0635f08fefd0ad89a9bc9693796a794bae35a1836f324887e8edfc7175ef5a64

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe
Size

2.2MB
MD5

6da0204ca0a786529e6f95dfffc5f57c
SHA1

9162a96696b8aff1a092bdd0b037da6a27948a2c
SHA256

0635f08fefd0ad89a9bc9693796a794bae35a1836f324887e8edfc7175ef5a64
SHA512

81491b4c0903b5be3969d70c480e9714d15eb074de35bd2fe019ffccdf1475f77e0b1310acd127902382420b9201686a8dbc631646b1a302a9b4e485e8e4e249
SSDEEP

24576:h1OYdaOLqU2Uzf5UilCfBJyQWS9oLDBXEZc78KU88SlhrVzcH:h1OsRqBI5UilCfxmnvthrRA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2152	YZVzB9CtyFwPjls.exe
2116	YZVzB9CtyFwPjls.exe

Loads dropped DLL 4 IoCs

pid	Process
2224	6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe
2152	YZVzB9CtyFwPjls.exe
2152	YZVzB9CtyFwPjls.exe
2116	YZVzB9CtyFwPjls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit	YZVzB9CtyFwPjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SKPNMW.tmp\\YZVzB9CtyFwPjls.exe\" target \".\\\" bits downExt"	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML\OpenWithProgids	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	YZVzB9CtyFwPjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\ddeexec	YZVzB9CtyFwPjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SKPNMW.tmp\\YZVzB9CtyFwPjls.exe\" target \".\\\" bits downExt"	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\command	YZVzB9CtyFwPjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\command\ = "Notepad.exe"	YZVzB9CtyFwPjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML\ = "__aHTML"	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell	YZVzB9CtyFwPjls.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML	YZVzB9CtyFwPjls.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML\OpenWithProgids\__aHTML	YZVzB9CtyFwPjls.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	YZVzB9CtyFwPjls.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	YZVzB9CtyFwPjls.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2152	2224	6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2152	2224	6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2152	2224	6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2152	2224	6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2116	2152	YZVzB9CtyFwPjls.exe	29
PID 2152 wrote to memory of 2116	2152	YZVzB9CtyFwPjls.exe	29
PID 2152 wrote to memory of 2116	2152	YZVzB9CtyFwPjls.exe	29
PID 2152 wrote to memory of 2116	2152	YZVzB9CtyFwPjls.exe	29
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30
PID 2116 wrote to memory of 2448	2116	YZVzB9CtyFwPjls.exe	30

C:\Users\Admin\AppData\Local\Temp\6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6da0204ca0a786529e6f95dfffc5f57c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\YZVzB9CtyFwPjls.exe
  .\YZVzB9CtyFwPjls.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\SKPNMW.tmp\YZVzB9CtyFwPjls.exe
    "C:\Users\Admin\AppData\Local\Temp\SKPNMW.tmp\YZVzB9CtyFwPjls.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\bxIBhLqOI4TvAB.x64.dll"
      4⤵
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
866fe9e125db960903e888f564ad08b2

SHA1
21a8cb5d9009d19a883b45f39d103dbc57083138

SHA256
35cef1c49aef93bf6b59fc5a8b84d230d41578669c90020d0a6c16366fd85280

SHA512
4d01c3139783e42c49df98e222a3f941eed7739634e4cc83129f81645c463c7b3f10bf1516c1e58f7760eae4cb0b559d4d550fcb2f74b68c16c72ae231f3a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
1bd31b7e42d6260e1b433e7c55d11eec

SHA1
4471049c4f34c10a05f213292f1b0f061e8f16d0

SHA256
0f8a35f53b54dc9f3da8f9362cb87e509a4c58608945e8733fd7929154dce637

SHA512
73b0fda19e710af505304ff6517a6b7acfa78fe686ec9274c1becea57bc1ca6a2b52862792e6579d41f9c820a864b3ac8ddea861858227f55fa220b206965bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\[email protected]\install.rdf

Filesize
601B

MD5
3a489792ab202a66c990b10c8fb5e20b

SHA1
515d637659147a61b4af1e450ad3ab853d012e06

SHA256
520c51c8085e4d9abc4ee560f819e53c12d22dcc72932f09c92026753813abcd

SHA512
617c8327373cdf41ae04072c97292bbdcb447a2e13802797e311691ed8398c51dd310b719eb715599f9cc1f823b35702870d0e166e3e93001650951f2a6d89e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\YZVzB9CtyFwPjls.dat

Filesize
14KB

MD5
2c99481a5d05c0b07937159c9986e97c

SHA1
c3fa65cdb2710a35986b65c9605c89fcf8b7ec83

SHA256
bba40b53eb6c51ecf0b3b0da21344fe63af4bace2745d718ed333e824ff0b01c

SHA512
4795dda00d0305b0dfa9238fce601a3978cbf8f494d7b736c76ebf74cb743785ff0555ebd80e9ccfc52f432d6c95725aad7c3ca407809981a34f219697c5fd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\bxIBhLqOI4TvAB.dll

Filesize
863KB

MD5
705f6c4b2fe9b6a403610245ea58764b

SHA1
e57cf23e93dc734234bc46e0eded4deb42025e12

SHA256
dfdbe57f7c994ed8616e023730352abc3579de10c043332b4a5c723088d80540

SHA512
d6e416943cb8cd628eaa42a9cf2fa8a68ffd981b10cddeb183f21997f98b6e8ad92400ced0ffed2d99cb47120a3817cc72cda3d41c6f962a2a3fedb586af2660

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\bxIBhLqOI4TvAB.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\bxIBhLqOI4TvAB.x64.dll

Filesize
945KB

MD5
c1182c589e6c93327b28c960b12ff2ae

SHA1
1f819a6f3105e439e8dc296612a79ef490dbdc40

SHA256
5ab1a14ddb618b370a16d48ab2a3253b06eb2c3ac3a5b031c09a234bb5c54e99

SHA512
d537f15b45c1708cfd258da6a7230616130289e71b08aa11ed06c598b4ce0139193cee220192438bcac78701d0881f9d0783d450916639977f1b702ea759b954

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\cncamajhgiohmbnconngedgiioiondkp\background.html

Filesize
145B

MD5
5c9398c482ca6b9f7df8cae55d95df5a

SHA1
626ce9caf909adbea7edcd0e6723bd5fa43a125a

SHA256
1f5976c4c69f73c71585ef8cb1e9a84219a253c628ea2147244ea456d1708953

SHA512
b5af409e98b4409154e6504149508ac98bc94b43a97416d67c258feeb8060335042b80e23e359415efb3c764391ddbc0bab74f007232f81dacb615a031016a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\cncamajhgiohmbnconngedgiioiondkp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\cncamajhgiohmbnconngedgiioiondkp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\cncamajhgiohmbnconngedgiioiondkp\manifest.json

Filesize
502B

MD5
130dc29dbcf068c398454b4110a440cd

SHA1
885530712bbcacce4523f29bc88251c771c5450e

SHA256
7fda7da73310c96d1dd09c35bd4159cd58d6725545a4b95929acf6b3dd30f476

SHA512
f9f238dd36b3f28fadbc1b8bfe505930a4fac1b8c428e363245e664f1722e1a1e041a308c3802ab9effd8752a0bb066de61b273b2de00daf9547f6f48b2a20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS170A.tmp\cncamajhgiohmbnconngedgiioiondkp\qtGzvB7P.js

Filesize
6KB

MD5
56f3ae6667bac0af225b8695c1399271

SHA1
bb413d8328ecc6abfb5a46c1f595f63095443c4d

SHA256
7f1ea09501177de35c9f40b8ded357926a3b473c7d9c3aab6fd830e2eb4761d6

SHA512
39149530b3e033c0b3e4aeae0e9ed9709e5b75a62840cad3d30a39d1981d4f8abc8721e959da1601d5122a2388918d0862cbf9905491ca7674e806202eda958a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS170A.tmp\YZVzB9CtyFwPjls.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit