ee59e629a89a818dc0c0d9e4ecf4ce0e54db4f300e9b61853d16a01ffd3dafd4

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe
Size

78KB
MD5

94b432388eb811c034b91b0a0f699377
SHA1

b0e7abe89e2d44d83332e57cd41c413c426f9199
SHA256

ee59e629a89a818dc0c0d9e4ecf4ce0e54db4f300e9b61853d16a01ffd3dafd4
SHA512

f1bb96ce016abdc7c6b6ab2be06bcd3fed193ca5cf150ba5af2099f1e339aca73295503030f55341ffc248f41dc50b66a7b599a94dabf692ab1b49a342198702
SSDEEP

1536:lfsV14ogH9rbK1DowtXN5U3FjAXScUC30SWEk4JgTqkKk6YqwFYtitK2TZ:lkIbdK1DokN5U3FjtQ0SWyJgT5D6wK2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 14 IoCs

pid	Process
2652	winIogon.exe
2580	winIogon.exe
2336	Isass.exe
2300	Isass.exe
1660	winamp.exe
1644	winamp.exe
2028	firewall.exe
2488	firewall.exe
808	winIogon.exe
1412	winIogon.exe
1152	firewall.exe
1992	firewall.exe
2968	csrs.exe
788	csrs.exe

Loads dropped DLL 15 IoCs

pid	Process
2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe
2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe
2652	winIogon.exe
2580	winIogon.exe
2580	winIogon.exe
2300	Isass.exe
2300	Isass.exe
1644	winamp.exe
1644	winamp.exe
2488	firewall.exe
2488	firewall.exe
1412	winIogon.exe
1412	winIogon.exe
1992	firewall.exe
1992	firewall.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File created	C:\Windows\SysWOW64\oijg.bat	firewall.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	winIogon.exe
File opened for modification	C:\Windows\SysWOW64\winIogon.exe	firewall.exe
File created	C:\Windows\SysWOW64\csrs.exe	firewall.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	firewall.exe
File created	C:\Windows\SysWOW64\loyf.bat	winIogon.exe
File created	C:\Windows\SysWOW64\Isass.exe	winIogon.exe
File created	C:\Windows\SysWOW64\vcwqme.bat	Isass.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	winamp.exe
File created	C:\Windows\SysWOW64\fmnzkhj.bat	winamp.exe
File created	C:\Windows\SysWOW64\firewall.exe	winIogon.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	winIogon.exe
File created	C:\Windows\SysWOW64\dzmmfgh.bat	winIogon.exe
File created	C:\Windows\SysWOW64\winIogon.exe	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File created	C:\Windows\SysWOW64\firewall.exe	winamp.exe
File created	C:\Windows\SysWOW64\winIogon.exe	firewall.exe
File created	C:\Windows\SysWOW64\mjpbmi.bat	firewall.exe
File opened for modification	C:\Windows\SysWOW64\winIogon.exe	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2652 set thread context of 2580	2652	winIogon.exe	32
PID 2336 set thread context of 2300	2336	Isass.exe	36
PID 1660 set thread context of 1644	1660	winamp.exe	40
PID 2028 set thread context of 2488	2028	firewall.exe	44
PID 808 set thread context of 1412	808	winIogon.exe	48
PID 1152 set thread context of 1992	1152	firewall.exe	52
PID 2968 set thread context of 788	2968	csrs.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2728	2856	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2676	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	29
PID 2728 wrote to memory of 2676	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	29
PID 2728 wrote to memory of 2676	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	29
PID 2728 wrote to memory of 2676	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	29
PID 2728 wrote to memory of 2652	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2652	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2652	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2652	2728	94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2652 wrote to memory of 2580	2652	winIogon.exe	32
PID 2580 wrote to memory of 2468	2580	winIogon.exe	33
PID 2580 wrote to memory of 2468	2580	winIogon.exe	33
PID 2580 wrote to memory of 2468	2580	winIogon.exe	33
PID 2580 wrote to memory of 2468	2580	winIogon.exe	33
PID 2580 wrote to memory of 2336	2580	winIogon.exe	35
PID 2580 wrote to memory of 2336	2580	winIogon.exe	35
PID 2580 wrote to memory of 2336	2580	winIogon.exe	35
PID 2580 wrote to memory of 2336	2580	winIogon.exe	35
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2336 wrote to memory of 2300	2336	Isass.exe	36
PID 2300 wrote to memory of 1460	2300	Isass.exe	37
PID 2300 wrote to memory of 1460	2300	Isass.exe	37
PID 2300 wrote to memory of 1460	2300	Isass.exe	37
PID 2300 wrote to memory of 1460	2300	Isass.exe	37
PID 2300 wrote to memory of 1660	2300	Isass.exe	38
PID 2300 wrote to memory of 1660	2300	Isass.exe	38
PID 2300 wrote to memory of 1660	2300	Isass.exe	38
PID 2300 wrote to memory of 1660	2300	Isass.exe	38
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1660 wrote to memory of 1644	1660	winamp.exe	40
PID 1644 wrote to memory of 1240	1644	winamp.exe	41
PID 1644 wrote to memory of 1240	1644	winamp.exe	41
PID 1644 wrote to memory of 1240	1644	winamp.exe	41
PID 1644 wrote to memory of 1240	1644	winamp.exe	41
PID 1644 wrote to memory of 2028	1644	winamp.exe	43
PID 1644 wrote to memory of 2028	1644	winamp.exe	43
PID 1644 wrote to memory of 2028	1644	winamp.exe	43
PID 1644 wrote to memory of 2028	1644	winamp.exe	43

C:\Users\Admin\AppData\Local\Temp\94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\94b432388eb811c034b91b0a0f699377_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ijqy.bat" "
    3⤵
    - Deletes itself
    PID:2676
- - C:\Windows\SysWOW64\winIogon.exe
    C:\Windows\system32\winIogon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\winIogon.exe
      "C:\Windows\SysWOW64\winIogon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\loyf.bat" "
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\Isass.exe
        
        C:\Windows\system32\Isass.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Isass.exe
        
        "C:\Windows\SysWOW64\Isass.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\vcwqme.bat" "
        7⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\winamp.exe
        
        "C:\Windows\SysWOW64\winamp.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\fmnzkhj.bat" "
        9⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\firewall.exe
        
        C:\Windows\system32\firewall.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Windows\SysWOW64\firewall.exe
        
        "C:\Windows\SysWOW64\firewall.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\oijg.bat" "
        11⤵
        
        PID:684
        
        C:\Windows\SysWOW64\winIogon.exe
        
        C:\Windows\system32\winIogon.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:808
        
        C:\Windows\SysWOW64\winIogon.exe
        
        "C:\Windows\SysWOW64\winIogon.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\dzmmfgh.bat" "
        13⤵
        
        PID:444
        
        C:\Windows\SysWOW64\firewall.exe
        
        C:\Windows\system32\firewall.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1152
        
        C:\Windows\SysWOW64\firewall.exe
        
        "C:\Windows\SysWOW64\firewall.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\mjpbmi.bat" "
        15⤵
        
        PID:960
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2968
        
        C:\Windows\SysWOW64\csrs.exe
        
        "C:\Windows\SysWOW64\csrs.exe"
        16⤵
        Executes dropped EXE
        
        PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ijqy.bat

Filesize
240B

MD5
507a49e440db1cde503e3f153cdd0256

SHA1
eb5371ad8c316bb5a95c05a5b1f5ccdf1ba036bf

SHA256
d421c20753c08f1482e5c90004dc682424a7f24500868f880fa513a494ea50aa

SHA512
96be7dcf8d5006dbe3c9d7539fcada7901e9c5e0adae385053a5302295ba11a925f319bf5311c6bf028e7754bffe4319607869d053167349c6414ac10b39aeb1

