090de0a0acd0682b288b59c93c6df6779d8b08252bfc6ccb0bfa65508ad8134e

Analysis

max time kernel
126s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
Size

787KB
MD5

0b8808288e010d9d5b54642b6700d2b8
SHA1

82932ce920fd43c82d3f740bb7d6eb36638feff3
SHA256

090de0a0acd0682b288b59c93c6df6779d8b08252bfc6ccb0bfa65508ad8134e
SHA512

5d607c5182ebae22206f4f4fa4fdddeff7354ff127901b031425e2cf11054ef3a621fa6d8127b7761ed93ad873f009060be83658ea723d9e28282328d983cc29
SSDEEP

12288:XwGcjj1ND7peCfG6aYT7WMA/wKIDjI0Aro69kGJDPIyGqpexF5ea29lrFz:xy1hkN+A/90wosfJcyRI8dvr

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1792	SpoolColorLV.exe
1268	SpoolColorLV.exe
456	SpoolColorLV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogOfficeDat = "C:\\Users\\Admin\\AppData\\Roaming\\LocalOffice\\SpoolColorLV.exe"	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\LogOfficeDat = "C:\\Users\\Admin\\AppData\\Roaming\\LocalOffice\\SpoolColorLV.exe"	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 1792 set thread context of 1268	1792	SpoolColorLV.exe	37

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
Token: SeDebugPrivilege	1792	SpoolColorLV.exe
Token: SeDebugPrivilege	456	SpoolColorLV.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2316 wrote to memory of 2568	2316	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	28
PID 2568 wrote to memory of 2832	2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2832	2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2832	2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2832	2568	0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe	31
PID 2932 wrote to memory of 1792	2932	taskeng.exe	36
PID 2932 wrote to memory of 1792	2932	taskeng.exe	36
PID 2932 wrote to memory of 1792	2932	taskeng.exe	36
PID 2932 wrote to memory of 1792	2932	taskeng.exe	36
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 1792 wrote to memory of 1268	1792	SpoolColorLV.exe	37
PID 2932 wrote to memory of 456	2932	taskeng.exe	38
PID 2932 wrote to memory of 456	2932	taskeng.exe	38
PID 2932 wrote to memory of 456	2932	taskeng.exe	38
PID 2932 wrote to memory of 456	2932	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b8808288e010d9d5b54642b6700d2b8_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn \LogOfficeDat /f
    3⤵
    PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {8AD46CEA-1FF0-4FB1-9C2E-16EF5C9760B2} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe
  C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe
    "C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe"
    3⤵
    - Executes dropped EXE
    PID:1268
- C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe
  C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LocalOffice\SpoolColorLV.exe

Filesize
787KB

MD5
0b8808288e010d9d5b54642b6700d2b8

SHA1
82932ce920fd43c82d3f740bb7d6eb36638feff3

SHA256
090de0a0acd0682b288b59c93c6df6779d8b08252bfc6ccb0bfa65508ad8134e

SHA512
5d607c5182ebae22206f4f4fa4fdddeff7354ff127901b031425e2cf11054ef3a621fa6d8127b7761ed93ad873f009060be83658ea723d9e28282328d983cc29

Download Submit
memory/456-55-0x00000000000C0000-0x000000000018E000-memory.dmp

Filesize
824KB

Download
memory/1268-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-40-0x0000000000F80000-0x000000000104E000-memory.dmp

Filesize
824KB

Download
memory/2316-21-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-0-0x00000000009F0000-0x0000000000ABE000-memory.dmp

Filesize
824KB

Download
memory/2316-1-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-2-0x0000000000530000-0x000000000059C000-memory.dmp

Filesize
432KB

Download
memory/2316-5-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-3-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2316-4-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2568-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-6-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads