5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a

Analysis

max time kernel
126s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
Size

356KB
MD5

0c0bd343cfb9cc71e7dd1325e8410c53
SHA1

d8dc95c38d71a1b4fba163a014ad9465c0eff587
SHA256

5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a
SHA512

4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0
SSDEEP

6144:BZ0FkvPi5sZ2Dzwcnj67Q6SSfxEmJCG16SSfxEmJ:4FGPi5Bz6c6lfr96lfr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	CCTV.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	CCTV.exe
File created	F:\autorun.inf	CCTV.exe
File opened for modification	C:\autorun.inf	CCTV.exe
File created	C:\autorun.inf	CCTV.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	CCTV.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	CCTV.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	CCTV.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7AE638D3-C69D-42D5-9B63-3C52AA32D796}\chrome_installer.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpenc.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	CCTV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	CCTV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	CCTV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	CCTV.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CCTV.exe	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
File opened for modification	C:\Windows\CCTV.exe	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
File opened for modification	C:\Windows\CCTV.exe	CCTV.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
1956	CCTV.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2164	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	28
PID 756 wrote to memory of 2164	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	28
PID 756 wrote to memory of 2164	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	28
PID 756 wrote to memory of 2164	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	28
PID 756 wrote to memory of 1956	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	30
PID 756 wrote to memory of 1956	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	30
PID 756 wrote to memory of 1956	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	30
PID 756 wrote to memory of 1956	756	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118kill.bat
  2⤵
  - Deletes itself
  PID:2164
- C:\Windows\CCTV.exe
  C:\Windows\CCTV.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118kill.bat

Filesize
216B

MD5
ee6b3f4fa78ec0beec057271b2898042

SHA1
128a2a6a8b9da590d4d25c67488bbd412f8d8428

SHA256
5b1b29fb17c068e47723f4906fd2ebd43c21e6cc0edd1fd65589b7bf3c592ba8

SHA512
ec473d6227b7ad64b3c05d05126cd29a1ac3ffe523e65a115f7953244244343da3b503c8b2820bdf6b8c0a07d4649700cf30c5089f6d7dff6cf420016f2b36da

Download Submit
C:\Windows\CCTV.exe

Filesize
356KB

MD5
0c0bd343cfb9cc71e7dd1325e8410c53

SHA1
d8dc95c38d71a1b4fba163a014ad9465c0eff587

SHA256
5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a

SHA512
4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0

Download Submit
memory/756-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads