Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2024 10:36
Static task
static1
Behavioral task
behavioral1
Sample
e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target: e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe
Size: 634KB
MD5: e258998d52ed363732ca5dd9f4ac5602
SHA1: 1ca86f2b294f3ab3efff61885ece0a83ae6ea984
SHA256: 19eaa99708bc3434d74a8bad49f53605c42f833562a31de1e5b0285af1cbfa5e
SHA512: c70efa1fd052d31c1bac70e6c00c090f8ecc2c0be79fdd238cb94850cec63bfca7afb6026a19160133077f511c1df600589c071ca496cdf298a7d951da62e8fc
SSDEEP: 6144:Z3OOCKLlcPKJEld2zJQPfuSlMHyaXXu6FQGkcC+V5R5azYBONNYJ7efR9tF:lOOZpUtlwX+zc7V5Rn1JyfP
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2972  VWE.EXE
Loads dropped DLL (2 IoCs)
  pid   Process
  2872  e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe
  2872  e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description      ioc  (Process)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\BMO.EXE \"%1\" %*"  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  (VWE.EXE)
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc  (Process)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BMO.EXE = "C:\\PerfLogs\\BMO.EXE"  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc  (Process)
  File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe, 17 IoCs)
  File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:  (VWE.EXE, 17 IoCs)
Modifies registry class (38 IoCs)
  description      ioc  (Process)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\PerfLogs\\BMO.EXE \"%1\""  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\BMO.EXE \"%1\" %*"  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command  (VWE.EXE)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\System Volume Information\\PINQZK.EXE %1"  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\System Volume Information\\PINQZK.EXE \"%1\""  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\BMO.EXE %1"  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\regfile  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command  (e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell  (VWE.EXE)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell  (VWE.EXE)
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                              procid_target
  PID 2872 wrote to memory of 2972  2872  e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe   28
  PID 2872 wrote to memory of 2972  2872  e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe   28
  PID 2872 wrote to memory of 2972  2872  e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe   28
  PID 2872 wrote to memory of 2972  2872  e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe   28
Processes
C:\Users\Admin\AppData\Local\Temp\e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e258998d52ed363732ca5dd9f4ac5602_JaffaCakes118.exe"
  PID: 2872
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\$Recycle.Bin\VWE.EXE
      Command line: C:\$Recycle.Bin\VWE.EXE
      PID: 2972
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Enumerates connected drives
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
Filesize: 635KB
MD5: 3d75de83005ef831fde7196c4a993d7d
SHA1: e4359b00f6a70cdcc8b0865bade96947e0a717fe
SHA256: 6c0e52e3c03177bc35e894cde9fb611d3edd3b58229cf68537060f948d2cce6a
SHA512: 33fc89f4547c8d9e62dbbf6f584616d0c4add508c8081f44c3f04eb8873ee74b01baebc68ab2467b7723e681f86cae18076b9cee2485ac3eb822fd35e88eed8d

Filesize: 253B
MD5: 86d0cac50401d7e41142b7fb16642b99
SHA1: d23ff56803c0d640b4d8d11c47cf04f6cd2cffc8
SHA256: 7312b745fcb4f6ebf0be33c81437a0d28cf05fc56d03f95bdc308b768bf894ff
SHA512: a42088eb6b0b4d3fd46df950bf940d2ffce0e8105fd80b1e28e1025acb592b0f19ab5677d3bfbe43befd6e9fb72a0ab410ce902cd493f6f59a168d2a8a72aaf0

Filesize: 634KB
MD5: 836fdcdcc0c21badc69e18f38aeea171
SHA1: 386f03ab4d8cb85301dcb43ac052eaaf434ee826
SHA256: 1bbae2a5d0ff4aabda2f233ca74282ba90ecf2023fbc798082e6f6700e7ae22d
SHA512: fb1a7ff48962b0833504fe724c01d693e341121b1284665d503a4390d8837944799cacda26d87ad6f49700661d786db8af342271181c2f54495bf090dd1d2bc7