4d6569c2f7bf724bbbcf815bfb92ba0d6b5c817d1650cfc0a2e9634db3bd14e9

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe
Size

2.2MB
MD5

a7d39878eb441e90307893a5e459cba6
SHA1

66ba2b76becf86cef71a3a5750dc079440bc9779
SHA256

4d6569c2f7bf724bbbcf815bfb92ba0d6b5c817d1650cfc0a2e9634db3bd14e9
SHA512

52b3f9b472b45a0515597923b26338facfd2f64cf1dc63a7c329d4c85c58df72bc3a9807065be76fb23cdee54be20d6d79e26f9c739a6484e55489950c0e219f
SSDEEP

24576:h1OYdaOkqU2Uzf5TilCfBJyAWSODBXEZc78KU88SXhrrWzcN:h1OsKqBI5TilCfJIvfhrSo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1592	1TwXli6DlRNJrA2.exe
2532	1TwXli6DlRNJrA2.exe

Loads dropped DLL 4 IoCs

pid	Process
2392	a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe
1592	1TwXli6DlRNJrA2.exe
1592	1TwXli6DlRNJrA2.exe
2532	1TwXli6DlRNJrA2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML\shell	1TwXli6DlRNJrA2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML\shell\Edit	1TwXli6DlRNJrA2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RCAKNZ.tmp\\1TwXli6DlRNJrA2.exe\" target \".\\\" bits downExt"	1TwXli6DlRNJrA2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RCAKNZ.tmp\\1TwXli6DlRNJrA2.exe\" target \".\\\" bits downExt"	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit	1TwXli6DlRNJrA2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.aHTML\OpenWithProgids\__aHTML	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML\shell\Edit\command	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML\shell\Edit\ddeexec	1TwXli6DlRNJrA2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML\shell\Edit\command\ = "Notepad.exe"	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.aHTML	1TwXli6DlRNJrA2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.aHTML\ = "__aHTML"	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.aHTML\OpenWithProgids	1TwXli6DlRNJrA2.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\__aHTML\shell	1TwXli6DlRNJrA2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2532	1TwXli6DlRNJrA2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	1TwXli6DlRNJrA2.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1592	2392	a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe	28
PID 2392 wrote to memory of 1592	2392	a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe	28
PID 2392 wrote to memory of 1592	2392	a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe	28
PID 2392 wrote to memory of 1592	2392	a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe	28
PID 1592 wrote to memory of 2532	1592	1TwXli6DlRNJrA2.exe	29
PID 1592 wrote to memory of 2532	1592	1TwXli6DlRNJrA2.exe	29
PID 1592 wrote to memory of 2532	1592	1TwXli6DlRNJrA2.exe	29
PID 1592 wrote to memory of 2532	1592	1TwXli6DlRNJrA2.exe	29
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30
PID 2532 wrote to memory of 2548	2532	1TwXli6DlRNJrA2.exe	30

C:\Users\Admin\AppData\Local\Temp\a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7d39878eb441e90307893a5e459cba6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\1TwXli6DlRNJrA2.exe
  .\1TwXli6DlRNJrA2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\RCAKNZ.tmp\1TwXli6DlRNJrA2.exe
    "C:\Users\Admin\AppData\Local\Temp\RCAKNZ.tmp\1TwXli6DlRNJrA2.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\Nh8Jj2KWoBG4Bg.x64.dll"
      4⤵
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\1TwXli6DlRNJrA2.dat

Filesize
15KB

MD5
705eb60c980f5b2b400ed7a61b797791

SHA1
41710e3a5c6935ac5faf645e14252def27ba7385

SHA256
7f2c1d111a384556ad2cce5fca0bd9177cdcb6b7cc9dea1ba6efddeb3fb5e553

SHA512
004b60ffd4e1441cb3511afa2a6f5c7d9110d0dd474cbe725b68cc88842456fa5e1ba14656d96f6dd28e555a13cc07f392c201a98a191506b8f8f2e052da02bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\Nh8Jj2KWoBG4Bg.dll

Filesize
863KB

MD5
440b206626a1c62c8bafe816fbe17453

SHA1
c08963702e4678be7fc0f1bbc3b2b8f4c0e65599

SHA256
7b08170197951130ae82e41682a5767934bcc20941d2b5c68245fa7848709fbc

SHA512
1d5737f768902e2481070b11ce3c07489f964b990d25d668ca6ab1dfb57d325aa6f66680a0b15bfa09e2b127f159480fa6e7d6f435d129a79a8e8db7ce9436e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\Nh8Jj2KWoBG4Bg.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\Nh8Jj2KWoBG4Bg.x64.dll

Filesize
945KB

MD5
bb4edcd0d1dbea879ceaf63dbbc497ff

SHA1
4769e78a4388ece7574a8957854af2b5471f7b87

SHA256
7fbd461cbe2e3cf3109bff8331e6aa612bde6a4424c1035dcdde57babff32a97

SHA512
cbfe8c360c5d710bcd3a238456f5e76e29ad0600c16fe11ce27d6e3eb4ccf33d4d47986b0d79f4e0b8554f7046756e6a313f3babf0f72e13d97527ae0900c41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
701d800cda954bfce6e81a2422a2b61a

SHA1
b6775604deb79f4249929d02f83f8b646db8ee94

SHA256
a26bf1acdd0144855cce6bcf5b25a91739b4c2339bfa35088c4d4ec51b610dd7

SHA512
df3bcc4ab3ead21770701b34c930d5ffa8e6463efe184393082840e1e052a3573a6c004d0a4aeec807f1cff49fe7b73b497446be3ae2f75ea19b5c97268fc47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
6a41337fbab39a2e3948b658e35bc895

SHA1
e2dfca535c0c2cd04d27229e6b31d19551afc11e

SHA256
06949935b21faa65756518c3a34f31edafbf08388c9e5f6f5b9463c6bf6cb7ae

SHA512
66665eeb61a034eea83d0a86a712c2a2eadb2f10a8bd802c84f4c0ff12a4cfb3adfe19ad8bdc30cfbd7cd95c22888bbf942fe8a4b3a1eff46e4a095299ad6c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\[email protected]\install.rdf

Filesize
598B

MD5
e3fc886066603692fcb62525ecbd848a

SHA1
541e563736d9014fcd9294a1b133ba94132f0744

SHA256
4de82898bc2b196e3e76ad3c29b7ba6ddda55c45c3d0349a7d6877cbe4678bc7

SHA512
fcf63986d4c89f870e68b81e332bc325a39e8a005c233c5b65d959ea406133a46a455744502a6fd51bda3f1772bac106863d57e7eb5d206a6a927e8eb2d57d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\emhmggbpjgbjhebnnmbanffidjefhpij\background.html

Filesize
146B

MD5
bd970a24cae8aeb124cc28b44642cdfe

SHA1
86dbde91655bb90a4ddb1ca4e1206bcb3b7a2d2f

SHA256
61269972465799e7f7065257bdede81380cfd5c653e785a3ddc151ae6d46459d

SHA512
07e9a1a9766d49dad8400fd9ce6055d1b0182b8cc99fe54929c57ae3084b88fa82717c5ca3d416df8fdf50fd6c35593c0425fc68e979176af470ae2eb2ac87de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\emhmggbpjgbjhebnnmbanffidjefhpij\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\emhmggbpjgbjhebnnmbanffidjefhpij\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\emhmggbpjgbjhebnnmbanffidjefhpij\manifest.json

Filesize
503B

MD5
947c255007d07989c8cb8adbe68aeb5d

SHA1
e5963c167a2d1743d877e3e4fa427157d46938c4

SHA256
46aceaf1713d8b6d9a7f0884dc41cbc0d67d5bba69f25bde680277c9b4f8a009

SHA512
d44dfcf55a359bf0ea513d6405e9caa2234234f69aa87d80c0fea8d5f291b021993f187034ca7264541e61e2b7e23fef56251c54ba2363cdbaeaf1340119d63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\emhmggbpjgbjhebnnmbanffidjefhpij\oVTVDTPsL.js

Filesize
6KB

MD5
4d4092bb0ca76a5996b558f85a1a1815

SHA1
f863eed051fa4ccd66633edf6a32ca6ecd723d09

SHA256
30bdfcf66960970fa33befbbfb2141ae551a899c336316cb927821208a1d9c87

SHA512
c751c609310f9e20677ebd171dde6933d229d2c30533b4f1b73eb1ed22a7185a3420c13474794f9d644ddc355c822bd73214afe9a664bf0c7f29a4f05158c8f3

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D63.tmp\1TwXli6DlRNJrA2.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit