f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
Size

23.5MB
MD5

7b6d02a459fdaa4caa1a5bf741c4bd42
SHA1

4eea45c22881a092ac7a8b0a5379076d5803e83e
SHA256

f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
SHA512

d8d67ba37263832e7f7d0a945a04afe3d9cea24e78a2d82b00463a2ab575ddb0b53f020c9967391c8469a831c3205f68d010d752a17419d7c2bb34ae8dc55384
SSDEEP

393216:zCTLRrqyYTljCQppkgSGlNoggc7k18J1unrY+M4ZtquYfZZrjMaDF1i:zCTLI3TZCQKGlZgc7k181W7fFOjMQ1i

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	NXTPKIENTS.exe
2508	NXTPKIENTS.tmp

Loads dropped DLL 2 IoCs

pid	Process
2592	rundll32.exe
2504	NXTPKIENTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
2584	taskkill.exe
768	taskkill.exe
1704	taskkill.exe
2628	taskkill.exe
2420	taskkill.exe
824	taskkill.exe
2892	taskkill.exe
2948	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2592	rundll32.exe
2592	rundll32.exe
3004	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	NXTPKIENTS.tmp

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	3004	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2804	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2804	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2804	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2592	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2592	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2592	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	29
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2504	1724	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2504 wrote to memory of 2508	2504	NXTPKIENTS.exe	32
PID 2592 wrote to memory of 2572	2592	rundll32.exe	33
PID 2592 wrote to memory of 2572	2592	rundll32.exe	33
PID 2592 wrote to memory of 2572	2592	rundll32.exe	33
PID 2508 wrote to memory of 2420	2508	NXTPKIENTS.tmp	35
PID 2508 wrote to memory of 2420	2508	NXTPKIENTS.tmp	35
PID 2508 wrote to memory of 2420	2508	NXTPKIENTS.tmp	35
PID 2508 wrote to memory of 2420	2508	NXTPKIENTS.tmp	35
PID 2508 wrote to memory of 824	2508	NXTPKIENTS.tmp	38
PID 2508 wrote to memory of 824	2508	NXTPKIENTS.tmp	38
PID 2508 wrote to memory of 824	2508	NXTPKIENTS.tmp	38
PID 2508 wrote to memory of 824	2508	NXTPKIENTS.tmp	38
PID 2508 wrote to memory of 2892	2508	NXTPKIENTS.tmp	40
PID 2508 wrote to memory of 2892	2508	NXTPKIENTS.tmp	40
PID 2508 wrote to memory of 2892	2508	NXTPKIENTS.tmp	40
PID 2508 wrote to memory of 2892	2508	NXTPKIENTS.tmp	40
PID 2508 wrote to memory of 2948	2508	NXTPKIENTS.tmp	42
PID 2508 wrote to memory of 2948	2508	NXTPKIENTS.tmp	42
PID 2508 wrote to memory of 2948	2508	NXTPKIENTS.tmp	42
PID 2508 wrote to memory of 2948	2508	NXTPKIENTS.tmp	42
PID 2508 wrote to memory of 2584	2508	NXTPKIENTS.tmp	44
PID 2508 wrote to memory of 2584	2508	NXTPKIENTS.tmp	44
PID 2508 wrote to memory of 2584	2508	NXTPKIENTS.tmp	44
PID 2508 wrote to memory of 2584	2508	NXTPKIENTS.tmp	44
PID 2508 wrote to memory of 768	2508	NXTPKIENTS.tmp	46
PID 2508 wrote to memory of 768	2508	NXTPKIENTS.tmp	46
PID 2508 wrote to memory of 768	2508	NXTPKIENTS.tmp	46
PID 2508 wrote to memory of 768	2508	NXTPKIENTS.tmp	46
PID 2508 wrote to memory of 1704	2508	NXTPKIENTS.tmp	48
PID 2508 wrote to memory of 1704	2508	NXTPKIENTS.tmp	48
PID 2508 wrote to memory of 1704	2508	NXTPKIENTS.tmp	48
PID 2508 wrote to memory of 1704	2508	NXTPKIENTS.tmp	48
PID 2508 wrote to memory of 2628	2508	NXTPKIENTS.tmp	50
PID 2508 wrote to memory of 2628	2508	NXTPKIENTS.tmp	50
PID 2508 wrote to memory of 2628	2508	NXTPKIENTS.tmp	50
PID 2508 wrote to memory of 2628	2508	NXTPKIENTS.tmp	50
PID 2592 wrote to memory of 3028	2592	rundll32.exe	54
PID 2592 wrote to memory of 3028	2592	rundll32.exe	54
PID 2592 wrote to memory of 3028	2592	rundll32.exe	54
PID 2592 wrote to memory of 3004	2592	rundll32.exe	55
PID 2592 wrote to memory of 3004	2592	rundll32.exe	55
PID 2592 wrote to memory of 3004	2592	rundll32.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\C7F.tmp.bat
  2⤵
  - Deletes itself
  PID:2804
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Hancom\hc-f8002b32.png" limsjo
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"
    3⤵
    PID:2572
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"
    3⤵
    PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -executionpolicy bypass -File "C:\Users\Admin\.tmp\3205861455.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe
  "C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\is-1ED18.tmp\NXTPKIENTS.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-1ED18.tmp\NXTPKIENTS.tmp" /SL5="$50108,6291726,231424,C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM iexplore.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM safari.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM MicrosoftEdge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM NXTPKIENTSI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.tmp\3205861455.ps1

