616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e

Analysis

max time kernel
86s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
Size

2.5MB
MD5

0e2d67a033efc098dcdafe159cbd1954
SHA1

0b962240091c3037e25db68e92768bd1119f9c66
SHA256

616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e
SHA512

f5dddf1a60096d9f59d0cff146bc11b2509329869ba7fda2604e6c492df3113a6e29703adcb3fe73ff52e1a743d6040df37c2dee9edfbc73a40b066e2929430f
SSDEEP

49152:y8Zbn98Zbn98Zbn98ZbnYn/4MnYYJ2ZhqSGLHkJEMFHUDkYOMwwnMb4PmyV:1wIDQnYOXwnS4rV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
3112	478.#.exe
3544	188.#.exe
2652	238.#.exe
3396	346.#.exe
2740	311.#.exe
5544	830.#.exe
1628	755.#.exe
5536	890.#.exe
2460	782.#.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	478.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	188.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	346.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	755.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	890.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	782.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	238.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	311.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	830.#.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\	188.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\	478.#.exe
File opened for modification	C:\Program Files\Java\jre8\	346.#.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\	755.#.exe
File opened for modification	C:\Program Files\Common Files\System\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\	478.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\	188.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\	311.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe$	188.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe$	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\	238.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\	478.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\	346.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\	346.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\	311.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\	238.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\	311.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\	188.#.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\	188.#.exe
File opened for modification	C:\Program Files\dotnet\host\	346.#.exe
File opened for modification	C:\Program Files\Common Files\System\ado\	830.#.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\	238.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\	238.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\	188.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\	311.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\	188.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	478.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\	346.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\	346.#.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\	238.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\	188.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\	188.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\	311.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\	238.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\	188.#.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\	188.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\	311.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\	830.#.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\	478.#.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	346.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\	311.#.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\	478.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\	238.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	188.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\	830.#.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\	311.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\	755.#.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	311.#.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\	346.#.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\	188.#.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\	478.#.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	238.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	346.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	830.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	890.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	478.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	188.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	311.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	755.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak	782.#.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3512	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
3112	478.#.exe
3544	188.#.exe
2652	238.#.exe
3396	346.#.exe
2740	311.#.exe
5544	830.#.exe
1628	755.#.exe
5536	890.#.exe
2460	782.#.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3112	3512	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe	86
PID 3512 wrote to memory of 3112	3512	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe	86
PID 3512 wrote to memory of 3112	3512	0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe	86
PID 3112 wrote to memory of 3544	3112	478.#.exe	87
PID 3112 wrote to memory of 3544	3112	478.#.exe	87
PID 3112 wrote to memory of 3544	3112	478.#.exe	87
PID 3544 wrote to memory of 2652	3544	188.#.exe	88
PID 3544 wrote to memory of 2652	3544	188.#.exe	88
PID 3544 wrote to memory of 2652	3544	188.#.exe	88
PID 2652 wrote to memory of 3396	2652	238.#.exe	89
PID 2652 wrote to memory of 3396	2652	238.#.exe	89
PID 2652 wrote to memory of 3396	2652	238.#.exe	89
PID 3396 wrote to memory of 2740	3396	346.#.exe	90
PID 3396 wrote to memory of 2740	3396	346.#.exe	90
PID 3396 wrote to memory of 2740	3396	346.#.exe	90
PID 2740 wrote to memory of 5544	2740	311.#.exe	93
PID 2740 wrote to memory of 5544	2740	311.#.exe	93
PID 2740 wrote to memory of 5544	2740	311.#.exe	93
PID 5544 wrote to memory of 1628	5544	830.#.exe	95
PID 5544 wrote to memory of 1628	5544	830.#.exe	95
PID 5544 wrote to memory of 1628	5544	830.#.exe	95
PID 1628 wrote to memory of 5536	1628	755.#.exe	96
PID 1628 wrote to memory of 5536	1628	755.#.exe	96
PID 1628 wrote to memory of 5536	1628	755.#.exe	96
PID 5536 wrote to memory of 2460	5536	890.#.exe	97
PID 5536 wrote to memory of 2460	5536	890.#.exe	97
PID 5536 wrote to memory of 2460	5536	890.#.exe	97

C:\Users\Admin\AppData\Local\Temp\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\478.#.exe
  C:\Users\Admin\AppData\Local\Temp\478.#.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\188.#.exe
    C:\Users\Admin\AppData\Local\Temp\188.#.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\238.#.exe
      C:\Users\Admin\AppData\Local\Temp\238.#.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\346.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\346.#.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Users\Admin\AppData\Local\Temp\311.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\311.#.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\830.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\830.#.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\755.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\755.#.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\890.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\890.#.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\782.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\782.#.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\60.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\60.#.exe
        11⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\76.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\76.#.exe
        12⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\784.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\784.#.exe
        13⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\260.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\260.#.exe
        14⤵
        
        PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.6MB

MD5
25247dfed133d270a9b33b881794f753

SHA1
b34a775a94291139d5d6b9b3c2888183e4cdda35

SHA256
673abab05e0cd787b43a4068607a472cd214c05a4dea5dd34f2386589674a5f5

SHA512
b0dc740d7d70a8b8bc1797b6a9eb24e5950dabd1f52a5284a0497e4410df8578dbf3be11de28a7e3113a057c29f28d8b1e659453508b322b3cf038de0651f0cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe$

Filesize
2.9MB

MD5
27d123c3706e08a91b21f384ce989ac0

SHA1
1dc68a2da337c12249747a7ff1d8ecee4e5d506c

SHA256
379aa9c65b41f611101326bd6327ae34d212c037ea146a3c8bc3a63a22201c28

SHA512
5f2f92b67b5b6b8cb9d8b5fe0914079ab7af5342380176fd084a8ba6c60b02d29d4d6c0e0283175cea218855c491fa627565b374b81aae09f7306729cb620cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\478.#.exe

Filesize
2.5MB

MD5
0e2d67a033efc098dcdafe159cbd1954

SHA1
0b962240091c3037e25db68e92768bd1119f9c66

SHA256
616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e

SHA512
f5dddf1a60096d9f59d0cff146bc11b2509329869ba7fda2604e6c492df3113a6e29703adcb3fe73ff52e1a743d6040df37c2dee9edfbc73a40b066e2929430f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads