run (platform windows7_x64, resource win7-20240611-en, as stated in the Analysis header); the win10v2004 task is listed but its results are not shown here.
General
Target: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe
Size: 660KB
MD5: 1a16af0922dd982139bf3eac3721480e
SHA1: d97bf367d95b3140eec77221311c3806eac9f00d
SHA256: 64e971ca34fbd907e30392889d8a05e1a7bdccc237d198b3906643761fd3a0c1
SHA512: 5ad04f5a1512273e4dcdd5df579a3c8be0404c979fa773e504de03cda2b4eb39222eee84cd7751d4b5fad33a1ba40afe2d708c2ab7ecd6e4a9028bbd79b7bdad
SSDEEP: 12288:QXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuXksh/fy452Us:2nAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jh
Malware Config: (empty)
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
Winlogon runs every comma-separated entry of UserInit at interactive logon; on a clean system the value names userinit.exe alone (with a trailing comma). Appending the dropped msdcsc.exe makes it start for every user who logs on to the machine, and because the key sits under HKLM the write required administrative rights.
Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 3032)
Loads dropped DLL (2 IoCs)
Process: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe (PID 2956), two loads
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyName = "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
This is the Run key of the logged-on account's own hive (HKU\<SID>, RID 1000), so it fires only at that user's logon and needs no elevation; the value name is literally "KeyName". Both autostarts point at the same dropped file, so remediation has to clear this value and the extra UserInit entry together, not just one of them.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe (PID 2956) and msdcsc.exe (PID 3032). Each process adjusts the same 23 privileges on its token (23 x 2 = 46 IoCs):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privilege LUIDs 33, 34 and 35, which the sandbox does not name.
The set matches the full privilege list of an elevated administrator token, enabled wholesale rather than one targeted privilege such as SeDebugPrivilege. The report records the adjustment attempts, not whether each one succeeded.
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 3032)
The hook type and scope are not recorded, so keyboard capture cannot be confirmed from this page alone.
Suspicious use of WriteProcessMemory (4 IoCs)
PID 2956 (1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe) wrote to the memory of PID 3032 (msdcsc.exe) four times.
The only writes are from the parent into the child it had just launched, and no addresses or sizes are recorded. That pattern occurs during ordinary process start-up as well as in code injection, so on its own it is weak evidence of injection.
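The two registry writes recorded above, the Winlogon UserInit change and the per-user Run value, are the actionable part of this report. The script below is an added triage example, not part of the sandbox output or of the sample: it takes those two writes exactly as the report prints them (REG_SZ data with doubled backslashes), normalizes them, and turns them into ATT&CK-mapped findings, including the correlation that both autostarts launch the same binary. The clean UserInit baseline, the list of user-writable path prefixes, and the Finding/analyze names are assumptions of this example.

```python
# Added triage example (not part of the sandbox report or the sample): parse the
# two registry writes recorded in the Signatures section and turn them into
# ATT&CK-mapped findings. The input below is copied from the report; the baseline
# UserInit value and the user-writable prefix list are assumptions of this script.
import re
from dataclasses import dataclass

# Registry writes exactly as the report prints them (REG_SZ data with doubled backslashes).
REPORT_REGISTRY_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\KeyName",
     r"C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"),
]

# Assumed baseline: a clean Winlogon\UserInit names userinit.exe and nothing else.
EXPECTED_USERINIT = {"c:\\windows\\system32\\userinit.exe"}
# Assumed prefixes a standard user can write to; trusted autostarts normally live elsewhere.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID, or "multiple" for a correlation finding
    scope: str      # which hive the autostart lives in, hence which logons it affects
    key: str
    target: str     # executable the autostart launches
    detail: str


def unescape(value: str) -> str:
    """Undo the report's JSON-style doubling of backslashes in REG_SZ data."""
    return value.replace("\\\\", "\\")


def norm(path: str) -> str:
    return unescape(path).strip().strip('"').lower()


def is_user_writable(path: str) -> bool:
    return norm(path).startswith(USER_WRITABLE)


def executable_of(cmd: str) -> str:
    """Best-effort: the executable part of an autostart command line."""
    cmd = unescape(cmd).strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\x.exe" /args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def scope_of(key: str) -> str:
    if key.lower().startswith("\\registry\\machine\\"):
        return "HKLM (all users)"
    m = SID_RE.match(key)
    return f"HKU\\{m.group(1)} (one user)" if m else "unknown hive"


def analyze(writes):
    """Return persistence findings for a list of (registry key, REG_SZ value) writes."""
    findings, targets = [], {}
    for key, value in writes:
        k = key.lower()
        if k.endswith("\\winlogon\\userinit"):
            # Winlogon runs every comma-separated entry at interactive logon.
            for entry in filter(str.strip, unescape(value).split(",")):
                if norm(entry) in EXPECTED_USERINIT:
                    continue
                exe = executable_of(entry)
                detail = "extra UserInit entry; Winlogon runs it at every interactive logon"
                if is_user_writable(exe):
                    detail += " (user-writable location)"
                findings.append(Finding("T1547.004", scope_of(key), key, exe, detail))
                targets.setdefault(norm(exe), []).append(key)
        elif re.search(r"\\currentversion\\run(once)?\\[^\\]+$", k):
            exe = executable_of(value)
            detail = "Run value added"
            if is_user_writable(exe):
                detail += "; points into a user-writable directory"
            findings.append(Finding("T1547.001", scope_of(key), key, exe, detail))
            targets.setdefault(norm(exe), []).append(key)
    # The same binary registered in several autostart locations is itself a signal:
    # removing one entry leaves the others, so remediation must clear all of them.
    for exe, keys in targets.items():
        if len(keys) > 1:
            findings.append(Finding("multiple", "-", "; ".join(keys), exe,
                                    f"same executable registered in {len(keys)} autostart locations"))
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_REGISTRY_WRITES):
        print(f"[{f.technique}] {f.scope}: {f.target} <- {f.detail}")
```

Run against the report's two writes it yields three findings: the HKLM UserInit entry (T1547.004), the per-user Run value (T1547.001), both pointing into C:\Users, and the correlation that one executable is registered in two autostart locations. The Run branch also accepts RunOnce and quoted command lines with arguments, which this report does not contain but a broader hunt over sandbox output will.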
Processes
C:\Users\Admin\AppData\Local\Temp\1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe (PID 2956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a16af0922dd982139bf3eac3721480e_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3032), child of PID 2956
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 660KB
MD5: 1a16af0922dd982139bf3eac3721480e
SHA1: d97bf367d95b3140eec77221311c3806eac9f00d
SHA256: 64e971ca34fbd907e30392889d8a05e1a7bdccc237d198b3906643761fd3a0c1
SHA512: 5ad04f5a1512273e4dcdd5df579a3c8be0404c979fa773e504de03cda2b4eb39222eee84cd7751d4b5fad33a1ba40afe2d708c2ab7ecd6e4a9028bbd79b7bdad
All four hashes match the submitted sample: the dropped file is a byte-for-byte copy of the original, written to the user's Documents\MSDCSC directory, registered in both autostart locations listed under Signatures, and then launched as PID 3032.
Memory dumps
memory/2956-0: 0x0000000000260000-0x0000000000261000, 4KB
memory/2956-10: 0x0000000000400000-0x00000000004B5000, 724KB
memory/3032-11: 0x00000000003E0000-0x00000000003E1000, 4KB
memory/3032-12: 0x0000000000400000-0x00000000004B5000, 724KB
memory/3032-13: 0x0000000000400000-0x00000000004B5000, 724KB
memory/3032-14: 0x0000000000400000-0x00000000004B5000, 724KB
memory/3032-15: 0x0000000000400000-0x00000000004B5000, 724KB
The 0x400000-0x4B5000 region (0xB5000 = 741,376 bytes, the 724KB shown) is consistent with the mapped executable image at the default 32-bit PE base in both processes; the four dumps of it from PID 3032 are repeated captures of the same mapping, so they should be diffed against each other rather than treated as four distinct payloads.