4584282c886f57b2577b19a83d842f7d48595ad91487669e3906ae2601f7f4f2

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
Size

206KB
MD5

01732b6e6b7ebe6efed4369ea4aa8fb0
SHA1

262e971df34b999f17843a537532fcc275beb163
SHA256

4584282c886f57b2577b19a83d842f7d48595ad91487669e3906ae2601f7f4f2
SHA512

837c9e2ab0041b6f3b616b4984f5a6229e67b0d127e72dee5b762ee21282d72ff3260fb94532bbd894fed6341febde1ea2d18b373ae3526f82476b91d945b170
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unX:zvEN2U+T6i5LirrllHy4HUcMQY6u

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2296	explorer.exe
2612	spoolsv.exe
2748	svchost.exe
2652	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
2296	explorer.exe
2296	explorer.exe
2612	spoolsv.exe
2612	spoolsv.exe
2748	svchost.exe
2748	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2748	svchost.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe
2296	explorer.exe
2748	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2296	explorer.exe
2748	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
2296	explorer.exe
2296	explorer.exe
2612	spoolsv.exe
2612	spoolsv.exe
2748	svchost.exe
2748	svchost.exe
2652	spoolsv.exe
2652	spoolsv.exe
2296	explorer.exe
2296	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2296	2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe	28
PID 2108 wrote to memory of 2296	2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe	28
PID 2108 wrote to memory of 2296	2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe	28
PID 2108 wrote to memory of 2296	2108	01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe	28
PID 2296 wrote to memory of 2612	2296	explorer.exe	29
PID 2296 wrote to memory of 2612	2296	explorer.exe	29
PID 2296 wrote to memory of 2612	2296	explorer.exe	29
PID 2296 wrote to memory of 2612	2296	explorer.exe	29
PID 2612 wrote to memory of 2748	2612	spoolsv.exe	30
PID 2612 wrote to memory of 2748	2612	spoolsv.exe	30
PID 2612 wrote to memory of 2748	2612	spoolsv.exe	30
PID 2612 wrote to memory of 2748	2612	spoolsv.exe	30
PID 2748 wrote to memory of 2652	2748	svchost.exe	31
PID 2748 wrote to memory of 2652	2748	svchost.exe	31
PID 2748 wrote to memory of 2652	2748	svchost.exe	31
PID 2748 wrote to memory of 2652	2748	svchost.exe	31
PID 2748 wrote to memory of 2548	2748	svchost.exe	32
PID 2748 wrote to memory of 2548	2748	svchost.exe	32
PID 2748 wrote to memory of 2548	2748	svchost.exe	32
PID 2748 wrote to memory of 2548	2748	svchost.exe	32
PID 2748 wrote to memory of 2816	2748	svchost.exe	36
PID 2748 wrote to memory of 2816	2748	svchost.exe	36
PID 2748 wrote to memory of 2816	2748	svchost.exe	36
PID 2748 wrote to memory of 2816	2748	svchost.exe	36
PID 2748 wrote to memory of 2024	2748	svchost.exe	38
PID 2748 wrote to memory of 2024	2748	svchost.exe	38
PID 2748 wrote to memory of 2024	2748	svchost.exe	38
PID 2748 wrote to memory of 2024	2748	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01732b6e6b7ebe6efed4369ea4aa8fb0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2652
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
3d861ac0b8072228f64e66b157562bfd

SHA1
7fdd4140a3b66c69f5d25c0465721f4dbe566bf6

SHA256
2b6b611a5dd626367adff179acba3c0acc2e94d8d142d75bbc1b41e61a879dab

SHA512
b81465c40314e8e7057e0a7edd0dc5139180e64345674ceb8dbd8c49c7ac98c3b04c1a50152be28033352f9189b4e675ce8a26cb561e2c17d38a3b27988ddcec

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
15c92b4c0056b5730197431a9d7ae6a5

SHA1
75f1997e3d4afef7b412ac6d0b214f4584d72c02

SHA256
b2c05b49cf0f702e121c0173f68f44265135054de3330a85a8bd81ddaa5b1a24

SHA512
5b077e68c5aeb5d9c3764338f35e8a08a891b1d83e2f2f549619af21f1644bb7fce4a2c41aafe05e5e375f192f431de9b5c1b5191ed6bf6ddbfe80a58d012183

Download Submit
\Windows\system\spoolsv.exe

Filesize
207KB

MD5
8abd0f59f2e8316a3078b2310c1fe31d

SHA1
9b136a128079cc9ca768218cd671303363f97f51

SHA256
5e42550394d96982f69f96cab0fa6af8a2721eb93989b83a2175400b81399394

SHA512
dd57f27c393bdcc04054873b76163099e9b29968bde3b653854ab0efd513e58cdb8074be5e54bbe46cfba7c85e59343a0e12d05e4fcc78868a88876da2d8df63

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
e5412f1022e49cfe7baea744cdbdc24e

SHA1
e6e040515312cb69d81c05aa67a07f47e93e0433

SHA256
46e4bc29f848d1e6db955f4296f191ad98b6d6ec1259bea23bd152263accc4ab

SHA512
df9a214935893339d67cccfc3d0d2c57fe5f32c65e4494fe981f9500034686b39971c0cf6fc21ab80246231306678d73658195b1bf20e878d5cefd9dcaa4276f

Download Submit