ee2994270b42614eb65db99369dbe610a5ddaba06322b56c15280d1d5ec76019

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 02:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe
Size

1.7MB
MD5

06956d4e1404512c1b2fbfaaa6d208aa
SHA1

7d6ec7f2a07e087ad24895244ae840414d90cb75
SHA256

ee2994270b42614eb65db99369dbe610a5ddaba06322b56c15280d1d5ec76019
SHA512

c00a3fdfa966c5ae739cf8259473606464dc07b30db5ed40feb3ea85c07c2923085183851cd24986d14cacb489ea80f62b18cd8b7850bf2c3171f3a8bef18181
SSDEEP

49152:+23ZMjkAni5NJ44lClN5OVwlwikOZ+L9bgwWdUB8wI5:+8Mni5NJ46ClN5bkO7UB8f5

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	orion.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	orion.exe

Loads dropped DLL 9 IoCs

pid	Process
2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe
2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe
2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cmdrun = "cmd.exe /C ipconfig /flushdns"	orion.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dnsapi.dll	orion.exe
File opened for modification	C:\Windows\system32\lish\cafk\dup.dat	orion.exe
File opened for modification	C:\Windows\System32\dnsapi.dll	orion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	orion.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	orion.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	orion.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74	orion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74\Blob = 030000000100000014000000f53e693ddabf57a88a9b12b608b09b26c0608b7420000000010000003d0400003082043930820321a003020102020900b522f9b72eb992f5300d06092a864886f70d01010b05003070311730150603550403130e516f736d61626a205a69746d7579311c301a060355040a13134a6f6b74616974204675637075696c71204b69310b3009060355040613025255311530130603550408130c5568796362616d6665696375311330110603550407130a5675777a69686365796e301e170d3135303732393134343934395a170d3235303732363134343934395a3070311730150603550403130e516f736d61626a205a69746d7579311c301a060355040a13134a6f6b74616974204675637075696c71204b69310b3009060355040613025255311530130603550408130c5568796362616d6665696375311330110603550407130a5675777a69686365796e30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca4b086fec8b6077eb80342e9e89684c82c69e0b2fa0270b498ddf79792f807eb4a37b678ab76723220fe5d4d731cc4d844d864f209138476de844dc01fb6bd053db536b0ab7b0966dd11ffb9ef68e0c46f42a138d4e19c262d1c445853cad35d7fb344df3ba5b8ca4eb165eb86a4ca42f9f348f52c6c2644b52e65c510b8b604f9ae33fdbcee9b505aedce5db2feae46b8145bf850fa075b78eaf9f2997a06527d4cb9d5b3e08c44e5da3a862d06deae1c17787113fcbac928bef96cac1174db4b2ae627ed62251527c3915ff618c45d34903ec088c105bd357ade281328794091369bcc3ac6b73b27645c175a55ac04636d5da6e9d48c1cace8fbc4e43f8df0203010001a381d53081d2301d0603551d0e04160414f9f7f8a7e3702dc6f19e540571c8f142dffffefe3081a20603551d2304819a3081978014f9f7f8a7e3702dc6f19e540571c8f142dffffefea174a4723070311730150603550403130e516f736d61626a205a69746d7579311c301a060355040a13134a6f6b74616974204675637075696c71204b69310b3009060355040613025255311530130603550408130c5568796362616d6665696375311330110603550407130a5675777a69686365796e820900b522f9b72eb992f5300c0603551d13040530030101ff300d06092a864886f70d01010b05000382010100865c953854b2d42898f7b5024866d830a138c98ca04f95aa6650301346e1dcd5fc26a579c83e451227d28a2b6ad5edcea01cb56e4a8518fa433eee470c5d727282c04ea71731e210d47d76f6425307dfd665008cc1754ea6aa681fc82150ec8f2eb39d96dd2e592aaa1cf4aff59834b58f63632c5f5c2e5508945c2102de73befd3c5cd891547236dbc9700182298df31be15033a70c689800d10a24930932e4db2844f9914400626da05c6769f883a0de29f0b87d83b9494da0425911b090e5f879192d7f9ae91c46e0a7e0b6ce5092e1ac833681c1b1ac451b17e4d70a241aac3c34936f64e6a70163f9be4e484a79766dec4da6bd2c61b701c9b11f2e8445	orion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8	orion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8\Blob = 030000000100000014000000d830b6b8939acb4928401060203bb648456bb4f8200000000100000037040000308204333082031ba003020102020900e734ac7fe2d2a7b7300d06092a864886f70d01010b0500306e311630140603550403130d4572656e766f62204162616e64311c301a060355040a13135875646c2053696f61777379726a2041777564310b3009060355040613025553311530130603550408130c4d61736e6f70676f6566676f31123010060355040713095769766e657275696c301e170d3135303733303039323134305a170d3235303732373039323134305a306e311630140603550403130d4572656e766f62204162616e64311c301a060355040a13135875646c2053696f61777379726a2041777564310b3009060355040613025553311530130603550408130c4d61736e6f70676f6566676f31123010060355040713095769766e657275696c30820122300d06092a864886f70d01010105000382010f003082010a0282010100bb993d717e4db3b3c1afae8c665c80400249446a1823d7ceedad385169b93f48f116011f13bb16b705d580389c05c01822a2236871ff3b8b8799c7293cbf71472d4a2178b5630ac3fd4943d3ec90059dc6e94c33a3e338e7900d9d4e2d2be8cecdf4c31149f4c761c3322a328d87c7a63b348c75d11343c5a320173d5db54c261b03c6625e93cc7ae52fdfd9314bd892df03a59df3e0dfd8164575e1874de6277e0f8d7997f23a3d034f0e02e6897abdebcf8e1423daac8efaf238f6c6f4b239fabed016269485bf6ad87234d4df6287b9d1e4a3a56c1c97ed79c926b1b26f8fa29ebc6b4cd39c5ed204a1e4c729d244e9bd97d9c6b0707fdb2698b00e34669b0203010001a381d33081d0301d0603551d0e0416041447a3215ee2af8aaaf7517bbd52253f948678dcf93081a00603551d23048198308195801447a3215ee2af8aaaf7517bbd52253f948678dcf9a172a470306e311630140603550403130d4572656e766f62204162616e64311c301a060355040a13135875646c2053696f61777379726a2041777564310b3009060355040613025553311530130603550408130c4d61736e6f70676f6566676f31123010060355040713095769766e657275696c820900e734ac7fe2d2a7b7300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101009251eb5e3e7f73799f538a758dadb759de5595864fe208bee7b9f04d3d44f041c582753925b84875ba0141ceead9745d606286e5e0d6ac8cdfe2d942edadc671897be611298a2cf670c02999c65efb10d1d35a9b5e994a9b353193afa4ea6d15c9dcc8686ab18db5cb5cac3eb1d8f371f30e49fe6c23f2bd4b7f2efed190990944785beedf3bebe190031b32eba669921844aa228c7121d3f4dd46a5601a8419f44ce7812c928b9eda1bc978fd698b8c4ffd335e72d803c45b70599d3324bc46216e06f5b4d27d18195c3edcf0f302934c71eae7274a6a45412a5c7c16d335aeda7931d26ea22d9dc5a163245fdef16118fe3865e52bc5e3ce46d160fb296ae3	orion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7BD54B233B5B2F70AF86F5BD1A0C0A772A59FC6	orion.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7BD54B233B5B2F70AF86F5BD1A0C0A772A59FC6\Blob = 030000000100000014000000a7bd54b233b5b2f70af86f5bd1a0c0a772a59fc6200000000100000028040000308204243082030ca00302010202090099e03027519fbe3c300d06092a864886f70d01010b05003069311330110603550403130a4a7577204c616f6e63653121301f060355040a13184c757377656c77205861726d6f6d7a6f64746f69204e6967310b300906035504061302434e3111300f060355040813084265666c6f616674310f300d060355040713064d7563776569301e170d3135303830393130323733335a170d3235303830363130323733335a3069311330110603550403130a4a7577204c616f6e63653121301f060355040a13184c757377656c77205861726d6f6d7a6f64746f69204e6967310b300906035504061302434e3111300f060355040813084265666c6f616674310f300d060355040713064d756377656930820122300d06092a864886f70d01010105000382010f003082010a02820101009ce93dbe9d339562eb762248d1342083156f73335fa1d64c16df1c9bf1566e55ea28cafeada885f862a152cc2ea1c526bff9782c1f925cd1d160cf4699de03766a83f697e707f6bf4a5a348fa13cf83825ca29cfd01cccbf9c9732a68383e7c7aac08e5a443cbe84a9c6a944e6ed93c5557d21c9564099b83ba15d6767b60605286a83a8a49310f99ede9e3e36465bb4ab4655ab642a06a50a80bf40d4807931ae2657f86d374ab2c2aeca2033e2d8de23ed6d8b786c16bffcf3816d80e68ae8231f9141d417e33d478f35f304fedfa33044589a418b9e678eebdfffbbec5ebd744de53e38d37d0ffc91ec474b8d6976c7fd0ad66e02a1c9279793c4ed5dded50203010001a381ce3081cb301d0603551d0e041604148b28b362de18f6f48228f98c02bacdfdfd3d595330819b0603551d2304819330819080148b28b362de18f6f48228f98c02bacdfdfd3d5953a16da46b3069311330110603550403130a4a7577204c616f6e63653121301f060355040a13184c757377656c77205861726d6f6d7a6f64746f69204e6967310b300906035504061302434e3111300f060355040813084265666c6f616674310f300d060355040713064d756377656982090099e03027519fbe3c300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101001ee038133cb95e578467c8dfc3175eca3b46d9f3793a8984a13739b40a3c01af874ab03740d45dbdd2cdcd5a941a99fbbdcb10e761c3a68f8dbf55d9838589b448a4b2b530c4b831a2a1cbbee760e57ac02bb5135cf3ed2e400b5eddd0039d6df153467a3a6a494249926bf96d9f46811e5e08629828c87735df91e0254423e49e857d277ca04b69bbbcd90e050060dfb82cae38c40d560ef7738860403c78009d10303171de8c88cec0959d60320fe65573b9c853b4215624e9711cd41a89f39f64be5f6262ef66dd7acb51b032e0afe337f6890817645b11c7ae43e438321ddc29b92890d16a74a5e4ca91ad6ef7faf62a26387e74d2e7b2067877fe674fa3	orion.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe
2560	orion.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2560	orion.exe
Token: SeTakeOwnershipPrivilege	2560	orion.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2560	2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2560	2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2560	2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2560	2364	06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06956d4e1404512c1b2fbfaaa6d208aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Tempfolder\ortmp\orion.exe
  "C:\Users\Admin\AppData\Local\Tempfolder\ortmp\orion.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempfolder\ortmp\libnspr4.dll

