07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
Size

132KB
MD5

621cfb12233c7432f6881347bded5a57
SHA1

ab871369a1d336031620c6938d87a9ef69ee03ba
SHA256

07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c
SHA512

c5e365b035ca4dbfe98b2d483dd398c247e688155ca272fcd8271ead64cd23a1a7a928172d8c258c8f48290d9097050defaf873bde60570d5465ab341045266d
SSDEEP

3072:+D4beJt/UAKF4ba3Hwi573QVx78b4Mt2rXH4Mzm:+D4+t/Uia3H153KK2EMS

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	J6WP.exe

Loads dropped DLL 1 IoCs

pid	Process
1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2484	icacls.exe
2564	icacls.exe
2492	icacls.exe
2396	icacls.exe
2260	icacls.exe
2688	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{JU6QO627-JI7J-HD4M-H1EN-HPFG8HZX95YY} = "C:\\ProgramData\\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\\J6WP.exe"	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{JU6QO627-JI7J-HD4M-H1EN-HPFG8HZX95YY} = "C:\\ProgramData\\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\\J6WP.exe"	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2688	2416	J6WP.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2132	2688	WerFault.exe	49

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\J6WP.exe:Zone.Identifier	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2944	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2944	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2944	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2944	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2508	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	31
PID 1876 wrote to memory of 2508	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	31
PID 1876 wrote to memory of 2508	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	31
PID 1876 wrote to memory of 2508	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	31
PID 1876 wrote to memory of 2608	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	33
PID 1876 wrote to memory of 2608	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	33
PID 1876 wrote to memory of 2608	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	33
PID 1876 wrote to memory of 2608	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	33
PID 1876 wrote to memory of 2628	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	34
PID 1876 wrote to memory of 2628	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	34
PID 1876 wrote to memory of 2628	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	34
PID 1876 wrote to memory of 2628	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	34
PID 2944 wrote to memory of 2484	2944	cmd.exe	36
PID 2944 wrote to memory of 2484	2944	cmd.exe	36
PID 2944 wrote to memory of 2484	2944	cmd.exe	36
PID 2944 wrote to memory of 2484	2944	cmd.exe	36
PID 1876 wrote to memory of 2360	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	38
PID 1876 wrote to memory of 2360	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	38
PID 1876 wrote to memory of 2360	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	38
PID 1876 wrote to memory of 2360	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	38
PID 1876 wrote to memory of 2904	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	39
PID 1876 wrote to memory of 2904	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	39
PID 1876 wrote to memory of 2904	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	39
PID 1876 wrote to memory of 2904	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	39
PID 2508 wrote to memory of 2564	2508	cmd.exe	41
PID 2508 wrote to memory of 2564	2508	cmd.exe	41
PID 2508 wrote to memory of 2564	2508	cmd.exe	41
PID 2508 wrote to memory of 2564	2508	cmd.exe	41
PID 2628 wrote to memory of 2492	2628	cmd.exe	43
PID 2628 wrote to memory of 2492	2628	cmd.exe	43
PID 2628 wrote to memory of 2492	2628	cmd.exe	43
PID 2628 wrote to memory of 2492	2628	cmd.exe	43
PID 2360 wrote to memory of 2396	2360	cmd.exe	44
PID 2360 wrote to memory of 2396	2360	cmd.exe	44
PID 2360 wrote to memory of 2396	2360	cmd.exe	44
PID 2360 wrote to memory of 2396	2360	cmd.exe	44
PID 2608 wrote to memory of 2260	2608	cmd.exe	45
PID 2608 wrote to memory of 2260	2608	cmd.exe	45
PID 2608 wrote to memory of 2260	2608	cmd.exe	45
PID 2608 wrote to memory of 2260	2608	cmd.exe	45
PID 2904 wrote to memory of 2532	2904	cmd.exe	46
PID 2904 wrote to memory of 2532	2904	cmd.exe	46
PID 2904 wrote to memory of 2532	2904	cmd.exe	46
PID 2904 wrote to memory of 2532	2904	cmd.exe	46
PID 1876 wrote to memory of 2416	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	47
PID 1876 wrote to memory of 2416	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	47
PID 1876 wrote to memory of 2416	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	47
PID 1876 wrote to memory of 2416	1876	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	47
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2416 wrote to memory of 2688	2416	J6WP.exe	49
PID 2688 wrote to memory of 2132	2688	icacls.exe	51
PID 2688 wrote to memory of 2132	2688	icacls.exe	51

C:\Users\Admin\AppData\Local\Temp\621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /tn {JU6QO627-JI7J-HD4M-H1EN-HPFG8HZX95YY} /tr C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\J6WP.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn {JU6QO627-JI7J-HD4M-H1EN-HPFG8HZX95YY} /tr C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\J6WP.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
    3⤵
    - Creates scheduled task(s)
    PID:2532
- C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\J6WP.exe
  "C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\J6WP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 864
      4⤵
      Program crash
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{SEL5T3RM-TBNY-TZWZ-ILT2-JAVVDENCK7IH}\J6WP.exe

Filesize
132KB

MD5
621cfb12233c7432f6881347bded5a57

SHA1
ab871369a1d336031620c6938d87a9ef69ee03ba

SHA256
07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c

SHA512
c5e365b035ca4dbfe98b2d483dd398c247e688155ca272fcd8271ead64cd23a1a7a928172d8c258c8f48290d9097050defaf873bde60570d5465ab341045266d

Download Submit
C:\Users\Admin\AppData\Roaming\7601.17727.amd64fre.win7sp1_gdr.111118-2330_x86W.dll

Filesize
140B

MD5
13fc442186607d49c043407d154494d1

SHA1
d6b3393fcd61ace72e7d85d6ec5429dfcea3d9af

SHA256
6e51646c19ce755ccde4d96e265224b7f908a2059f0485855d3dbe93dbcaebd1

SHA512
bdce2e678f831c5b2dcba8d6cf2f851dfd91386a31aadda67f6c9d32b1cfada2d40582ab6f1658f5fb4cee8f627f614a62425ab828c7a3fba4d0b628b81a29d5

Download Submit
memory/2688-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-36-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-37-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-39-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads