9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
Size

748KB
MD5

964be19e477b57d85aceb7648e2c105d
SHA1

6c8ab56853218f28ac11c16b050ad589ea14bafe
SHA256

9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d
SHA512

60379f9bf7f4e59f81f95898d1b0c10ea82abd306dbdf4dfef921e873bf4c3d2c4914d498efa16d60c52171a1802099c3c61289a12c64f13ea9457cd807ce4ca
SSDEEP

12288:0EI6h2sJXCB1joFX4HcTHQPviK5qXOlL29huNghWdLzqCTz0MDNhmku02k//m1:0EPXCzoXPQR5qXfDsghWxnTz0eNhFn2c

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\SystemFile"	wserver.exe

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	wserver.exe

Loads dropped DLL 4 IoCs

pid	Process
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemFile.dll	wserver.exe
File opened for modification	C:\Windows\SystemFile.dll	wserver.exe
File created	C:\Windows\SystemFile	wserver.exe
File opened for modification	C:\Windows\SystemFile	wserver.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\wserver.exe"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\mscfile\shell\open\command	rundll32.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2728	PING.EXE
1816	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2896	wserver.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
2572	svchost.exe
2600	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	wserver.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2600	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
2072	rundll32.exe
2072	rundll32.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	28
PID 2072 wrote to memory of 3052	2072	rundll32.exe	29
PID 2072 wrote to memory of 3052	2072	rundll32.exe	29
PID 2072 wrote to memory of 3052	2072	rundll32.exe	29
PID 2072 wrote to memory of 3052	2072	rundll32.exe	29
PID 3052 wrote to memory of 2740	3052	cmd.exe	32
PID 3052 wrote to memory of 2740	3052	cmd.exe	32
PID 3052 wrote to memory of 2740	3052	cmd.exe	32
PID 2740 wrote to memory of 2756	2740	cmd.exe	33
PID 2740 wrote to memory of 2756	2740	cmd.exe	33
PID 2740 wrote to memory of 2756	2740	cmd.exe	33
PID 2756 wrote to memory of 2664	2756	CompMgmtLauncher.exe	34
PID 2756 wrote to memory of 2664	2756	CompMgmtLauncher.exe	34
PID 2756 wrote to memory of 2664	2756	CompMgmtLauncher.exe	34
PID 2664 wrote to memory of 2896	2664	cmd.exe	36
PID 2664 wrote to memory of 2896	2664	cmd.exe	36
PID 2664 wrote to memory of 2896	2664	cmd.exe	36
PID 2664 wrote to memory of 2896	2664	cmd.exe	36
PID 2896 wrote to memory of 2584	2896	wserver.exe	38
PID 2896 wrote to memory of 2584	2896	wserver.exe	38
PID 2896 wrote to memory of 2584	2896	wserver.exe	38
PID 2896 wrote to memory of 2584	2896	wserver.exe	38
PID 2584 wrote to memory of 2728	2584	cmd.exe	39
PID 2584 wrote to memory of 2728	2584	cmd.exe	39
PID 2584 wrote to memory of 2728	2584	cmd.exe	39
PID 2584 wrote to memory of 2728	2584	cmd.exe	39
PID 2572 wrote to memory of 2812	2572	svchost.exe	40
PID 2572 wrote to memory of 2812	2572	svchost.exe	40
PID 2572 wrote to memory of 2812	2572	svchost.exe	40
PID 2572 wrote to memory of 2812	2572	svchost.exe	40
PID 2572 wrote to memory of 2812	2572	svchost.exe	40
PID 2600 wrote to memory of 2260	2600	svchost.exe	42
PID 2600 wrote to memory of 2260	2600	svchost.exe	42
PID 2600 wrote to memory of 2260	2600	svchost.exe	42
PID 2600 wrote to memory of 2260	2600	svchost.exe	42
PID 2600 wrote to memory of 2260	2600	svchost.exe	42
PID 1728 wrote to memory of 2876	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2876	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2876	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2876	1728	964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe	43
PID 2876 wrote to memory of 1816	2876	cmd.exe	45
PID 2876 wrote to memory of 1816	2876	cmd.exe	45
PID 2876 wrote to memory of 1816	2876	cmd.exe	45
PID 2876 wrote to memory of 1816	2876	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\NetWork\dat.dll" IncrementPageCount [303]
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\CompMgmtLauncher.exe
        
        C:\Windows\system32\CompMgmtLauncher.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wserver.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\wserver.exe
        
        C:\Users\Admin\AppData\Local\Temp\wserver.exe
        7⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\writeservice.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        9⤵
        Runs ping.exe
        
        PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1816

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:2408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe Nwsapagent 2572
  2⤵
  PID:2812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe Nwsapagent 2600
  2⤵
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NetWork\dat.dll

Filesize
212KB

MD5
fff3c03e6c455eaba70ec816a4439b95

SHA1
e102a2ff536d2df93ec9c507e52c04bba773b550

SHA256
9969fc3043ed2917b76b6dbae36bd2e0846b90e9d93df4fc4f490fdf153da435

SHA512
c07edbc760e769dc0dc6adcd83f2b9b7fa3e845286f19dfbfe8bb8df56bbdbc8b4e5f0e794834d3ecfcf37ea7de8011f86d9153dfec6603f2fa4fc0d5c1414d9

Download Submit
C:\ProgramData\NetWork\key.dat

Filesize
261KB

MD5
ae755e20cd3a6f2721096736c5c3aed5

SHA1
53ab54c2c3ea3d6921fa2bf5fde69255dc41fbed

SHA256
1687af091d38108eeed634c0539b9639c6128aed9588a370f51a957bee534f39

SHA512
73b68961457b2525a4703ea8486f37d4beabdb4f85c65971cfa953e0a3dd36724811a12a933b291b34f11a5d8b4cb11d4af3747e2506c345ab81bcae3fb8f810

Download Submit
C:\ProgramData\resmon.res

Filesize
2KB

MD5
12547deaeccf3c2089669889787a3fe8

SHA1
7ad71ad103d41f596c934c8b7be39561a9f908d9

SHA256
e935dd62556538f08b020d5b2246702f08fd08880a99704466b9a852c23d073a

SHA512
a0c416efe352fc704491ea2d82334155b1b79449857baf72edfb8e7a36730b571c17e38f4ac9815a413b2add2dcdcc58ebfe9aa0df51cc18b28c07b93e1f2f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
299B

MD5
13aaf8bf3813fac2b81c80abf3302911

SHA1
fd8f5360af4ca87da0f09558b9c09b04adcf6141

SHA256
5ec581b64d2091415e6e3a6e0bb846e634a7f83918a965ef129dfb97bf210e9f

SHA512
dab8bd87a22cb4397c0196d05a97783fc7b442faa5d485dbdce0d02f6496a2f3e1147897019f5cfc185f8c0a413a667508ddc6cc02863c65800bf3a201ab6e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\writeservice.bat

Filesize
226B

MD5
aff6285257f73b114174b04102c04735

SHA1
9e4a561dd7c8b8161a2720e375fc99ab02fc1b9b

SHA256
0ce4e59a2763ae7a92bd0e13d8716bf550085f0ac9f4cec0702a9c0ce30c03a3

SHA512
0c612f4cebcc0c319dc46e31111a78bde9a6a8d6700c6066bec679f8fa1cc813d819b8dc26de7a1f7f6a3407c73999814798c12c2e3507d9350686eeea48fada

Download Submit
C:\Users\Admin\AppData\Local\Temp\wserver.exe

Filesize
36KB

MD5
18ea3d4c9639a696b96e49f53af2b161

SHA1
5c1d4af865b4d514340d6a2dbb42523a142ab5d8

SHA256
690f5bd392269d80061e8e90a9aedac4f9bb2e898db4211b76a6e27a1ed95462

SHA512
fd6d79a533cb3fe255053e962fac882864be708b19b1c8922652e2bef4eda01ef209220ab06503adbbca047b833fb50ffac8fb66e490ce93e42d34cb9e51a892

Download Submit
\??\c:\windows\systemfile.DLL

Filesize
56KB

MD5
89de9c0ce214d2e437e2ce6d266ab100

SHA1
cebabb80844c823df4539f4db29d7bca27e1f50a

SHA256
7bd1016b5f3a5004166de5cf7f1846024684979de413417d83321c931c1b5929

SHA512
ed8ad8bb8b4e065fb890acf0dadaa494a2f03b8c76dca17c15141cfa9129fdd63b5f3e099195c806ef37c1f55ff5b8b82728c44b165bc06bdc270e3fdba8eeed

Download Submit
memory/1728-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2072-17-0x00000000003D0000-0x0000000000412000-memory.dmp

Filesize
264KB

Download
memory/2260-42-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2572-34-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2600-51-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2812-32-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/2812-36-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download