8df05e255ce1317db4abb9d84c00917f23d3d0ef9ca0bde0cd05e1d7d50efed6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
Size

2.0MB
MD5

97577a3f1c7b783ada4b7dbbd5d7fedd
SHA1

e1538e10460721c1655c3006f6d8c1918209dd3c
SHA256

8df05e255ce1317db4abb9d84c00917f23d3d0ef9ca0bde0cd05e1d7d50efed6
SHA512

1cb3d2a1728bf5fe1c67a0b0f3543f39a2f45beb041f130e02b535a69c5320600480f64f19b3041ca61c3ab114588c27272cbe8ad7ce72bfc5fbe8d3bc5d4b26
SSDEEP

24576:/IHaacDv8+WnR0C1NGA3u6pcpcTKIQNZLa4W5QJM7asObDSZ1XKuviJzbS9PkYc6:6aNzWRNJypLWeQ5Z1XVJk/Krxnd

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RiamgIro.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	RiamgIro.exe

Loads dropped DLL 12 IoCs

pid	Process
2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
2724	RiamgIro.exe
2724	RiamgIro.exe
2724	RiamgIro.exe
2724	RiamgIro.exe
2724	RiamgIro.exe
2724	RiamgIro.exe
2724	RiamgIro.exe
1504	ipconfig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cmdrun = "cmd.exe /C ipconfig /flushdns"	RiamgIro.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dnsapi.dll	RiamgIro.exe
File opened for modification	C:\Windows\SysWOW64\dnsapi.dll	RiamgIro.exe
File opened for modification	C:\Windows\system32\cemn\bogw\usu.dat	RiamgIro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RiamgIro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RiamgIro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	RiamgIro.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1720	ipconfig.exe
1504	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2724	RiamgIro.exe
Token: SeTakeOwnershipPrivilege	2724	RiamgIro.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1720	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	28
PID 2576 wrote to memory of 1720	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	28
PID 2576 wrote to memory of 1720	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	28
PID 2576 wrote to memory of 1720	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	28
PID 2576 wrote to memory of 2724	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2724	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2724	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2724	2576	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	30
PID 2724 wrote to memory of 1504	2724	RiamgIro.exe	32
PID 2724 wrote to memory of 1504	2724	RiamgIro.exe	32
PID 2724 wrote to memory of 1504	2724	RiamgIro.exe	32
PID 2724 wrote to memory of 1504	2724	RiamgIro.exe	32

C:\Users\Admin\AppData\Local\Temp\97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe /renew
  2⤵
  - Gathers network information
  PID:1720
- C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RiamgIro.exe
  "C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RiamgIro.exe" spa="C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Loads dropped DLL
    - Gathers network information
    PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RictiFahr.dat

Filesize
1.2MB

MD5
0f87c22338c7718fca86c53d0f8fe8ed

SHA1
fb69c7de8e02cf061b45b0cf837329e898faafd3

SHA256
ff74229d301743e7db6699e2ee6a82f4e2ced48272254dc0eab01eb69f97f289

SHA512
8abcb08f00002bbaa271407e648a00af596bcff3fda19fc41ec178fe9a2223356108a91b37da85e4cf71702e531ee4572da003dc6e6160c7c0c65a65a978bf1a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\libnspr4.dll

Filesize
288KB

MD5
74485152d7f2c06fe413f48c7da4ff33

SHA1
a07c30fedc80e5f4c2cc0be5202d64f51b015b44

SHA256
3c019cb209ba4f01015ffbb628d988735d2c5d9805abd7dd4dab441ea82eb688

SHA512
43b3b3bd5d5f3afd845cc79d68e942836f95f708eac96cd84d09b774d8f92f772b2353a273185b6be336603b5b283a486756e95ff26bb1ecd4fe84667cbe6f52

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\libplds4.dll

Filesize
45KB

MD5
56c1c79274ef5728b1f50986a5a8f22e

SHA1
32f67170194ce27736e564b5328dbab6c4be33b3

SHA256
8720171993fc29c517a8124b8235c2c5d71b0ae4c236685ba202088326d780de

SHA512
6198edad58ffbb9109c827de704a6d67be44300e7bf11d5af427e568388a9a746ce58e6c09babd65f6cf7dbec9520be6c9d92c7a4724c0892e044c38a9e2ce3a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\nss3.dll

Filesize
834KB

MD5
9721a913f9a997a62c532d72ed3e7b8d

SHA1
2e1f33ec48938eab775f6775e4de93150b39b46d

SHA256
4515d073983b96bd48d2601fb22646d72aa56aec163cb172e6d06dd55b8a9e80

SHA512
7363b2192a3b0b5f946c14983b197315632907790871dd795b2d995d8cf924d9d3ad7af2c3b465b70f5bb110ba8aaef1412d2cc33bedaeca8c64e2a523678ad7

