5c001554378743d897dc2987a7a6f8eec46dc3cb43026bde45c9ec993d5abaf3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe
Size

2.2MB
MD5

7df71f3d8957f89a3d243ac8f8dd1650
SHA1

d72801262a9b7308f09c4bb4760c5a87369a006e
SHA256

5c001554378743d897dc2987a7a6f8eec46dc3cb43026bde45c9ec993d5abaf3
SHA512

e2a47be218e096dfdc07f038c0beeb39a39053c61dfae698f48314b45c3f7bef5cec01e44f7bbad1ef286a1ce81d1243eed6aae90a9c9652650cea17cece1b20
SSDEEP

24576:h1OYdaOAqU2Uzf5IilCfBJy5WS4DBXEZc78KU88Sshrczcz:h1Os2qBI5IilCfW6v0hr04

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2292	dKwKtTSrfEttQ0S.exe
2736	dKwKtTSrfEttQ0S.exe

Loads dropped DLL 4 IoCs

pid	Process
1848	7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe
2292	dKwKtTSrfEttQ0S.exe
2292	dKwKtTSrfEttQ0S.exe
2736	dKwKtTSrfEttQ0S.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML	dKwKtTSrfEttQ0S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\command\ = "Notepad.exe"	dKwKtTSrfEttQ0S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZKLYAY.tmp\\dKwKtTSrfEttQ0S.exe\" target \".\\\" bits downExt"	dKwKtTSrfEttQ0S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML\OpenWithProgids\__aHTML	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML\OpenWithProgids	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	dKwKtTSrfEttQ0S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\command	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML	dKwKtTSrfEttQ0S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.aHTML\ = "__aHTML"	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\__aHTML\shell\Edit\ddeexec	dKwKtTSrfEttQ0S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZKLYAY.tmp\\dKwKtTSrfEttQ0S.exe\" target \".\\\" bits downExt"	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell	dKwKtTSrfEttQ0S.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit	dKwKtTSrfEttQ0S.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2736	dKwKtTSrfEttQ0S.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	dKwKtTSrfEttQ0S.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2292	1848	7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe	28
PID 1848 wrote to memory of 2292	1848	7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe	28
PID 1848 wrote to memory of 2292	1848	7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe	28
PID 1848 wrote to memory of 2292	1848	7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2736	2292	dKwKtTSrfEttQ0S.exe	29
PID 2292 wrote to memory of 2736	2292	dKwKtTSrfEttQ0S.exe	29
PID 2292 wrote to memory of 2736	2292	dKwKtTSrfEttQ0S.exe	29
PID 2292 wrote to memory of 2736	2292	dKwKtTSrfEttQ0S.exe	29
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30
PID 2736 wrote to memory of 2692	2736	dKwKtTSrfEttQ0S.exe	30

C:\Users\Admin\AppData\Local\Temp\7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7df71f3d8957f89a3d243ac8f8dd1650_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\dKwKtTSrfEttQ0S.exe
  .\dKwKtTSrfEttQ0S.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\ZKLYAY.tmp\dKwKtTSrfEttQ0S.exe
    "C:\Users\Admin\AppData\Local\Temp\ZKLYAY.tmp\dKwKtTSrfEttQ0S.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\VQW4VHX8vgcybg.x64.dll"
      4⤵
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
27173739547c05aa7e7eddd8d0acdb6d

SHA1
7c0701e0c4d42e5546a9c1b6ff60ac54f45d3929

SHA256
d52ce9e2acbcbb218913c0705da84f9432fd94a0080cdda6463421cc5e41d116

SHA512
f260424bb2bed23f9d83ae045df6b4e6dbdbcbb5e408b4e6b5816f11d0d488d9f329f1307e710fe6cda300827cd6d550f903508fac2d85d9bcdff683f9a94fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
bdb2338b5edb7129a4ae8fc692148300

SHA1
2db302ab38ed840fff622f662cbb1471ef12c1cd

SHA256
0e43c54785f9c91dcf52b40825dc4d7d252efc82e6bdf23f31b36dc10ff1724b

SHA512
1807a36d38690892996454e8f632820090d4aad69fbfa1623da2c6cea5ab0dbc3f06dc00e9364556516903bf2bcf2612f17aaadbe4a36d153ae0080af46434a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\[email protected]\install.rdf

Filesize
602B

MD5
c03a0b4964f1e70a9ae0634a6e5e993d

SHA1
4bbd2a030ee3df5c6fa4bbf2d58d0251ccb76ddb

SHA256
efa245b2404e3c92c35dea0aeda6e70dd02002aaafbbb9c6216b746d4448c2cb

SHA512
1bd806704d4237c5b8abb9b09024163e58125c9198bacdef68722a348aa571176d0d9e463464481b756a1be357cca6c126cef288256b0445e28fcbf9db62b7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\VQW4VHX8vgcybg.dll

Filesize
863KB

MD5
42206e949a5de9ec248f6ddff55ac0be

SHA1
146671b079b8b632bb9cfefb895185162ac666ec

SHA256
a580921326eb9e12e8cae6c719acc0bf73b0f249011c4912eaaa70d5af4268ca

SHA512
4d3fbe5dadfb783afab397f20c44b55e27e7032fafc814156a381811bd1cfb4982d331761b9126da7ebce6477078a489c0409ce7d185395a3af7c03c04a01e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\VQW4VHX8vgcybg.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\VQW4VHX8vgcybg.x64.dll

Filesize
945KB

MD5
950e3acba2d6e927cd2339255f77d2fa

SHA1
d0d85125177de0a84acf4fca2f46694f6eeddba4

SHA256
befc43d6a2bdb78dc1f05c20e08c0e78550ab4467ea6d28466f88a4a1d2360e4

SHA512
3a5eed411f2e4956ef4e69b40ba576ed924cb6aff19f039809622885950c37317f68c46aa4cf041abddfa92b2b8c0f958bc54d0bb04a510bd7152f800c4e293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\ajooejafbpnhhhjlmmdkdhinbbakokcd\V81ku5y.js

Filesize
6KB

MD5
079f9c4c80faa9f115365b1a2339cc6c

SHA1
50f515802880d81e5668f2b21a8b613657179ffa

SHA256
4158369ffd87161d231b2be010b3940092b5d12007cbfef34462b1ebba387c0d

SHA512
1d7f2a463729f49338ff9f3e97c856fe2bdfaf0289154ab238c29ed1af2dd2e2c94d281037f0c68db8158019cdef04bb241fc602530d1d9961067b0dc582159b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\ajooejafbpnhhhjlmmdkdhinbbakokcd\background.html

Filesize
144B

MD5
3664f213200513969bbd8130dd12f26b

SHA1
addb949c333d87a7c240c62285df253c2f72043c

SHA256
26ef83d93cd669b35de50037b5f3254b10756cf094fed72c962eb391b7daf3c4

SHA512
0fb72ee0127b4bd7cc132faf35acd81df2f47f88839d0c2945fc46794b62e93ef0bfc6cab8d784faac8429f6994327e2296ec2084f236f253007620e824acc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\ajooejafbpnhhhjlmmdkdhinbbakokcd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\ajooejafbpnhhhjlmmdkdhinbbakokcd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\ajooejafbpnhhhjlmmdkdhinbbakokcd\manifest.json

Filesize
502B

MD5
97fa04dcc570b6b088903c23b014ba7b

SHA1
c314962e02123abf115981bdcf57ca89c809bc0d

SHA256
7b1d2b96abb3843e55c193785bc92a09a2295cd38de03a1aba6d5efff2aad6bd

SHA512
beee118b44e3fe40d61f0c7693a864ac702475829a98c8f222f0a05c7f5cfcc819f6da199a7c41d7c19e2b0436c8b11bd8f29d01fec213cf54ea7f4124c7e416

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\dKwKtTSrfEttQ0S.dat

Filesize
15KB

MD5
e8ab4166c4467891a708a0a5e7b9a436

SHA1
1a1bb57ff45993e5ff27534ce0dd6b6aca0df496

SHA256
bb95ffd35f86ce345240eb9b1295ec2cb59e692ffa461d520e3f7bb78bcaa1ce

SHA512
87c1e584c361ab66913039e804989a5a39184a96da10a48470797d102b047bbbe970a1cf9ef3535714f49b0cd2b5739c0dce5b390ca2cb714d0dd4e37527e4cf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS197A.tmp\dKwKtTSrfEttQ0S.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit