4c5d464d2636c4e155fa51be824cbf2038824683c7778738d59dee5a2cd8ab69

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe
Size

17KB
MD5

fb2dcc045afd144b1b743efbed7b60ce
SHA1

b0eb38604c9e5065f10cf35ffc8b88899c054567
SHA256

4c5d464d2636c4e155fa51be824cbf2038824683c7778738d59dee5a2cd8ab69
SHA512

3e025b8132d6457084c57267d08722c9945ec7bab4d336b9d62c23986fe104f28dcc133023b9fd7629100ae76a8b636369a2ab02cc5cf030af0beee12d9b3086
SSDEEP

384:GtBXPIffR9PaRGeRcm+WiPMDQ2Q8+Wdvm8Gzg10jds:0x+vaNcXPcd+8ugyR

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	alg.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "safeint"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\killbase.vbs"	alg.exe

Executes dropped EXE 1 IoCs

pid	Process
4480	alg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/3812-4-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x000700000002326c-7.dat	upx
behavioral2/memory/4480-9-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4480-42-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4480-362-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	alg.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wincap.exe	alg.exe
File created	C:\Windows\SysWOW64\arps.com	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\wsock32.dll	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\13.0.0.0__89845DCD8080CC91\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\wsock32.dll	alg.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\wsock32.dll	alg.exe
File created	C:\Program Files\Internet Explorer\uk-UA\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\Templates\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\715237A0-ED3E-4757-88EB-471BCD0CC2DD\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\wsock32.dll	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\wsock32.dll	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\wsock32.dll	alg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\wsock32.dll	alg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\wsock32.dll	alg.exe
File created	C:\Program Files\Common Files\System\Ole DB\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\wsock32.dll	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\wsock32.dll	alg.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\wsock32.dll	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\wsock32.dll	alg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\wsock32.dll	alg.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\alg.exe	fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe
File created	C:\Windows\Tasks\killbase.vbs	alg.exe
File opened for modification	C:\Windows\Tasks\killbase.vbs	alg.exe
File created	C:\Windows\Tasks\ÂÌ»¯.bat	alg.exe
File opened for modification	C:\Windows\Tasks\ÂÌ»¯.bat	alg.exe
File created	C:\Windows\Tasks\wsock32.dll	alg.exe
File created	C:\Windows\mfxixue.ini	alg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4632	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe
4480	alg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4480	alg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 824	3812	fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe	88
PID 3812 wrote to memory of 824	3812	fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe	88
PID 3812 wrote to memory of 824	3812	fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe	88
PID 824 wrote to memory of 4632	824	cmd.exe	90
PID 824 wrote to memory of 4632	824	cmd.exe	90
PID 824 wrote to memory of 4632	824	cmd.exe	90
PID 824 wrote to memory of 4480	824	cmd.exe	91
PID 824 wrote to memory of 4480	824	cmd.exe	91
PID 824 wrote to memory of 4480	824	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\mfxixue.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4632
- - C:\Windows\Tasks\alg.exe
    C:\Windows\Tasks\alg.exe
    3⤵
    - Drops file in Drivers directory
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\wsock32.dll

Filesize
17KB

MD5
bb27a68ebe877eba5dbbce06d131ee6a

SHA1
f4fc6b39338922d258012e8404a9cb56d8e4c846

SHA256
8821fa495a8d553eb91e0e346990e6fd422f099baa79a01be6975fc18659a669

SHA512
0424c004d43b4e4b7b88546d7f45b6cf03247bb2b6de8a50a77f35ec5ccd29f4be61d312ebca92ef6e9486e44f6e67080ffd218788a01e0526a58bb76c1a61ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TP62vDmiTK.pif

Filesize
41KB

MD5
9c611912dddf7526964280700c00b754

SHA1
e55ce622b4c44d258a7885ad997365a6436b485b

SHA256
fd42118c2e4696e33f5818282df82a80e1377d01fbbe72fe1467ea906e71d795

SHA512
00328535fd1ad163f980e455a758692e8e9680d7e125d642162d74d2e61b64d3a795baeaddeaee6adc6b00633eaff51e0d8b353d95ab7b0f01dac58fca6fbcf7

Download Submit
C:\Windows\SysWOW64\wincap.exe

Filesize
6KB

MD5
351e09174f8995c4ec557f7bf02bba6b

SHA1
0505b6ebe5936718b411d72803a80709e1578164

SHA256
e0c7fcbc9e9ffb877106f92ce184bca658a4ad00fec0c93d3b1255f7a8f0a709

SHA512
f6c41cd769b0ee9ccd7393305b51635cffd27708f42b9de1eed86e97e89d23caec3071ddc9807bfffbb1c343f106b6db1284d8855a9231fc744b72afdd36a9df

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
912B

MD5
48ec95bacc8186d72cce11b9584faeb7

SHA1
0a6900de60be125b545d36a55f56bd0f7db18d32

SHA256
402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

SHA512
42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

Download Submit
C:\Windows\Tasks\alg.exe

Filesize
17KB

MD5
6c9b20460dac897528114c7d843bb93b

SHA1
87ffd916d3f781417fffecd9f433409e56c94c6a

SHA256
2c399cee34cc1fb1d220018992ad10d11c2c9f02fdff1babf75870726665ebb7

SHA512
27ada1702a58cd1f3cb0c1b66ca7efd3807276a1e42bfb346b2765e8c3b294a8caafa48255bf8fa0d04d39d1e8d3127504e8f44c9a868c78240958ce3385470c

Download Submit
C:\Windows\Tasks\killbase.vbs

Filesize
95B

MD5
b0e06ce37bba9450fb0241614a517141

SHA1
ab74f193a28e6a6eb75f171eb48e6d00f2015de3

SHA256
d19dd95ddd530c1e654f4c2b79829f5ac4b4321e94e08198b0cba7f2d9df9401

SHA512
c457bddc7c64cd8a20c6614180fba70f46f27b1c7d6229ab300e3755c5ca34e5da9b1822445e66658d8d73d124dbb6f6ed4f34f423f4bafd6f8a80f4481f99fc

Download Submit
\??\c:\mfxixue.bat

Filesize
143B

MD5
7799ae90e02ff5feede2bd319919e6ff

SHA1
384ea24428cf4931d9876fc7619db3cc08747c3f

SHA256
cdabaa0483269e242e0bed8c3bfccfd3313ed9fd411dbed3405d653e4a1a5d96

SHA512
f47ebf984d18bf5d0a5ba468bd256d4dfb41e707f71d40ca541cce4206bf64ed0afee57b800f1931e1db685abc7ca2249107523ddd08fde60c853c59f0ba221a

Download Submit
memory/3812-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3812-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-362-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download