7df70b2b9b90e359fed38d7a92896c946a63d6ec070d2e8f4c8a2e74e778c60e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Size

1.0MB
MD5

fb2042a727ec8e80cd04f3f112dee1a0
SHA1

df54b67a319953895c0adc04a32ed18fdb43defc
SHA256

7df70b2b9b90e359fed38d7a92896c946a63d6ec070d2e8f4c8a2e74e778c60e
SHA512

81e89e90c0cadea4bfc41757ccff8fb33d541c469dfeeaa46ba25fd365e76ad9c8b1c1337038762ec2713a8b9bb9ab536afd9b172e1ed043efd726ff88ff492b
SSDEEP

24576:LgkKvjPaEFFObYj07tdjFvoVWezwDWcHtXVx1Rgw:L6lFBmvoVWFFNlx1Rg

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2584	OZZY.EXE
2756	setup.exe
2296	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
2584	OZZY.EXE
2756	setup.exe
2756	setup.exe
2756	setup.exe
2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\svChost = "C:\\Program Files\\Common Files\\svchost.exe"	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\svchost.exe	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\svchost.exe	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeSecurityPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeBackupPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeRestorePrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeShutdownPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeUndockPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: 33	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: 34	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: 35	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2296	svchost.exe
Token: SeSecurityPrivilege	2296	svchost.exe
Token: SeTakeOwnershipPrivilege	2296	svchost.exe
Token: SeLoadDriverPrivilege	2296	svchost.exe
Token: SeSystemProfilePrivilege	2296	svchost.exe
Token: SeSystemtimePrivilege	2296	svchost.exe
Token: SeProfSingleProcessPrivilege	2296	svchost.exe
Token: SeIncBasePriorityPrivilege	2296	svchost.exe
Token: SeCreatePagefilePrivilege	2296	svchost.exe
Token: SeBackupPrivilege	2296	svchost.exe
Token: SeRestorePrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	2296	svchost.exe
Token: SeDebugPrivilege	2296	svchost.exe
Token: SeSystemEnvironmentPrivilege	2296	svchost.exe
Token: SeChangeNotifyPrivilege	2296	svchost.exe
Token: SeRemoteShutdownPrivilege	2296	svchost.exe
Token: SeUndockPrivilege	2296	svchost.exe
Token: SeManageVolumePrivilege	2296	svchost.exe
Token: SeImpersonatePrivilege	2296	svchost.exe
Token: SeCreateGlobalPrivilege	2296	svchost.exe
Token: 33	2296	svchost.exe
Token: 34	2296	svchost.exe
Token: 35	2296	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2584	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2584	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2584	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2584	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2584 wrote to memory of 2756	2584	OZZY.EXE	29
PID 2864 wrote to memory of 2296	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2296	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2296	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2296	2864	fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb2042a727ec8e80cd04f3f112dee1a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\OZZY.EXE
  "C:\Users\Admin\AppData\Local\Temp\OZZY.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:2756
- C:\Program Files\Common Files\svchost.exe
  "C:\Program Files\Common Files\svchost.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dif982.tmp

Filesize
734B

MD5
78072ab0b5708a550a4e7e9a4498ca53

SHA1
fb104d62016a9f29a8b2925a681f72dbd5ec9d8d

SHA256
16cbc6fb7be478ffc23313f98ba606c55169c4cb34fa1175bfd66b3614531ce2

SHA512
56c844ff87c01d3529713ec6223f49a88a5f5b299e97537c8c8fa85a0aaddc39cd72a587d8c7448dbeb40ec4df5e4d505efe60d6e519e730e4d190433f5d167d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\data.pck

Filesize
345KB

MD5
a9e61ee985ebf5db9351663ab8a1bfe4

SHA1
ac7cc946428329d1c6810de1c33d045329ee214e

SHA256
f9bbaa1aaa5108a676f2343934b3217882cf18a24b5673349df2e5a7e48bcdd8

SHA512
4645105769ed16eec35fb9b1f051c912280cdcf8ca8b42070bba396e76051371ee4f13f929030d66f17cfaeb6e3bd75f6e0f83dbf32aa3984d048d256bc42600

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.scr

Filesize
734B

MD5
5720858781f74e82589a3402d0bb3d52

SHA1
4da429299036c3e0b9710a980994055228140a0f

SHA256
0f2b1449a98034429be3706a871274b7372a13f95e031576e110c2c042525f3e

SHA512
8a3495a4f23049a7004ecbfc9ce9825d46ec9f583d88e6384d27414bd18e22e4749a990b0e826c1ff9390ec8ad64dcfe722b95c38a88ecb1c92ede6618164be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\link.dat

Filesize
27B

MD5
fb14715753c4d2e8b65ffb534805a3f3

SHA1
37fdc4b2bbf0909664cc3c3a39ddbae68f2e599e

SHA256
08e07b8f7b8bf9ff9bb20f5b17050172c0c272dcb7fbed1f8ebad173770d188d

SHA512
bbe10cd29706cf56a979ce5831c485ede9de6c1f27365688b26a8fa2666e7f0d52b373bea2109becca7d70a251bafa343248d8db93ca4d5e0415045cd74168bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\pbin.da_

Filesize
183KB

MD5
0cf499099c5ae8a1b36b48b6a2b9850d

SHA1
2fd27e4bbb9daddebf02556705b3d33d3410830b

SHA256
e6b304f9842ee1015125d02b6e61cda0c1ede460ae5c60004944a3885ba99a2a

SHA512
3a83dc0638923acf56f00047381f95090199bf2ffbf5066c11ca2767e633a3ab611979d50deeac8a60b9325382d2e3b73697cf84631e191e69c00aec68c0ff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\puzzle.pzl

Filesize
60KB

MD5
0cc97b40c20ec573f8c48346e77b96f5

SHA1
9a6d87f5399ad435118faaa597e2b457d64534b7

SHA256
39de4edb63d25121131f8cb29a8828ab1f8da5ff20aa227c77ee1d92e170b8d8

SHA512
295c69097fbe1f7b0b0594b0a6cab84d9305178744c7fb0a263d972cd222bc3556cde0940cb4ab1a9a93ba6491e21ac288400b5bc2d2392a8fc758e2018a3e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\lang.ini

Filesize
10KB

MD5
cedfd1c79c51b026a3f87794150a5039

SHA1
d373440a1f2fd8581861d7b7090085c5484b6087

SHA256
ba5ef58a17d91c7f8f39d2da9e841a162c806269e6f2bb4b689a8e9b1d0a9a80

SHA512
f48718440741fbcd80cf5b764c20629f82a527e260cb31297d40cdce22e7c3ceaac69077dc54a87767a7eac2bc826fb8f9743273049d52b0891819a089808ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\skin.ini

Filesize
1KB

MD5
393a22419b84a1219194cd6542a23c93

SHA1
f480bbfb8009844782366a3dec2ad23266dc48bc

SHA256
c46fe077a9206c75b2a6068dd6929c09df9bc616adb3caf7f1443a90f0276468

SHA512
beadbda583bf63e31a247ddcea59d7033f6cfd385e6d6bf3fc3884855ddf4b04d05f1d739f36a19319263951605bdfc00a4cc11380d978ffe2b28d4c3d35bee4

Download Submit
\Program Files\Common Files\svchost.exe

Filesize
1.0MB

MD5
fb2042a727ec8e80cd04f3f112dee1a0

SHA1
df54b67a319953895c0adc04a32ed18fdb43defc

SHA256
7df70b2b9b90e359fed38d7a92896c946a63d6ec070d2e8f4c8a2e74e778c60e

SHA512
81e89e90c0cadea4bfc41757ccff8fb33d541c469dfeeaa46ba25fd365e76ad9c8b1c1337038762ec2713a8b9bb9ab536afd9b172e1ed043efd726ff88ff492b

Download Submit
\Users\Admin\AppData\Local\Temp\OZZY.EXE

Filesize
329KB

MD5
665b5f233ddc5c71745c989d6034797a

SHA1
b37a12a134dca5ca4bdba8d36fcbd2a1ff8ec505

SHA256
442cdb8c24d3c36cfb1073f05f2bd3b7bb9a51496402d68e4b299a92f1e8a694

SHA512
19b17f5f6ba0ab5798339622e4746f024ce091a82eb913ac442317bca12fa1a2147f25687dcbb50abb238150a2bb6669f9dde0e5fef7a3d092867bb83f78b8ae

Download Submit
\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe

Filesize
304KB

MD5
189215491584865c6984c767c40f7186

SHA1
c659cd35db22770dcb8aa6e82de6aee5e9fc7d7c

SHA256
721d270ef8004468413e2c87baa70b45ff8d9d4bf86c209ce32be99d7877a85b

SHA512
e9316888d5c6b9db4996de0e38e70e99059632457acd7efda663bb24b40497865288b298dbcaa7acb80837248455a72a4c3150b6d2a3a8c3abebf28da67afe9d

Download Submit
memory/2296-859-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-865-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-872-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-871-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-860-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-861-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-862-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-863-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-864-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-852-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2296-866-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-867-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-868-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-869-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2296-870-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2864-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2864-851-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads