9394f8970fceedbac0856b945e8e32b54d373cf7cf584dcf85eb728350ebc3cf

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
Size

18KB
MD5

08c5ef80503c103afd00d71a5a9bf8be
SHA1

b26925b6dd411bc6a5ec85a0fc3c64523eb7b904
SHA256

9394f8970fceedbac0856b945e8e32b54d373cf7cf584dcf85eb728350ebc3cf
SHA512

d240323a07b2a95554fc7181e8def78d3e4c1ffcd999f351c29488856cc38ca78ba2a5fe5cfc63c8e6530a93ff8c43248e4e4c38e55681b024f02d44ca243ff0
SSDEEP

384:ymjg7/4V6aZK8pylPwzFStdr5DWj89cuYf5/U4SyZJRwr+QZ1q:JW4tZK84UKx5DWpfGus+Q/q

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
3024	NIW.exe
2624	NIW.exe
2884	NIW.exe
2740	NIW.exe
1616	NIW.exe
2324	NIW.exe
268	NIW.exe

Loads dropped DLL 18 IoCs

pid	Process
2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
3024	NIW.exe
3024	NIW.exe
2624	NIW.exe
2624	NIW.exe
2884	NIW.exe
2884	NIW.exe
2740	NIW.exe
2740	NIW.exe
1616	NIW.exe
1616	NIW.exe
2324	NIW.exe
2324	NIW.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIW = "C:\\Windows\\system32\\NIW.exe"	NIW.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File created	C:\Windows\SysWOW64\NIW.exe	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\impai.exe	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\NIW.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File opened for modification	C:\Windows\SysWOW64\impai.exe	NIW.exe
File created	C:\Windows\SysWOW64\NIW.exe	NIW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	268	WerFault.exe	65

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	NIW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\impai.exe \"%1\""	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NIW.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
3024	NIW.exe
3024	NIW.exe
2624	NIW.exe
2624	NIW.exe
2884	NIW.exe
2884	NIW.exe
2740	NIW.exe
2740	NIW.exe
1616	NIW.exe
1616	NIW.exe
2324	NIW.exe
2324	NIW.exe
268	NIW.exe
268	NIW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3024	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	28
PID 2240 wrote to memory of 3024	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	28
PID 2240 wrote to memory of 3024	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	28
PID 2240 wrote to memory of 3024	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2572	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2572	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2572	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2572	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2596	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2596	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2596	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2596	2240	08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2868	3024	NIW.exe	33
PID 3024 wrote to memory of 2868	3024	NIW.exe	33
PID 3024 wrote to memory of 2868	3024	NIW.exe	33
PID 3024 wrote to memory of 2868	3024	NIW.exe	33
PID 3024 wrote to memory of 2624	3024	NIW.exe	34
PID 3024 wrote to memory of 2624	3024	NIW.exe	34
PID 3024 wrote to memory of 2624	3024	NIW.exe	34
PID 3024 wrote to memory of 2624	3024	NIW.exe	34
PID 3024 wrote to memory of 2104	3024	NIW.exe	35
PID 3024 wrote to memory of 2104	3024	NIW.exe	35
PID 3024 wrote to memory of 2104	3024	NIW.exe	35
PID 3024 wrote to memory of 2104	3024	NIW.exe	35
PID 2572 wrote to memory of 2652	2572	net.exe	37
PID 2572 wrote to memory of 2652	2572	net.exe	37
PID 2572 wrote to memory of 2652	2572	net.exe	37
PID 2572 wrote to memory of 2652	2572	net.exe	37
PID 2624 wrote to memory of 2116	2624	NIW.exe	39
PID 2624 wrote to memory of 2116	2624	NIW.exe	39
PID 2624 wrote to memory of 2116	2624	NIW.exe	39
PID 2624 wrote to memory of 2116	2624	NIW.exe	39
PID 2624 wrote to memory of 2884	2624	NIW.exe	40
PID 2624 wrote to memory of 2884	2624	NIW.exe	40
PID 2624 wrote to memory of 2884	2624	NIW.exe	40
PID 2624 wrote to memory of 2884	2624	NIW.exe	40
PID 2624 wrote to memory of 3056	2624	NIW.exe	41
PID 2624 wrote to memory of 3056	2624	NIW.exe	41
PID 2624 wrote to memory of 3056	2624	NIW.exe	41
PID 2624 wrote to memory of 3056	2624	NIW.exe	41
PID 2868 wrote to memory of 2896	2868	net.exe	42
PID 2868 wrote to memory of 2896	2868	net.exe	42
PID 2868 wrote to memory of 2896	2868	net.exe	42
PID 2868 wrote to memory of 2896	2868	net.exe	42
PID 2884 wrote to memory of 2740	2884	NIW.exe	45
PID 2884 wrote to memory of 2740	2884	NIW.exe	45
PID 2884 wrote to memory of 2740	2884	NIW.exe	45
PID 2884 wrote to memory of 2740	2884	NIW.exe	45
PID 2884 wrote to memory of 2704	2884	NIW.exe	46
PID 2884 wrote to memory of 2704	2884	NIW.exe	46
PID 2884 wrote to memory of 2704	2884	NIW.exe	46
PID 2884 wrote to memory of 2704	2884	NIW.exe	46
PID 2884 wrote to memory of 2728	2884	NIW.exe	47
PID 2884 wrote to memory of 2728	2884	NIW.exe	47
PID 2884 wrote to memory of 2728	2884	NIW.exe	47
PID 2884 wrote to memory of 2728	2884	NIW.exe	47
PID 2116 wrote to memory of 2752	2116	net.exe	49
PID 2116 wrote to memory of 2752	2116	net.exe	49
PID 2116 wrote to memory of 2752	2116	net.exe	49
PID 2116 wrote to memory of 2752	2116	net.exe	49
PID 2704 wrote to memory of 2156	2704	net.exe	51
PID 2704 wrote to memory of 2156	2704	net.exe	51
PID 2704 wrote to memory of 2156	2704	net.exe	51
PID 2704 wrote to memory of 2156	2704	net.exe	51

C:\Users\Admin\AppData\Local\Temp\08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\NIW.exe
  "C:\Windows\system32\NIW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\NIW.exe
    "C:\Windows\system32\NIW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:2752
  - - C:\Windows\SysWOW64\NIW.exe
      "C:\Windows\system32\NIW.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\NIW.exe
        
        "C:\Windows\system32\NIW.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        6⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        7⤵
        
        PID:1572
      - C:\Windows\SysWOW64\NIW.exe
        
        "C:\Windows\system32\NIW.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        7⤵
        
        PID:864
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\NIW.exe
        
        "C:\Windows\system32\NIW.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        8⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        9⤵
        
        PID:856
        
        C:\Windows\SysWOW64\NIW.exe
        
        "C:\Windows\system32\NIW.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 292
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1416
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        9⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\NIW.exe"
        8⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\NIW.exe"
        7⤵
        
        PID:2212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\NIW.exe"
        6⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\NIW.exe"
        5⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\NIW.exe"
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\NIW.exe"
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\08c5ef80503c103afd00d71a5a9bf8be_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\NIW.exe

Filesize
18KB

MD5
08c5ef80503c103afd00d71a5a9bf8be

SHA1
b26925b6dd411bc6a5ec85a0fc3c64523eb7b904

SHA256
9394f8970fceedbac0856b945e8e32b54d373cf7cf584dcf85eb728350ebc3cf

SHA512
d240323a07b2a95554fc7181e8def78d3e4c1ffcd999f351c29488856cc38ca78ba2a5fe5cfc63c8e6530a93ff8c43248e4e4c38e55681b024f02d44ca243ff0

Download Submit
memory/268-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2324-52-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download