Download Submit
C:\Windows\SysWOW64\dnsapi.dll

Filesize
264KB

MD5
d19c4e9e81f3691f8099b82bf9045d33

SHA1
d6a597db2544a4cf7db69099d1331d703d9a42f9

SHA256
f58fab4c47fa05cf11c1360418850e932889ee945e18669fb91d7af166db94ca

SHA512
270cdf33ed5e91446ecb55f5e2e75173fd7f083990ee16ee8f1029a4da9d014207d118e347417cea68787991451f96dbcdd6732a97b52e6c46506c5b43b0dfb6

Download Submit
C:\Windows\System32\dnsapi.dll

Filesize
349KB

MD5
caa61e10fe9751b197305b67649a8388

SHA1
ad7880968f45dde92856ffffa4101ca96b44aa4e

SHA256
f418885f26f37ae5d3ecac356f6f6ad1c518cbe178f38d073b720aff9d8e7341

SHA512
6f7d0283f7b9d72c8b746de65cdd0a2dc14edacc8231317f080acb09af53af609a6734cfa51a908b194e4b5337a41b486648db4b6997ee6fff0ec7412b2fe461

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\GokKae.dll

Filesize
157KB

MD5
4683ef5c8d0635d32de57422d9481faf

SHA1
8e76c9f2df4acd2345fea0f81c7982fa55617eda

SHA256
115e9443280a097a35e343075518c7303810b147c121881ac8255aa40d62ca24

SHA512
30293873fef4ccf6b8924ba3dcb5d48b5a6fb369e8e5feceece86a91a6c5adfe299757d8f7e7c84e435f9735bc0a6e659dced2b7a719a20a437150d9b6182716

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RiamgIro.exe

Filesize
116KB

MD5
99fb02b5e8c709549b572ca088ef2afc

SHA1
28dd044a1ffed7d4f3005dc5470f71b631d3de43

SHA256
2f44957b1bcb8a6b46a4a4ab0040e417697e0821cea4d400f84f97ff88a7225a

SHA512
8e0bdbd3f404a05ecd2722db9bdd2d7487997a27d20bcbebfbf426434a0caeecb1ab03ae85aeee9fefa5fdef17163e82e96b31726668aad20731af5e69a925b0

Download Submit
\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RictiFahr.dat

Filesize
1.2MB

MD5
ffb0ef3bf23f1a30171edc95f1b7b30e

SHA1
a863db9f08ac0ddb04b24ac2b327418fc02c03a1

SHA256
44d2b37b8d0f5631f8cb78d79835024f9e409e2ead05a875705415e78754a1e9

SHA512
e5692ab4de4bd0db0358c52ebcaa7c38e81b8b3ab6defc36f8840e98252a8a1773112f7153e7920b8d9ba1d35be80c16a2a32da462b073e662750e6c4e4d2a7a

Download Submit
\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\libplc4.dll

Filesize
47KB

MD5
08bacf2967fd8ea468c69f6e8d31b914

SHA1
eec97e847be6303013e468979b861ff74d4279ed

SHA256
2f143cac2efdc21b98620338c6f0404dfce812ee5741960ff68671ed0b0f3a9a

SHA512
2550e9481d2604b9c62b97ede184af4a8b2db1333b6707e01bc67b3699f72b0b764a238c86801d4457007e31977a181007f67c300f7c47899d4a771d05c2e97a

Download Submit
\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\nssutil3.dll

Filesize
132KB

MD5
08b59a1793e8cd6fb085271650f8b5d0

SHA1
3182956535052ab496bc92f59167a7e114752b1e

SHA256
f0c14914986be4dc13a72fbe509db10a4c24c55e545471d1e4dde2c1d4ca03a1

SHA512
e2526879a4904f9e96b5f9422a088bfc4811f5ed3567fd0ad4021c10e6b796df10c61734cf59a2b2b36151fb1451660283284f97d7ff95eb3b78d6340f1cd136

Download Submit
\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\smime3.dll

Filesize
129KB

MD5
88f553be556ae62c59b3a3fbea81987e

SHA1
166abd59cdf04380b939c3d216b514cbe09735f8

SHA256
741bf85f9011be7f57df51a409b9b43b45bed0329d14cedc05d0f84e60c66006

SHA512
d27e0ea06245782960bcffd41f9afbd9a7fe3bbb43f15eddbfa083568b21cc6dd15c86686fb597a0bf05d2bb4e76332eb7f28aba82e6a3695423f1458fb924c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads