5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a

Analysis

max time kernel
127s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
Size

356KB
MD5

0c0bd343cfb9cc71e7dd1325e8410c53
SHA1

d8dc95c38d71a1b4fba163a014ad9465c0eff587
SHA256

5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a
SHA512

4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0
SSDEEP

6144:BZ0FkvPi5sZ2Dzwcnj67Q6SSfxEmJCG16SSfxEmJ:4FGPi5Bz6c6lfr96lfr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3096	CCTV.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	CCTV.exe
File created	C:\autorun.inf	CCTV.exe
File opened for modification	F:\autorun.inf	CCTV.exe
File created	F:\autorun.inf	CCTV.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateOnDemand.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	CCTV.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	CCTV.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	CCTV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe	CCTV.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	CCTV.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CCTV.exe	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
File opened for modification	C:\Windows\CCTV.exe	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
File opened for modification	C:\Windows\CCTV.exe	CCTV.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
3096	CCTV.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4564	4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	83
PID 4692 wrote to memory of 4564	4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	83
PID 4692 wrote to memory of 4564	4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	83
PID 4692 wrote to memory of 3096	4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	85
PID 4692 wrote to memory of 3096	4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	85
PID 4692 wrote to memory of 3096	4692	0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118kill.bat
  2⤵
  PID:4564
- C:\Windows\CCTV.exe
  C:\Windows\CCTV.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
900KB

MD5
80b4385a190e097666c587b9332392a9

SHA1
4edd4e16ce3ae64396af501ce80619c557047b6a

SHA256
9b974e43cc297680fa78ae9eadba9014ab0f1b8a617e759a4735c9ccf2213a3f

SHA512
77ecc64f3e5fb1ff2c1c51e7203a7aa5996c762e5e14439a81191008fe84e78ff60180777727366c6f3cc4a85be4cc3e3cbf394e87d0b9564925e87ae9bd3cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118kill.bat

Filesize
216B

MD5
ee6b3f4fa78ec0beec057271b2898042

SHA1
128a2a6a8b9da590d4d25c67488bbd412f8d8428

SHA256
5b1b29fb17c068e47723f4906fd2ebd43c21e6cc0edd1fd65589b7bf3c592ba8

SHA512
ec473d6227b7ad64b3c05d05126cd29a1ac3ffe523e65a115f7953244244343da3b503c8b2820bdf6b8c0a07d4649700cf30c5089f6d7dff6cf420016f2b36da

Download Submit
C:\Windows\CCTV.exe

Filesize
356KB

MD5
0c0bd343cfb9cc71e7dd1325e8410c53

SHA1
d8dc95c38d71a1b4fba163a014ad9465c0eff587

SHA256
5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a

SHA512
4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0

Download Submit
memory/4692-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads