b9df272c2e6a4c4c0f09b61eb770648403c8f736ee513e0e8910a19f5bbad5f8

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe
Size

227KB
MD5

315d8dc501e042bd528ece9a79447606
SHA1

a6e6b4adf6e7e43765ddad00d42db315bbfc2d49
SHA256

b9df272c2e6a4c4c0f09b61eb770648403c8f736ee513e0e8910a19f5bbad5f8
SHA512

1f1f433c3f1c0bfe3b037cf7382224d1fc6ee75d5c89d5e7fe3aa3745121147165457dd7bc52242c5e1f792cf77d9b03bbef01a21a57beda9bb3cb77d3896131
SSDEEP

6144:GsaocyLC0S8EKwcqLBpU3nofCqUajOBjypw:GtobzrEKZW9p6Vgw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2404	install.exe
2244	inst.exe

Loads dropped DLL 3 IoCs

pid	Process
328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe
328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe
328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	inst.exe
2244	inst.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2404	328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe	28
PID 328 wrote to memory of 2404	328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe	28
PID 328 wrote to memory of 2404	328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe	28
PID 328 wrote to memory of 2404	328	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe	28
PID 2404 wrote to memory of 2244	2404	install.exe	30
PID 2404 wrote to memory of 2244	2404	install.exe	30
PID 2404 wrote to memory of 2244	2404	install.exe	30
PID 2404 wrote to memory of 2244	2404	install.exe	30
PID 2404 wrote to memory of 2244	2404	install.exe	30
PID 2404 wrote to memory of 2244	2404	install.exe	30
PID 2404 wrote to memory of 2244	2404	install.exe	30

C:\Users\Admin\AppData\Local\Temp\315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Temp\nsd256D.tmp\install.exe
  C:\Users\Admin\AppData\Local\Temp\nsd256D.tmp\install.exe inst.exe /e5108185 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /aAtomixMP3 /dT201305101914
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\nsd256D.tmp\inst.exe
    "C:\Users\Admin\AppData\Local\Temp\nsd256D.tmp\inst.exe" /e5108185 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /aAtomixMP3 /dT201305101914
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
f7f6c43cbd2fe2990b6a2188f79d4807

SHA1
a5ed1028322e383d7b668705140486d52800d1e5

SHA256
1508fd6f7d6fde592f3f92636f04ccca8ee398da3f2718d1009d939cbf42a4aa

SHA512
51b0ce1ec2a2d3039b461a1790da8da72fcd2a584193e2b0b49b6dac3b38f97df19cc4fd3ea96e5533bfad5340c39952c8d5dfb6ff48a2163cd188c8dd02cb40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
5a1ab1871c1dd0bbe715482943c74be6

SHA1
da4ce17e39abb581883120980f00a91cb029127c

SHA256
5fab31aa7540eaebb07d0315e540564b06d612b4b4eb3f2a645fd86a59e6b37c

SHA512
88d80e7ffc33aadb7e28363aad82f51e78bc09ef3ef193a7acb867c825bf633b04bb623796e699262c2f1b40f339bc5277b5520f17d87b2d1f6724288330545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
135e13a3645f2448cdf6a08394ac126a

SHA1
3129811db3f12c61f981b2a48f9ef01e41205199

SHA256
ad60c73f2fd36ae7ef1c8acc78e35d6a60c8793cad03d7c6aa26acd0da655b01

SHA512
23d231571f44b8bcc2d7a489cede393a63004add235e1972a6b1a8b5d8ace2e3859ef8be2ccf0d2d7e445ae249cb5cfbcfc51dab4066733f92ae874f4cb0c932

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
a05e19efb471adc8582ae7f255d4fd86

SHA1
613a6ef310b528b1a257a1f50c1bd0efa2a42a98

SHA256
50ed78c91c026849da33d5b2acbf663a47eb0fe56905cb50a26a4f6f0dc4c4fe

SHA512
d91c611ad124b5ce7816dceb29eff18ba77c62cd50277803de84112704c3137e45ac0db1e3bcf4a30d4991fd0ee0b6637db1d6cab4d8a882f57bda68d4831deb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36ed2fef25c9dc3c85df309e1e5ab349

SHA1
e5bc6b8058f923495e574bcc0e5688a3865ccdc6

SHA256
8ab3138535ef19ceed520b4f79073493a63ebea4d08a4435ff160589191e91d9

SHA512
a98e7bd3b9e82d645305419dda82531b1868eaca2f161d586444d79fbb7464b271644d6ee1dfc8ee03c811cf97d74670d82e3a836b61b377a59ea2323752bd1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
b783d8476d5a4f11219455a1fa400c2a

SHA1
b4c77f0439c28af32a0162b889e3683f7424a451

SHA256
3f3d63cf8761aa4e9c9b4c6f1adb06d056aa6e264439f011ec714423aafdac20

SHA512
90adc129e9e49ddf9a10a6a0599c4d6f094d75335c0d4441c41d3cb9b6b8404b31ea4d12a31becd73a95e3b61c4f0855982e512867a5217699fb604cc48fb45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2811.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd256D.tmp\inst.exe

Filesize
237KB

MD5
5fa2364c5a43d98727116b4708ea52c0

SHA1
ca31227a7696a99b09d2d667d330cbde1b8ee413

SHA256
de858f5ae730377475a3cc19512c16bac83565349da99b8c3edc5da4c567e2d3

SHA512
b54211e550140d9249e03b1bdd7b0aa9bcd8d8ae6c2d40339d1283ecede3c7b9ac4ad92d9cc185306f592045d63d61a263986057f80b1856f1ccf08c7501696c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd256D.tmp\install.exe

Filesize
173KB

MD5
2e6b916342ce1c8916ed73cd052c05f8

SHA1
dc7cc05b9f016eaa582e7f459f071f4b9e24ba33

SHA256
3d4585ba554410428b9d1fcbd35ba22093f295516d47964f3ad5c5f72f21613b

SHA512
4915b315893cce26a7b3246f8a994c1ede4f4c26bf6f1b0d1aeaa40254b9152f79451720d6de3b8c30cbd5dffe58e8cd034a6cbf3ef524b8c9597e2654f650bd

Download Submit
\Users\Admin\AppData\Local\Temp\nsd256D.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/328-102-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2404-83-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-22-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-14-0x000007FEF5A1E000-0x000007FEF5A1F000-memory.dmp

Filesize
4KB

Download
memory/2404-77-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2404-75-0x0000000001ED0000-0x0000000001EF8000-memory.dmp

Filesize
160KB

Download