Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 13:16
Static task: static1

Behavioral task: behavioral1
- Sample: 1a43210f401834932b515731deb398f9_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 1a43210f401834932b515731deb398f9_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 1a43210f401834932b515731deb398f9_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 1a43210f401834932b515731deb398f9
- SHA1: 22820a8fefa82a6a52004522027067c5a98457f7
- SHA256: f76c7db479887e9ed2185329fa5724f1dad254c88d3553f413dba0d2a920ad3c
- SHA512: 9b6db7e0102d1aa526ab375edcdab0e4348f664e268b522f7d928ac70d1593e25784ea3dbfaeb08b893e7142657f29eaa6baa4980125cf08d20d0da4e8b4dbb1
- SSDEEP: 24576:UgjUgmqZ5n6tkjR26s2ZKTWm9cwfThY5HW5F2vvRef1taxih1oQ:ljU1q6ta2IWWmuMTeHW74vRm6Q
Malware Config

Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 328.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 328.exe
- Executes dropped EXE (2 IoCs)
  Processes: 328.exe, msdcsc.exe
  pid / process: 2944 328.exe; 2920 msdcsc.exe
- Loads dropped DLL (2 IoCs)
  Processes: 328.exe
  pid / process: 2944 328.exe; 2944 328.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 328.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 328.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: msdcsc.exe
  description: PID 2920 set thread context of 2484
  pid: 2920
  process: msdcsc.exe
  target process: iexplore.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: iexplore.exe
  pid / process: 2484 iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 328.exe, msdcsc.exe, iexplore.exe
  328.exe (PID 2944), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  msdcsc.exe (PID 2920), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  iexplore.exe (PID 2484), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: DllHost.exe
  pid / process: 2672 DllHost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: iexplore.exe
  pid / process: 2484 iexplore.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 1a43210f401834932b515731deb398f9_JaffaCakes118.exe, 328.exe, msdcsc.exe
  PID 2140 (1a43210f401834932b515731deb398f9_JaffaCakes118.exe) wrote to memory of 2944 (328.exe): 4 entries
  PID 2944 (328.exe) wrote to memory of 2920 (msdcsc.exe): 4 entries
  PID 2920 (msdcsc.exe) wrote to memory of 2484 (iexplore.exe): 6 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1a43210f401834932b515731deb398f9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a43210f401834932b515731deb398f9_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\328.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\328.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.JPG
  Filesize: 125KB
  MD5: 9272107027f941d9701157dc8cf40c3f
  SHA1: c744f12fb5548b759e78288dbd4b62b3df612632
  SHA256: 4e6428dcd5cb61410ad161a409a8116a7dfb9faaa21e0014b50ff81797770a6a
  SHA512: a390ec436ad653c2ed9b8cb056217a5a3db27b010102c2069a4afc3a99d825dbda92441276bdf80eab4a3906a54055208e4e110a19b5a475869c2200dfe3a72e
- C:\Users\Admin\AppData\Local\Temp\328.exe
  Filesize: 848KB
  MD5: c3117f0ae622f67dc68c178ae1663a8c
  SHA1: 7160e08fca4f08d426437589bc9ce571a575606b
  SHA256: 3e47503c31311544f1a78a19bae880909138eea6459a40532674bde19130c448
  SHA512: 2c32cfd7b4a7b2a3c525501bac302eab3b449a46c38b4dd658fb8281efbc8222fc8691911860a0a54cabbedb20f0ea027e6452d26ea6c5dc5ad9c720f2b9183c
- memory/2140-4-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
  Filesize: 9.6MB
- memory/2140-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp
  Filesize: 4KB
- memory/2140-2-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
  Filesize: 9.6MB
- memory/2140-15-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
  Filesize: 9.6MB
- memory/2140-1-0x000000001B2E0000-0x000000001B51E000-memory.dmp
  Filesize: 2.2MB
- memory/2484-29-0x0000000000400000-0x00000000004E2000-memory.dmp
  Filesize: 904KB
- memory/2672-17-0x0000000000160000-0x0000000000162000-memory.dmp
  Filesize: 8KB
- memory/2920-30-0x0000000000400000-0x00000000004E2000-memory.dmp
  Filesize: 904KB
- memory/2944-10-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
- memory/2944-16-0x00000000026A0000-0x00000000026A2000-memory.dmp
  Filesize: 8KB
- memory/2944-27-0x0000000000400000-0x00000000004E2000-memory.dmp
  Filesize: 904KB