23715a39b7bf75785f3bc0521cfab6e427cb396486b0a1cedd4c9022abab1f3c

Analysis

max time kernel
132s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe
Size

582KB
MD5

852ca9b65bd1aef967f8513890f00a24
SHA1

ff25d0828624c70363e5d7b00fc8ab037986f6d4
SHA256

23715a39b7bf75785f3bc0521cfab6e427cb396486b0a1cedd4c9022abab1f3c
SHA512

06f3f3258cc6b026a27b56420c5e2d2f7e76a57bfe69aefdea27738291f8aecdef607492ddd4ec859027ed8a2e88bac057358abfb9a26a2a81db8f0707b16f0e
SSDEEP

12288:PlLTBqYuWFcov/H1VQLUXmORdju4RERZMH0c:PlL1qYuWWWoammdjbSPc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe
1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	setup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe
2032	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	setup.exe
2032	setup.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2032	1936	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2928	2032	setup.exe	32
PID 2032 wrote to memory of 2928	2032	setup.exe	32
PID 2032 wrote to memory of 2928	2032	setup.exe	32
PID 2032 wrote to memory of 2928	2032	setup.exe	32
PID 2928 wrote to memory of 1536	2928	cmd.exe	34
PID 2928 wrote to memory of 1536	2928	cmd.exe	34
PID 2928 wrote to memory of 1536	2928	cmd.exe	34
PID 2928 wrote to memory of 1536	2928	cmd.exe	34
PID 2032 wrote to memory of 296	2032	setup.exe	36
PID 2032 wrote to memory of 296	2032	setup.exe	36
PID 2032 wrote to memory of 296	2032	setup.exe	36
PID 2032 wrote to memory of 296	2032	setup.exe	36
PID 296 wrote to memory of 540	296	cmd.exe	38
PID 296 wrote to memory of 540	296	cmd.exe	38
PID 296 wrote to memory of 540	296	cmd.exe	38
PID 296 wrote to memory of 540	296	cmd.exe	38
PID 2032 wrote to memory of 1540	2032	setup.exe	39
PID 2032 wrote to memory of 1540	2032	setup.exe	39
PID 2032 wrote to memory of 1540	2032	setup.exe	39
PID 2032 wrote to memory of 1540	2032	setup.exe	39
PID 1540 wrote to memory of 1340	1540	cmd.exe	41
PID 1540 wrote to memory of 1340	1540	cmd.exe	41
PID 1540 wrote to memory of 1340	1540	cmd.exe	41
PID 1540 wrote to memory of 1340	1540	cmd.exe	41
PID 2032 wrote to memory of 1056	2032	setup.exe	43
PID 2032 wrote to memory of 1056	2032	setup.exe	43
PID 2032 wrote to memory of 1056	2032	setup.exe	43
PID 2032 wrote to memory of 1056	2032	setup.exe	43
PID 1056 wrote to memory of 1884	1056	cmd.exe	45
PID 1056 wrote to memory of 1884	1056	cmd.exe	45
PID 1056 wrote to memory of 1884	1056	cmd.exe	45
PID 1056 wrote to memory of 1884	1056	cmd.exe	45
PID 2032 wrote to memory of 1856	2032	setup.exe	46
PID 2032 wrote to memory of 1856	2032	setup.exe	46
PID 2032 wrote to memory of 1856	2032	setup.exe	46
PID 2032 wrote to memory of 1856	2032	setup.exe	46
PID 1856 wrote to memory of 348	1856	cmd.exe	48
PID 1856 wrote to memory of 348	1856	cmd.exe	48
PID 1856 wrote to memory of 348	1856	cmd.exe	48
PID 1856 wrote to memory of 348	1856	cmd.exe	48
PID 2032 wrote to memory of 300	2032	setup.exe	49
PID 2032 wrote to memory of 300	2032	setup.exe	49
PID 2032 wrote to memory of 300	2032	setup.exe	49
PID 2032 wrote to memory of 300	2032	setup.exe	49
PID 300 wrote to memory of 1400	300	cmd.exe	51
PID 300 wrote to memory of 1400	300	cmd.exe	51
PID 300 wrote to memory of 1400	300	cmd.exe	51
PID 300 wrote to memory of 1400	300	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\nst1F65.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nst1F65.tmp\setup.exe" /S
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=1936 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=1936 get Commandline
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=1064 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:296
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=1064 get Commandline
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=1028 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=1028 get Commandline
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=1936 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=1936 get Commandline
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=1064 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=1064 get Commandline
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=1028 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=1028 get Commandline
      4⤵
      PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst1F65.tmp\D1958.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nst1F65.tmp\setup.exe

Filesize
529KB

MD5
3de775d4bc8dca7b407a6a077dee2d5f

SHA1
f4de188f7b52e68cb5f47fe542ad195d242c5bdd

SHA256
b70c82103d2cc7d72747846bde741f1810e0daf6f618ebf265dd02ebbf54d9e7

SHA512
7324d58f78a710ff5c35831b78ed106c8a4a8598f3dfb19271aa1f3232397529b4f077d042c5d5a0e513a89a34c2c4839eb6c652df654e66399c82003a6b7494

Download Submit