bd067b235878c5486890effd5884bd7bdcad707edb739808b3edea035bb46b82

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe
Size

645KB
MD5

90859d71e4b7902acbae03eed05c1eab
SHA1

c1b4e1a186e140dcaef268dc9dc8512b033326c9
SHA256

bd067b235878c5486890effd5884bd7bdcad707edb739808b3edea035bb46b82
SHA512

d37ca711a8a5bc6ade748facc9079dd6ca135c67e1c4d4b942819bffd85a721cb2197aba05b0a42758d9fcc210eb721317e895ce5a773c8876aa093c95867898
SSDEEP

12288:Y1UHYSrQQ/eTuy6bjjl2xSwiue0CCkiHX:Y18rQQEuy6bjjl2xS4e0bke

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2832-179-0x0000000004000000-0x00000000042FD000-memory.dmp	upx

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	193.0.14.129
Destination IP	202.12.27.33
Destination IP	128.8.10.90
Destination IP	198.41.0.4
Destination IP	192.33.4.12
Destination IP	128.8.10.90
Destination IP	192.33.4.12
Destination IP	192.5.5.241
Destination IP	192.33.4.12
Destination IP	193.0.14.129
Destination IP	192.36.148.17

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\gaszilanfofg = "C:\\Users\\Admin\\gaszilanfofg.exe"	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 2832 set thread context of 2256	2832	svchost.exe	31
PID 2832 set thread context of 1104	2832	svchost.exe	32
PID 2832 set thread context of 2148	2832	svchost.exe	33
PID 2832 set thread context of 2156	2832	svchost.exe	34

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe
2256	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 1280 wrote to memory of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 1280 wrote to memory of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 1280 wrote to memory of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 1280 wrote to memory of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 1280 wrote to memory of 2832	1280	90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe	30
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 2256	2832	svchost.exe	31
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 1104	2832	svchost.exe	32
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2148	2832	svchost.exe	33
PID 2832 wrote to memory of 2156	2832	svchost.exe	34
PID 2832 wrote to memory of 2156	2832	svchost.exe	34
PID 2832 wrote to memory of 2156	2832	svchost.exe	34
PID 2832 wrote to memory of 2156	2832	svchost.exe	34
PID 2832 wrote to memory of 2156	2832	svchost.exe	34
PID 2832 wrote to memory of 2156	2832	svchost.exe	34
PID 2832 wrote to memory of 2156	2832	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90859d71e4b7902acbae03eed05c1eab_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Adds Run key to start application
    PID:1104
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Adds Run key to start application
    PID:2148
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Adds Run key to start application
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\c5d8393293ce2ba62f117b2c2d55bc3e_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

Filesize
1KB

MD5
f8fa9b2663fd1d99c430b33713c61f60

SHA1
448d56b79a38d5e508d735c883cdf553ffa822ce

SHA256
e2588fd3374d5861cac48d1d67cfe0ddbee5b28635db77c151d7006352874dba

SHA512
ca2bc97668f5e61f21acc5b430a731e795608170307d3401107fe3c088c7e3d359d1bbe06e3485c465f0198476fc77a795fbbca5e55592e3bf6f5257dd0c1568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\c5d8393293ce2ba62f117b2c2d55bc3e_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

Filesize
1KB

MD5
5a181bba3699fdc675b56225e76371fe

SHA1
5278e4a7bf4f5c55ed9c77427a1b22713a6858a8

SHA256
239a22b7bbdb09d03912c0c570af3e0f92e9d2d01389d200947e1624e63fa1a8

SHA512
457ae0a083b9fd1a5d15f329e20f560ada5cbbcbfbc87d53290af41a78103a8e77cc24aba8e2d153daf13fdb025ab6ca5f9c12e93274787876a88a6e07d9b9b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\c5d8393293ce2ba62f117b2c2d55bc3e_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2

Filesize
62B

MD5
60806f4f110a6f85831390dafbb98385

SHA1
9e27b0bad5f13310a1db8a0c155b3ad7c6b6e446

SHA256
219d1a0d4109122414a4ef1b17d392652e94e7492b490ec6ff33ef553d125a4d

SHA512
b56bf9de49451eded9debd004a8fd187e6af54a87ef8a1647b6d2f169fc8ef45fd5c6b118f46a4f587bb7f05a170d10cef80211a22d90612a7b6792d7494b6f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\15I7BIZ5.txt

Filesize
219B

MD5
66be4b2d4b5c4f75d0c9067d479e3545

SHA1
ff9a7fdb1777e115d9998d5bcd45da7bcaef84dc

SHA256
11b6c44752b3a21146b89fbe6fa769b916839b31da200043b8d80926a098e539

SHA512
51b7173fe96b09a76eb8003707177fe30084e4b657e0b1495d50eada0aa5bd7d2214b94f9d73440aed16d528e195bbe0ec312b473c689a56f87e47c49aa25cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\42WT4POZ.txt

Filesize
213B

MD5
3ae170b22ae912cae422e8d378c2a412

SHA1
85523e5fda34d730da7eab557374dc244f0cb1fc

SHA256
4d5f283d96c872aa51b6033cfaf3aeaa9ba4a71a99f0cd82cf010e2fc5840a0b

SHA512
acfb1f6417ab3d6b06511d47f8631a1fe7292dd0052dd17b27b67e0d67d01789ca7ef6db2cd25ad1744d5019b1703f8c4861289d3dcac094aac69f5058bae864

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4XXS2J4Z.txt

Filesize
219B

MD5
c8ad1a95c559e9b22d26f37a18b95543

SHA1
1aa58685774e82056dc6016459e319a6e9f52954

SHA256
392fe3dffd78eb984d1373170305b33d633f20c5f8daa216966e5810f9116b87

SHA512
bf9fafed00fd057f5a8f3880935c5730b2e805e749410f25e487de915363ea5a72e36f199f67d5249778a776ed48e5189a67e8b45b56415a46813ec9dd4eea53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9ALL0N5E.txt

Filesize
218B

MD5
ec4a1ece57e51ad2caf5c55319221262

SHA1
726a9f6f22067bc1bae9130833b16f3909e0757b

SHA256
977f9694dffce9a2e2893f87f5d5dca6e8f13e52f430365d4e0e12c29838b407

SHA512
c96e9aad79a1985a95e649ab5a45fe020914b1140a6c004f5a6dc9e8e5696730de8b89ec0aba94a99d55ab438eb8cf1c983e5566487f1ddcb56768637430101f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I8NXDX31.txt

Filesize
218B

MD5
22fc3c1636edc96ccb4de58a8808deb1

SHA1
627b14f6c77f63158df06e20ecbc5049b0249b61

SHA256
f6793dda3c718e40569561e44a0f4ed299f287144df015e1f7e574cd7f59e3c3

SHA512
4c859c019bee8d26b04fb337dbf3b7e14a2bfcf0bd772e33bf51092f09c782e57d9888f58aaa0a50c8f164655cb85889b686a2a351675d3268d68a5930bf4bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NC26A4SL.txt

Filesize
113B

MD5
1d5b4f3c4a3b689922c39c10985a3c64

SHA1
06d06e9b208f69ab010997f79a260c1dcadb664c

SHA256
a2e100fb4f396f4126aa197f7edde54a0a259eaf142491d48c34dbb858366d0f

SHA512
355617e655c6bef3556694f02d1b6530cbd5cb0a0f7ff64f49d2dec427e58e568466003ff4ef92cc318b550202184c3637d17a572cc7992dd6c451d5b00bc714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\STYSA756.txt

Filesize
112B

MD5
9d2a8558ce18c0b0eb460d9900a2d224

SHA1
5d6bc3ba52dd8e604fc287923f5e8ab387b67988

SHA256
8b761888a974ea5f06cb871848add6a89e5a44ada61a16f9575e696dd07de6e4

SHA512
d7f3b0c020cd1cf5038c614f8dd23fc30607bea8c9cae7f0f295eae76d36feb418f74ca857a9f75a16cf2953e5964333197db31c5557e143c1e168552ce4345e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WDB28EJC.txt

Filesize
137B

MD5
2559bbb3434ed1841703fd0eed4b1600

SHA1
25c6a4deba7f11d9091a3c26e95ec4fef3925717

SHA256
dcaab9656059494fbca025df192ea6e7f04ad1cfcf7816c774a995e6b877280a

SHA512
9be9c25ae70f8ab1d3636708e31638977c190549e29d264dea39685774eedf21b9f2444afa332aa717996e210823af01e5b2773881645da157b12952c60c675f

Download Submit
memory/1104-360-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1104-215-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1104-286-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1104-185-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1104-211-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1104-192-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1104-212-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1280-310-0x0000000000430000-0x00000000004E8000-memory.dmp

Filesize
736KB

Download
memory/1280-0-0x0000000000430000-0x00000000004E8000-memory.dmp

Filesize
736KB

Download
memory/1280-3-0x0000000000430000-0x00000000004E8000-memory.dmp

Filesize
736KB

Download
memory/1280-2-0x0000000000461000-0x0000000000464000-memory.dmp

Filesize
12KB

Download
memory/1280-4-0x0000000000430000-0x00000000004E8000-memory.dmp

Filesize
736KB

Download
memory/2256-174-0x0000000013140000-0x000000001472F000-memory.dmp

Filesize
21.9MB

Download
memory/2256-186-0x0000000013140000-0x000000001472F000-memory.dmp

Filesize
21.9MB

Download
memory/2256-180-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2256-178-0x0000000013140000-0x000000001472F000-memory.dmp

Filesize
21.9MB

Download
memory/2256-287-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2256-240-0x0000000013140000-0x000000001472F000-memory.dmp

Filesize
21.9MB

Download
memory/2256-189-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2256-182-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2256-345-0x0000000013140000-0x000000001472F000-memory.dmp

Filesize
21.9MB

Download
memory/2832-172-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2832-169-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2832-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-175-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2832-179-0x0000000004000000-0x00000000042FD000-memory.dmp

Filesize
3.0MB

Download