16e99733056af25e681f4b80bd22d211d3ca13d46da3dcd5057e8f0abbd5d7de

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 15:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
Size

1009KB
MD5

35403ba7db7ea0c986ee1fe8b83e9828
SHA1

408e9bcd5b5482cb56b34262aa7630b820d52013
SHA256

16e99733056af25e681f4b80bd22d211d3ca13d46da3dcd5057e8f0abbd5d7de
SHA512

d21f92719104ab1504b70d5de3a0f92c1387f95723d97dcb3aadafb8df4b5d1f39e4bcc5cdeaed74f4deeeff338ff4bb7c88e121cb2fd576770d28a57732be6a
SSDEEP

12288:exQyHcoCUyZtwAvAs4wTCyrPT0yq0VezaOvoJpaz/g/J/vVoS:oHfty/wAvN7lry0VeH8az/g/J/No

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe

Loads dropped DLL 6 IoCs

pid	Process
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
1520	WerFault.exe
1520	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\a18467stva41a.dll	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\def26500aab6334ccd.dll	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2064	sc.exe
2316	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1520	3068	WerFault.exe	43
2756	1960	WerFault.exe	27

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2536	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2528	taskkill.exe
2900	taskkill.exe
1184	taskkill.exe
2988	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	3068	rundll32.exe
Token: SeDebugPrivilege	3068	rundll32.exe
Token: SeDebugPrivilege	3068	rundll32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2064	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2064	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2064	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2064	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2316	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2316	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2316	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2316	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	29
PID 1960 wrote to memory of 1184	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	30
PID 1960 wrote to memory of 1184	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	30
PID 1960 wrote to memory of 1184	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	30
PID 1960 wrote to memory of 1184	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2528	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2528	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2528	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2528	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2900	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2900	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2900	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2900	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	33
PID 1960 wrote to memory of 2988	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2988	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2988	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2988	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2688	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	37
PID 1960 wrote to memory of 2688	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	37
PID 1960 wrote to memory of 2688	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	37
PID 1960 wrote to memory of 2688	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	37
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 1960 wrote to memory of 3068	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	43
PID 3068 wrote to memory of 1520	3068	rundll32.exe	44
PID 3068 wrote to memory of 1520	3068	rundll32.exe	44
PID 3068 wrote to memory of 1520	3068	rundll32.exe	44
PID 3068 wrote to memory of 1520	3068	rundll32.exe	44
PID 1960 wrote to memory of 2756	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	46
PID 1960 wrote to memory of 2756	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	46
PID 1960 wrote to memory of 2756	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	46
PID 1960 wrote to memory of 2756	1960	35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe	46

C:\Users\Admin\AppData\Local\Temp\35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35403ba7db7ea0c986ee1fe8b83e9828_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2064
- C:\Windows\SysWOW64\sc.exe
  sc config rsravmon start= disabled
  2⤵
  - Launches sc.exe
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360sd.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360sd_se.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\cacls.exe
  cacls C:\Users\Admin\AppData\Local\Temp\ /e /p everyone:f cacls "C:\Windows" /e /p everyone:f
  2⤵
  PID:2688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\a18467stva41a.dll, droqp
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 320
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1520
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:2536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 296
  2⤵
  - Program crash
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\a18467stva41a.dll

Filesize
18KB

MD5
cf6055f7ab2feaec8983e16b8455d7bf

SHA1
49f091431cb22a6ffbd0db378f5952eeec5b7575

SHA256
d37142c8bdf9a835170c058155cea99d30ca6b48d048d6ff5e458297c993bb6f

SHA512
9cc71bb29cf6915301b101355e4d15bc85420ea4247249fee6b2c7a4a30e995b5e4b929f23e7e874a8f77326c65615474fcd346a612e9b8371247b0e3f75b10a

Download Submit
memory/1960-13-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download