Filesize
288KB

MD5
74485152d7f2c06fe413f48c7da4ff33

SHA1
a07c30fedc80e5f4c2cc0be5202d64f51b015b44

SHA256
3c019cb209ba4f01015ffbb628d988735d2c5d9805abd7dd4dab441ea82eb688

SHA512
43b3b3bd5d5f3afd845cc79d68e942836f95f708eac96cd84d09b774d8f92f772b2353a273185b6be336603b5b283a486756e95ff26bb1ecd4fe84667cbe6f52

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\ortmp\libplc4.dll

Filesize
47KB

MD5
08bacf2967fd8ea468c69f6e8d31b914

SHA1
eec97e847be6303013e468979b861ff74d4279ed

SHA256
2f143cac2efdc21b98620338c6f0404dfce812ee5741960ff68671ed0b0f3a9a

SHA512
2550e9481d2604b9c62b97ede184af4a8b2db1333b6707e01bc67b3699f72b0b764a238c86801d4457007e31977a181007f67c300f7c47899d4a771d05c2e97a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\ortmp\libplds4.dll

Filesize
45KB

MD5
56c1c79274ef5728b1f50986a5a8f22e

SHA1
32f67170194ce27736e564b5328dbab6c4be33b3

SHA256
8720171993fc29c517a8124b8235c2c5d71b0ae4c236685ba202088326d780de

SHA512
6198edad58ffbb9109c827de704a6d67be44300e7bf11d5af427e568388a9a746ce58e6c09babd65f6cf7dbec9520be6c9d92c7a4724c0892e044c38a9e2ce3a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\ortmp\nss3.dll

Filesize
834KB

MD5
9721a913f9a997a62c532d72ed3e7b8d

SHA1
2e1f33ec48938eab775f6775e4de93150b39b46d

SHA256
4515d073983b96bd48d2601fb22646d72aa56aec163cb172e6d06dd55b8a9e80

SHA512
7363b2192a3b0b5f946c14983b197315632907790871dd795b2d995d8cf924d9d3ad7af2c3b465b70f5bb110ba8aaef1412d2cc33bedaeca8c64e2a523678ad7

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\ortmp\nssutil3.dll

Filesize
132KB

MD5
08b59a1793e8cd6fb085271650f8b5d0

SHA1
3182956535052ab496bc92f59167a7e114752b1e

SHA256
f0c14914986be4dc13a72fbe509db10a4c24c55e545471d1e4dde2c1d4ca03a1

SHA512
e2526879a4904f9e96b5f9422a088bfc4811f5ed3567fd0ad4021c10e6b796df10c61734cf59a2b2b36151fb1451660283284f97d7ff95eb3b78d6340f1cd136

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\ortmp\smime3.dll

Filesize
129KB

MD5
88f553be556ae62c59b3a3fbea81987e

SHA1
166abd59cdf04380b939c3d216b514cbe09735f8

SHA256
741bf85f9011be7f57df51a409b9b43b45bed0329d14cedc05d0f84e60c66006

SHA512
d27e0ea06245782960bcffd41f9afbd9a7fe3bbb43f15eddbfa083568b21cc6dd15c86686fb597a0bf05d2bb4e76332eb7f28aba82e6a3695423f1458fb924c4

Download Submit
\Users\Admin\AppData\Local\Temp\nstAFB.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nstAFB.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Tempfolder\ortmp\orion.exe

Filesize
1.1MB

MD5
be84f2d7a82cafeaa173428f0370a46b

SHA1
d1775cd2bf9da213b013d4b6eabd0e8764a35c0e

SHA256
51b3f447940a700e264e0eb0ac4a90e137421a958928bb1ce709534d59990699

SHA512
79ce4c7769d1d22fe36b65baad8dc9523e47511a808a5bdcb1620f8c66cacb05f9ecc3a83fdc6a6a859f3402b00705bb0ffae25b4fdd3de6c1abee2eda734575

Download Submit