796bff83e04e17a9ead726b60e4278393ea12417918cf66afd449deec5a5adfc

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 02:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe
Size

20.0MB
MD5

2cd8f6cfad216974ef9c317877bf1deb
SHA1

7a2a51007c45ca4031bfcaaa23551cdc44198eb5
SHA256

796bff83e04e17a9ead726b60e4278393ea12417918cf66afd449deec5a5adfc
SHA512

c6385826e1ef37d312e4e876362e459c6b5bef6774ea7a5bac0943b245bbfca6ad7839d3eb5631e89d2a7b33773c92bf282a0cde2fcbcfa6fcf4847f6c01e4b2
SSDEEP

393216:ZBBiTJWN99Zc5YvTZPFMxTJyCmssifMJNxM+Xrh8o5xJwIuBtG:ZBcu+5YvlMTJUeKflh8s0tG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2204	Setup.exe
1860	Setup64.EXE
1284	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe
2204	Setup.exe
1860	Setup64.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Setup64.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1860	Setup64.EXE
Token: SeRestorePrivilege	1860	Setup64.EXE
Token: SeRestorePrivilege	1860	Setup64.EXE
Token: SeRestorePrivilege	1860	Setup64.EXE
Token: SeRestorePrivilege	1860	Setup64.EXE
Token: SeRestorePrivilege	1860	Setup64.EXE
Token: SeRestorePrivilege	1860	Setup64.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2204	Setup.exe
2204	Setup.exe
1860	Setup64.EXE
1860	Setup64.EXE
1860	Setup64.EXE
1860	Setup64.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 1244 wrote to memory of 2204	1244	2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe	28
PID 2204 wrote to memory of 1860	2204	Setup.exe	29
PID 2204 wrote to memory of 1860	2204	Setup.exe	29
PID 2204 wrote to memory of 1860	2204	Setup.exe	29
PID 2204 wrote to memory of 1860	2204	Setup.exe	29

C:\Users\Admin\AppData\Local\Temp\2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cd8f6cfad216974ef9c317877bf1deb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\Setup.exe
  .\mp490swin104ea24\DrvSetup\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\Setup64.EXE
    C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\Setup64.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STR2720.tmp

Filesize
12KB

MD5
29dd53ad008e2b116231b0a63fa595ea

SHA1
88550ffedffc0402e1101c3739b7d916d2cc92dd

SHA256
11d034917bbe181007f6aa28715e8030dba9b9e3c3dfa05aeaa5461140b6edb9

SHA512
4187c879054f182ed57950c142bc90d91f8eb12252af3b4ebbecb50f560df2cc9033b00f1dc10441cee9caad1216b9ca43bcc35c9421501441e33ab388bf0076

Download Submit
C:\Users\Admin\AppData\Local\Temp\STR2733.tmp

Filesize
2KB

MD5
63b296be46e89380a949151f22271508

SHA1
fd4aad3b196228e2baa63c74452f1539a6f6d6ec

SHA256
74efee9a89f1d5ae01c55cc7f4f149901379afcb9d59f2238ee709405ca5aa9d

SHA512
9a7698f60bd28f36398e566d74d73fef104fbf8fb218d5ebdf4a9804f30bdc737a2e9432e18914382f5f7e1e5334fbd034657d617d1439ff837de7f34991849e

Download Submit
C:\Users\Admin\AppData\Local\Temp\STR27C4.tmp

Filesize
25KB

MD5
26375706862db07e0fdd08c75589e90b

SHA1
b24cf0a501b47140f018f162ce9702efe8fbd42b

SHA256
891230bec7a4522df758cafa7c82b27e3afd90acb6ef4907e1a3778e0d8e8daf

SHA512
edb3e27afd22b025775f61e2218cad8e9ffaed82136f25c9511082c1c8b2b0da59d39929c9f8137e2b1d643f26e278950a1ca609435aadfb0fcdaa43cfeaed2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\STR287A.tmp

Filesize
20KB

MD5
5022ec4ee3e6697af99322b76adedac5

SHA1
3c38238b575fac3ab276d0a552ce07ee3de33686

SHA256
a43da8642f63b963447d599b116833acef8b9795f0f6bad4f1d5787bb831dded

SHA512
f2ca65a1347f8a24d1cac6af22bb11b5a26bbb497a4495705f948645f338e0e2cba5df091e90b4f64db17eff53572fcffef0acae4fcb4a9f0e9bae74fd00bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\Driver\MP490P6.cat

Filesize
91KB

MD5
5ba4a278db918e0913d8f1f36d8f7497

SHA1
ef2e55b479faba9b6e82ab0f673648096c22d659

SHA256
e67758cd470b64ba57ea0ad04adcf80250847c7d9c21af092ee7917552bdc896

SHA512
d68d7322a79e7f7f581daf8bd4483889662d45a4f43c1718dde73705b1e94f0a22b166b89482f0bb99a19fb1eac0d7278d2b506ae7f0a6ed3b6d6bcc6751de28

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\Driver\MP490Sb.cat

Filesize
37KB

MD5
cb924f0efdcc39c95492c554a3fe4ca4

SHA1
19600b5b806aed92871272e87216d8aaa5dbf343

SHA256
367ed92938cf9bc7a5c95ca9b36b61d1b04139b4c07acaf7e821f8f6f72f975f

SHA512
526078aecc604ebd459b03aac3e0b78bda92a0fbaaa77a97ed825be06a3fd313a66800653f6bc237e3823a6f606572d47584f0651b93638fd826196c5fb9bf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\RES\EULA\AS_English.txt

Filesize
9KB

MD5
c46e5d16beb19bbe033fc02a56f31246

SHA1
cc789c3115fbf48bca8c25f816da8e545bb15b63

SHA256
090721288d9595a3ad22a8329eea3c6033c522a40f85ef9db1eff0cadfa6e9b5

SHA512
22d8e7f6e93b0bc598323baaead3097930fa84276b37c483a8a3d4fae0d7ea57098cd184ae87494c53a9a9611675377e824027d989dd86c9f05ddf5144aff03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\RES\EULA\English.txt

Filesize
10KB

MD5
ae805b52c86ed27129977520f43312ae

SHA1
70ccf1d1b18fefdba7ba67ae83e3450090566300

SHA256
cfa3329e1a590c1edb60920885ccb656f0bed3457ca534432924b2d99b8ae697

SHA512
d3752ac20b2c5f94058c07dffaf13c2791f56a49bc89693bc94337510c58e79a5429f0fffc2fc7f27a7bfe193d5ddfdf901fcfc1c3706d4657cf01a6898e7597

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\RES\STRING\IJInstUS.ini

Filesize
1KB

MD5
e7334fd10eb58db9dcd238406e3d22cf

SHA1
68bd2b444d44ac813d9d455a89d73455cd2cf4c3

SHA256
e14b13e75e05e98c24bb932aa5601a85cea71865b60f80563b6a1915daddce1b

SHA512
fe32078a306f3347411aa90e0a8d25c81e1a7ca4ec53031ce17c2f1a53eddc0b89b2862fa4fb3117365cb9619bd531cb9f1af075a36e845d73a0b6d4c8f7fea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\Setup.exe

Filesize
750KB

MD5
07a8b42f73467f8a063587454da84b6a

SHA1
299c2da47f8f38d37849b0c07d6d486f9ea0c79a

SHA256
9a60292894cad0959eb034d7835d30553a94ad266b0f57927b9d8cce28784680

SHA512
6beaf29a74b78ccaa49a8faa7f8ab20de8a9e4d6be3ed15e2ab03b7fda7f7ed4a6611bca0f3809c14aab410e5b40d973b6c2a1fd7137492509c8888aa68aa3a3

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\RES\DLL\IJInstUS.dll

Filesize
90KB

MD5
a0d2182a4effbb74d139515e63b87970

SHA1
fc2795fc324d7388946a324d7d2ac4c2373858e7

SHA256
28eea19831e4c256fc607cb837c6aa72d0d197bdfa7cfc24bd998a894057c45f

SHA512
54f1c741fb336ce2eb5d7811785c7bd22bfda0ed667280c3ff6b9fa74abe03b283fc834abd2c201891c6dffbd15bd59fd1f0780d0d743ba5c78ecbec5ca0ed79

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\mp490swin104ea24\DrvSetup\Setup64.exe

Filesize
1.0MB

MD5
fc6c564d091d3a23e66455747c34272f

SHA1
864edc999e69334a69b8ef3f5c1842634dec3b67

SHA256
acd78476ebd8c8ea345f45b2950b0a197b147a2feaa7b8b3e4eab76301ad6004

SHA512
8cd0366eac7d2da11e648c566e5cbacf1d500f58741a9e1f626e1a4b0fe9a528fefd1033f4f06159043dda4d00bebbbbd5e9d90dd2aa10bcca688128e5b82d36

Download Submit