Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 12:48
Behavioral task behavioral1
- Sample: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task behavioral2
- Sample: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
- Size: 2.1MB
- MD5: 023005fb0f1eac24563f84180c659263
- SHA1: e3255e1fdee14c848f26a8849667300164b6b101
- SHA256: 7191e62ead1231701c2d050c13df42f11ff023a45c462ceb238404cd50aa6c7b
- SHA512: 81c0763adafa7d6cad53ad5bccbdaaeb47678217df5846f5993565a79d796eebb33d4295b9a126d11f6a1201dc2faeef071e3749d8c8643ea142b45ec8fdbe54
- SSDEEP: 49152:V1Wd46hen6dhZhOOtSkOI/WeP1g0Ztgd0gUigY6ukXO:adLk6dhXfSkOI/LXZta0prXO
Signatures

Executes dropped EXE (4 IoCs)
- PID 2764: setup.exe
- PID 2424: EEProSetup.exe
- PID 2568: is-32EQ6.tmp
- PID 1632: ~qwertyuiopa.exe
Loads dropped DLL (15 IoCs)
- PID 2460: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe (4 entries)
- PID 2764: setup.exe (4 entries)
- PID 2424: EEProSetup.exe (4 entries)
- PID 2568: is-32EQ6.tmp (2 entries)
- PID 1632: ~qwertyuiopa.exe (1 entry)
Yara rule matches (rule: upx)
- behavioral1/memory/2460-0-0x0000000000400000-0x0000000000842500-memory.dmp
- behavioral1/memory/2460-1-0x0000000000400000-0x0000000000842500-memory.dmp
- behavioral1/files/0x0037000000015bb5-45.dat
- behavioral1/memory/2460-50-0x0000000010000000-0x00000000100A0000-memory.dmp
- behavioral1/memory/2460-49-0x0000000000400000-0x0000000000842500-memory.dmp
- behavioral1/files/0x0004000000004ed7-55.dat
- behavioral1/memory/2460-60-0x0000000002DD0000-0x0000000002E0E000-memory.dmp
- behavioral1/memory/2460-67-0x0000000010000000-0x00000000100A0000-memory.dmp
- behavioral1/memory/1632-68-0x0000000000400000-0x000000000043D500-memory.dmp
- behavioral1/memory/2460-66-0x0000000000400000-0x0000000000842500-memory.dmp
- behavioral1/files/0x0006000000016c3a-74.dat
- behavioral1/memory/1632-76-0x0000000010000000-0x0000000010064000-memory.dmp
- behavioral1/memory/1632-80-0x0000000010000000-0x0000000010064000-memory.dmp
- behavioral1/memory/1632-79-0x0000000000400000-0x000000000043D500-memory.dmp
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2} (process: ~qwertyuiopa.exe)
Modifies WinLogon (2 TTPs, 13 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adras\Startup = "OnEvent" (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nutps (process: ~qwertyuiopa.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adras\DllName = "C:\\Windows\\Microsoft.NET\\adras.dll" (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adras\Impersonate = "0" (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nutps\Asynchronous = "1" (process: ~qwertyuiopa.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nutps\DllName = "c:\\windows\\web\\nutps.dll" (process: ~qwertyuiopa.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nutps\Impersonate = "0" (process: ~qwertyuiopa.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nutps\Startup = "UserLogOn" (process: ~qwertyuiopa.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nutps\Logoff = "UserLogOff" (process: ~qwertyuiopa.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adras (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adras\Asynchronous = "1" (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ (process: ~qwertyuiopa.exe)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\java\adras.dl (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- File created: C:\Windows\Microsoft.NET\adras.dl (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Microsoft.NET\adras.dll (process: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe)
- File created: C:\Windows\Web\nutps.dl (process: ~qwertyuiopa.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (23 IoCs, all by process ~qwertyuiopa.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\ProgID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\TypeLib\ = "{FD344746-28E1-4495-9F6B-EF629FF475AF}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\ProgID\ = "PsapiAnalyzer.PsapiAnalyzer.1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\VersionIndependentProgID\ = "PsapiAnalyzer.PsapiAnalyzer"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1\CLSID\ = "{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CLSID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CurVer\ = "PsapiAnalyzer.PsapiAnalyzer.1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CLSID\ = "{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CurVer
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\ = "PsapiAnalyzer Object"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1\ = "PsapiAnalyzer Object"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\ = "PsapiAnalyzer Object"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\AppID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32\ = "C:\\Windows\\Web\\nutps.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32\ThreadingModel = "apartment"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\VersionIndependentProgID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\Programmable
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 2460: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe (4 entries)
- PID 1632: ~qwertyuiopa.exe (1 entry)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2568: is-32EQ6.tmp

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1632: ~qwertyuiopa.exe

Suspicious use of WriteProcessMemory (27 IoCs)
- PID 2460 (023005fb0f1eac24563f84180c659263_JaffaCakes118.exe) wrote to memory of 2764, procid_target 29 (7 entries)
- PID 2764 (setup.exe) wrote to memory of 2424, procid_target 30 (7 entries)
- PID 2424 (EEProSetup.exe) wrote to memory of 2568, procid_target 31 (7 entries)
- PID 2460 (023005fb0f1eac24563f84180c659263_JaffaCakes118.exe) wrote to memory of 1204, procid_target 21 (1 entry)
- PID 2460 (023005fb0f1eac24563f84180c659263_JaffaCakes118.exe) wrote to memory of 1632, procid_target 34 (4 entries)
- PID 1632 (~qwertyuiopa.exe) wrote to memory of 1204, procid_target 21 (1 entry)
Processes
- [1] C:\Windows\Explorer.EXE, PID 1204
  command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\023005fb0f1eac24563f84180c659263_JaffaCakes118.exe, PID 2460
    command line: "C:\Users\Admin\AppData\Local\Temp\023005fb0f1eac24563f84180c659263_JaffaCakes118.exe"
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\setup.exe, PID 2764
      command line: C:\Users\Admin\AppData\Local\Temp\setup.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe, PID 2424
        command line: C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\is-7IKLD.tmp\is-32EQ6.tmp, PID 2568
          command line: "C:\Users\Admin\AppData\Local\Temp\is-7IKLD.tmp\is-32EQ6.tmp" /SL4 $50016 "C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe" 1393535 52224
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam
    - [3] C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe, PID 1632
      command line: C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies WinLogon
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Downloads