Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 14:14
Static task: static1

Behavioral task: behavioral1
  Sample: 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
Size: 231KB
MD5: 1a6f6227d4407dd10f4ca1bbc771357d
SHA1: a833b40efc4821e9ebf18cb82382596bdaa6d33e
SHA256: efe8d10184f741f9d26315f7914c0b3920a008ba89b0b1308f5e1e291ba54c91
SHA512: 0c9ac3337c9338823b3a68fe8578bc12bbe8bdd08168b4c89334240da4429146c92eca1aedd8882bff7bbede1a01e4dd769a092ac2791a03abd8df24328c69c6
SSDEEP: 3072:NtezRfHWyHsZ6PJcuBsZ2qAP7o7UUy47WoZ5iN9uQyOi4RoJGHxtQoBJhBGF9Pb:nixHwZUqf7JWo3wFRoJGHxfBLBg9z
Malware Config

Extracted: metasploit
  encoder/call4_dword_xor
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies security service (2 TTPs, 2 IoCs)
  Processes: ntservice.exe
  description      ioc                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"  ntservice.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"    ntservice.exe

Executes dropped EXE (2 IoCs)
  Processes: ntservice.exe, ntservice.exe
  pid   process
  3256  ntservice.exe
  2720  ntservice.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: ntservice.exe
  description      ioc                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intec Service Drivers = "ntservice.exe"                          ntservice.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\Intec Service Drivers = "ntservice.exe"                  ntservice.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intec Service Drivers = "ntservice.exe"          ntservice.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Intec Service Drivers = "ntservice.exe"  ntservice.exe

Suspicious use of SetThreadContext (4 IoCs)
  Processes: 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe, ntservice.exe
  description                           pid   process                                              target process
  PID 396 set thread context of 4252    396   1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe  1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
  PID 396 set thread context of 4252    396   1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe  1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
  PID 3256 set thread context of 2720   3256  ntservice.exe                                        ntservice.exe
  PID 3256 set thread context of 2720   3256  ntservice.exe                                        ntservice.exe

Drops file in Windows directory (3 IoCs)
  Processes: ntservice.exe, 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
  description                   ioc                                             process
  File opened for modification  C:\Windows\127.0.200.200 update.msiservers.lan  ntservice.exe
  File created                  C:\Windows\ntservice.exe                        1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
  File opened for modification  C:\Windows\ntservice.exe                        1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: ntservice.exe
  pid   process
  2720  ntservice.exe   (this same row is listed 64 times in the original report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: ntservice.exe
  description              pid   process
  Token: SeDebugPrivilege  2720  ntservice.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe, 1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe, ntservice.exe
  description                        pid   process                                              target process
  PID 396 wrote to memory of 4252    396   1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe  1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe   (6 identical entries)
  PID 4252 wrote to memory of 3256   4252  1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe  ntservice.exe                                        (3 identical entries)
  PID 3256 wrote to memory of 2720   3256  ntservice.exe                                        ntservice.exe                                        (6 identical entries)
Processes

([n] is the depth of the process in the tree; the line below each image path is its command line.)

[1] C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\ntservice.exe
            C:\Windows\ntservice.exe 968 "C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\ntservice.exe
                C:\Windows\ntservice.exe
                - Modifies security service
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Windows\ntservice.exe
  Filesize: 231KB
  MD5: 1a6f6227d4407dd10f4ca1bbc771357d
  SHA1: a833b40efc4821e9ebf18cb82382596bdaa6d33e
  SHA256: efe8d10184f741f9d26315f7914c0b3920a008ba89b0b1308f5e1e291ba54c91
  SHA512: 0c9ac3337c9338823b3a68fe8578bc12bbe8bdd08168b4c89334240da4429146c92eca1aedd8882bff7bbede1a01e4dd769a092ac2791a03abd8df24328c69c6

memory dump                                                      filesize
memory/396-7-0x0000000011000000-0x0000000011040000-memory.dmp    256KB
memory/396-0-0x0000000011000000-0x0000000011040000-memory.dmp    256KB
memory/2720-22-0x0000000000400000-0x0000000000496000-memory.dmp  600KB
memory/2720-24-0x0000000000400000-0x0000000000496000-memory.dmp  600KB
memory/2720-23-0x0000000000400000-0x0000000000496000-memory.dmp  600KB
memory/2720-26-0x0000000000400000-0x0000000000496000-memory.dmp  600KB
memory/3256-21-0x0000000011000000-0x0000000011040000-memory.dmp  256KB
memory/4252-4-0x0000000011000000-0x0000000011040000-memory.dmp   256KB
memory/4252-1-0x0000000000400000-0x0000000000496000-memory.dmp   600KB
memory/4252-8-0x0000000000400000-0x0000000000496000-memory.dmp   600KB
memory/4252-5-0x0000000000400000-0x0000000000496000-memory.dmp   600KB
memory/4252-25-0x0000000000400000-0x0000000000496000-memory.dmp  600KB