Filesize
266B

MD5
ac25a41868ffe2fbb543b019fecb029a

SHA1
e180d40336a34e0676c2489e690dd2dbcb9ba21c

SHA256
70cb6fa136134300d560145f46304b7a96d4ec36cc34f81fb91e835c8d4dc49d

SHA512
a5a7b8e145be753f1212b7a9b5cca54eb49a837ec3329273eecdceeac20da155c33514a6116b40c03179ca39a0a3cb253985f4a87d5a4e0176a3047de36398ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7F.tmp.bat

Filesize
462B

MD5
104c57efa8f00f8769bf33227bae5dc4

SHA1
af99397ca760b417e2a3eaa55ad3d44bde16f315

SHA256
0069c041fb5e8bfe9b244805a4e6840fef9830649ed6d7bea596641de3b8264b

SHA512
2787e0ef41d45c08c610f8352865f9c89802bddcc545ae0c64de5ba2b2e7cdebdecd9f63d19f3c033a5bee2d7a53024e5cd3a386827d9895c249a75e4b86c56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe

Filesize
6.3MB

MD5
eb8d073840e95cf24c9c3f5a2b6470e0

SHA1
2399567292f1e81630997fb4a151786d3e4938bb

SHA256
0dd9aa5b650f519a55c96bf0dee73162d9ba510b60521780c34811de25cd7bb6

SHA512
1347d8898b3e405c3de0ac90ea2880e215b745a58275b6ad8c027fa75c1f449949e7d77f820bb9bca445982b13c9f05f20ae6824445830ff7e65c71d12b18a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Hancom\hc-f8002b32.png

Filesize
8.6MB

MD5
88f183304b99c897aacfa321d58e1840

SHA1
4a705f58918c00431de453d5b5f621fa42ff7169

SHA256
61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92

SHA512
8005d45f6b8321a3a925308c9f5683b868ad7f78cd37be619500d25a1ddd45d282d91ce8275300486c0397b4aefba78b9cd67d4cd50e763e3ca51dffc67c6115

Download Submit
\??\c:\programdata\limsjo.a

Filesize
1B

MD5
4c761f170e016836ff84498202b99827

SHA1
fb3c6e4de85bd9eae26fdc63e75f10a7f39e850e

SHA256
7ace431cb61584cb9b8dc7ec08cf38ac0a2d649660be86d349fb43108b542fa4

SHA512
19d147676eb275f0f0125762f223719fde9958859f5400cc34e2887b64a26d96c3c4f9d5c0fbbda48f22820d4415a68a4fdb99028b3ba19778873a7125e56477

Download Submit
\Users\Admin\AppData\Local\Temp\is-1ED18.tmp\NXTPKIENTS.tmp

Filesize
871KB

MD5
bba6e056a5595fd2d9b50cce5ce602a1

SHA1
1405ba0d049270b5013a8ce79c879c781a140245

SHA256
5ac7e37459228cb19d9be74e24a4963c28222d8ed2665caa8857ba1c9105401a

SHA512
5a9e86396355e0681b8d2e6c464dc3cb22e96ac6d2d1ededbd96c1de6c05eb2d943ced98985d6ff805d1a42dee256d91e4502edc0e4020f1e990224d5a4d9b05

Download Submit
memory/2504-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2508-48-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2508-46-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2508-30-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2592-80-0x000007FEF5130000-0x000007FEF6710000-memory.dmp

Filesize
21.9MB

Download
memory/2592-39-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2592-35-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2592-34-0x000007FEF5130000-0x000007FEF6710000-memory.dmp

Filesize
21.9MB

Download
memory/2592-32-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2592-50-0x000007FEF5130000-0x000007FEF6710000-memory.dmp

Filesize
21.9MB

Download
memory/2592-51-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2592-73-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2592-37-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/3004-78-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/3004-79-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/3004-82-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-83-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/3004-84-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-86-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/3004-85-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/3004-91-0x000007FEF4790000-0x000007FEF512D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-92-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download