Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: 1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: 1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe
- Size: 2.0MB
- MD5: 1bb0e36a487c3ae5f9507ea0285d6416
- SHA1: 0255931a7006c73090d98d7e1ed0e296a55454d1
- SHA256: e41162a023fe7e4e3a764c2e8595f9b3c1a019a87e84410b6104b9971d45c565
- SHA512: c433389874b17002fd60f03da0b9f91d3ca421f091f8139d045bc04c01e46be387542798bdb79045b762f87d252c82333d0c5b739c98898d39d7f7b32997c07b
- SSDEEP: 24576:fv5rzBjpZ9STx44vIXnd7s6WSu0H8O57HJ:ZQIXnx/cO
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 528.exe
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | 528.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    892 | 528.exe
    2104 | 528.exe
- Loads dropped DLL (11 IoCs)
  Processes (pid | process); repeated entries are shown once with their count:
    892 | 528.exe (1 entry)
    2780 | WerFault.exe (5 entries)
    2968 | WerFault.exe (5 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 528.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 892 set thread context of 2104 | 892 | 528.exe | 528.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    2780 | 892 | WerFault.exe | 528.exe
    2968 | 2104 | WerFault.exe | 528.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description | pid | process); every entry is pid 2104, process 528.exe:
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeChangeNotifyPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: SeImpersonatePrivilege
    Token: SeCreateGlobalPrivilege
    Token: 33
    Token: 34
    Token: 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    892 | 528.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description | pid | process | target process); repeated entries are shown once with their count:
    PID 1748 wrote to memory of 892 | 1748 | 1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe | 528.exe (4 entries)
    PID 892 wrote to memory of 2104 | 892 | 528.exe | 528.exe (13 entries)
    PID 892 wrote to memory of 2780 | 892 | 528.exe | WerFault.exe (4 entries)
    PID 2104 wrote to memory of 2592 | 2104 | 528.exe | cmd.exe (4 entries)
    PID 2104 wrote to memory of 1324 | 2104 | 528.exe | cmd.exe (4 entries)
    PID 2104 wrote to memory of 2968 | 2104 | 528.exe | WerFault.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bb0e36a487c3ae5f9507ea0285d6416_JaffaCakes118.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\528.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\528.exe
    Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\528.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\528
      Signatures:
        - Modifies WinLogon for persistence
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - C:\Windows\SysWOW64\WerFault.exe (level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 624
        Signatures:
          - Loads dropped DLL
          - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 236
      Signatures:
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\528.exe
  Filesize: 755KB
  MD5: 7d9f73236d47178e2447ffdd4583f94c
  SHA1: c118d94ea20eea01214ac5bcdc4f01741daf075f
  SHA256: 5515679bd5ffd508df258c4339c5e2fcc0158c015e9d3cd8a9b10a9e7c29ab22
  SHA512: 2936d2e387aff3503d759cff5b3da0d1fc91f2e9152e9e9713f15a8eb6f0173290fd60c418b1cad1a9868539b73126e42bacf64704d5e1aaa2364a20adae5c3d
- C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
  Filesize: 58B
  MD5: e030bf1e87a3a28e2f2fc84b1f30eeff
  SHA1: 311796cdb47375f814ee069b97fb119252189b74
  SHA256: 2f08a1c056f80663c74c117bcae2d42b05be0be2bb85c4e3fff8821d978f81f9
  SHA512: e89b80e5369a2327b35757f5182627f3db36c8d43306d6ab47752ae56e450d9855137d6c4035ce4416c93d63a0a68c6fe57b7261600642a267dee98b9abd4664
- C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
  Filesize: 50B
  MD5: b774ae3fb1da087e1f83b4f7b2060e5a
  SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
- memory/892-10-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/892-13-0x0000000000260000-0x000000000026B000-memory.dmp (Filesize: 44KB)
- memory/1748-47-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp (Filesize: 9.6MB)
- memory/1748-7-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp (Filesize: 9.6MB)
- memory/1748-0-0x000007FEF505E000-0x000007FEF505F000-memory.dmp (Filesize: 4KB)
- memory/2104-37-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-16-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-28-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-25-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-22-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-38-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-20-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-30-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-18-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-39-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)
- memory/2104-32-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-48-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2104-14-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-74-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2104-75-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)