18bb890d50e9710a88cd4aee0796c71d3fc9d51ec424040cb00558ae8aab5573

Analysis

max time kernel
143s
max time network
117s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
Size

1.6MB
MD5

1378623c54577c3c86bc3aa614a0917e
SHA1

cd6e385e98074837f7e9f0c4bf48402429857408
SHA256

18bb890d50e9710a88cd4aee0796c71d3fc9d51ec424040cb00558ae8aab5573
SHA512

7994210e6dfa6698f21e2be4f3202aa1b325b8613e2637b02a47a0c86189a13ae1a3dd577b92060a4838011b37ca2e453729960324e593249d8f9a0c1f0d55f4
SSDEEP

24576:iQi/T0gH3m4C4kOudJDcPXgejld25qbqLlJXkluJoz3KpTsBNkdSnMBTlP0Qjcpz:i9r0gXm4CgAtcPXyq2pJXkkorkSGpfE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
1736	msnetcore.exe

Loads dropped DLL 6 IoCs

pid	Process
2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	msnetcore.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msbuild.exe	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnet.exe	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-VG6B1.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-SVVEI.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-UIG6E.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Microsoft.NET\v2.0.507279\is-AFBT6.tmp	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2632	taskkill.exe
2652	taskkill.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecision = "0"	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadNetworkName = "Network 3"	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionTime = c06785f03c9eda01	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecision = "0"	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionTime = 0043f5fb3c9eda01	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = c06785f03c9eda01	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\be-04-05-8a-ad-59	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDetectedUrl	msnetcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-04-05-8a-ad-59\WpadDecisionReason = "1"	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	msnetcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionReason = "1"	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msnetcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	msnetcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = 0043f5fb3c9eda01	msnetcore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
1736	msnetcore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2096	2252	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	28
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2664	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	29
PID 2096 wrote to memory of 2632	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	30
PID 2096 wrote to memory of 2632	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	30
PID 2096 wrote to memory of 2632	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	30
PID 2096 wrote to memory of 2632	2096	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	30
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2936	2664	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2652	2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	33
PID 2936 wrote to memory of 2652	2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	33
PID 2936 wrote to memory of 2652	2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	33
PID 2936 wrote to memory of 2652	2936	1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp	33

C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\is-F97RV.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F97RV.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp" /SL5="$400F8,1431047,56832,C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe" /VERYSILENT /SP-
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\is-5E39I.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5E39I.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp" /SL5="$20196,1431047,56832,C:\Users\Admin\AppData\Local\Temp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.exe" /VERYSILENT /SP-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe
"C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\v2.0.507279\corecfg.ini

Filesize
259B

MD5
f42aa406ed306b8d00ed512de90068ae

SHA1
364bee70880dbee1c070c25f95037a4882fcf08d

SHA256
195fe5db844cdf13e7ee1e4bae3b0cec6a2b24659b482c42af76cbde59eb8b33

SHA512
6ddd5a43e55348290a47dceeacc8821ceef1791c1af6a709f338663f8693b312acd8ceecf0b1b55d2c861d34860777d1728f49381a9a75333904e6f8a87ce012

Download Submit
C:\Program Files (x86)\Microsoft.NET\v2.0.507279\msnetcore.exe

Filesize
3.3MB

MD5
fd3fa916884a91bf26c86101900854f6

SHA1
124a4242eb33c30146598411f1fa62b3f7c9c05b

SHA256
a9c3a00a801e5d3abaaed4c1adf21ea38803f80bc9575651f821323b54372968

SHA512
16e46f382f0ae1aff3d6aad04bc464eba261baa29d0b1f0ca0a3c290f23e239cf82485bbc3bcf0baa32b595478ea3fded18532653b3d08bc1e04adb6c28c475c

Download Submit
\Users\Admin\AppData\Local\Temp\is-8PB2C.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F97RV.tmp\1378623c54577c3c86bc3aa614a0917e_JaffaCakes118.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/1736-85-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1736-138-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1736-135-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1736-122-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1736-48-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1736-98-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/2096-25-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2096-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2252-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2252-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2252-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2936-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download