Download Submit
C:\Windows\SysWOW64\dzmmfgh.bat

Filesize
129B

MD5
2559aebc4250943808bc0a16906437f7

SHA1
afe9b600c17fda3426f843bd410e53182fb6c6e4

SHA256
1329c5fc0146f830c29dc261e4f7ce14a7dbd1118c885c1a1c483ae1f452d264

SHA512
651c2fa89fc062fbef8ebdd1126d8b5de64465ac3b9da6dbb8468fa1966fe35c5e55cec2fee73ebbdc88e761d21126a48fb0010443add0ef7ef0def4d614e09b

Download Submit
C:\Windows\SysWOW64\fmnzkhj.bat

Filesize
123B

MD5
d80e2232a970986315732ac35ec622af

SHA1
a58f43692342e7b462af09b923c5486dd59ed0a1

SHA256
7c08718b70e23ed8652335ba385273a087aa68e1995550b11b9b4056276b957e

SHA512
72ee2aa389ec6b9b5a35fb9d9df0c444fa4310c80d1dc5e4742a68efae9591b15911cdd000eb92aacc8f2c7a588872b03b2861ae32cd89eda6983bf7fb5f63bb

Download Submit
C:\Windows\SysWOW64\loyf.bat

Filesize
126B

MD5
d9f47146582ab60ccf8f9e2eb9059fe0

SHA1
30979368c9498b6404582035b6b989516dd084de

SHA256
0d17800eece026a2eb09c0e5f7c0fe132b20ef6daa231bf5a00e97e37971fe83

SHA512
0265cfd499f7d600c472f3766399ebec5ff174bf6ea681ce1d2183c4aa8e41b4941483f551f3620aeb230746554450ce50db0239e9985d716b08a1d384e1f6a8

Download Submit
C:\Windows\SysWOW64\mjpbmi.bat

Filesize
128B

MD5
f194a77d0aeabf8945a7d2c9bfc4897c

SHA1
d4b7bd079f957c89fed5ac7580dcceaa20c599e1

SHA256
f7d4fc13729f4dcf4ebc18142ea0fd1bd7c39ee3ec31a312d9976aac25b0341c

SHA512
71c453775edde80348e5f35e918547ba9a6122a59bff26c3fdc59a914b975b9b84ff98d4c41aad2797e721a154b2e5d878166dce5cd93505928e31bfd4869bd3

Download Submit
C:\Windows\SysWOW64\oijg.bat

Filesize
126B

MD5
fe28c0a90ac2b85206476149ba8acdc8

SHA1
7774d477cee5a53842f503e527ed1fe4cf5d8189

SHA256
98f8e9e88b62ef0ccf7e6f7bfd6c9fdafd7404117917527e9e7634158ef1999f

SHA512
be0dfc08de4140fe8983a21f604bde3f0bf767c26670d80603ae414b8e6e875d12a269888664cece9ee8853b98069b7b4e2768a05a6c1230c21295ba7ecc1b80

Download Submit
C:\Windows\SysWOW64\vcwqme.bat

Filesize
119B

MD5
a23b5e56900ebbf0395c779eb2a150f7

SHA1
71e51e5fffe57e6349c7b437851ef1db37d69999

SHA256
49ba34b61090334a50f01b8a1c63ce1d1b4da3413a9104109036f99cd81151aa

SHA512
656de4d1b02b41cf29f9c3577c1ce285fb40b16a16b9ae4c6d80c9903d44374d60cffee7aac2f38490620547bf69fa9735551ff419051cd4abf8cdbc547da386

Download Submit
\Windows\SysWOW64\winIogon.exe

Filesize
78KB

MD5
94b432388eb811c034b91b0a0f699377

SHA1
b0e7abe89e2d44d83332e57cd41c413c426f9199

SHA256
ee59e629a89a818dc0c0d9e4ecf4ce0e54db4f300e9b61853d16a01ffd3dafd4

SHA512
f1bb96ce016abdc7c6b6ab2be06bcd3fed193ca5cf150ba5af2099f1e339aca73295503030f55341ffc248f41dc50b66a7b599a94dabf692ab1b49a342198702

Download Submit
memory/788-261-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1412-209-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1644-139-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-244-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-105-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2488-174-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download