29b732557cb9e5f15b0c92ce6efb0c2c5ef22bd59068f3a87d40c4560ebaa2b5

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
Size

101KB
MD5

07a3273b9918b7ecbd2a22b3a8e61bc1
SHA1

c3a101466578a60b4a15c508983d6cb4cf48da8e
SHA256

29b732557cb9e5f15b0c92ce6efb0c2c5ef22bd59068f3a87d40c4560ebaa2b5
SHA512

3f1dd243cc8bd80113498781eba2c8b99c6ad765dcd3ef45380519f0705f4fdabb332aa7532a910a0d8e7039817d7d15412477355fd79a2888a96119bd9d960e
SSDEEP

1536:ApgpHzb9dZVX9fHMvG0D3XJdgaGtB1V/bax8isQzxX/8b+qJSaLEYdVN25+Q/:WgXdZt9P6D3XJW3z/+Dzx0b+qJSsNzQ/

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1992	EBcdssvc.exe
2684	EBcdssvc.exe
2524	EBcds.exe

Loads dropped DLL 8 IoCs

pid	Process
2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
1992	EBcdssvc.exe
1992	EBcdssvc.exe
1992	EBcdssvc.exe
2684	EBcdssvc.exe
2684	EBcdssvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	EBcdssvc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EBcds\uninstall.exe	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
File created	C:\Program Files (x86)\EBcds\EBcdssvc.exe	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
File created	C:\Program Files (x86)\EBcds\EBcds.exe	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	EBcdssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EBcdssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	EBcdssvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	EBcdssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EBcdssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EBcdssvc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2684	EBcdssvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2684	EBcdssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2524	EBcds.exe
2524	EBcds.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 1992	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2336 wrote to memory of 2592	2336	07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe	29
PID 2684 wrote to memory of 2524	2684	EBcdssvc.exe	33
PID 2684 wrote to memory of 2524	2684	EBcdssvc.exe	33
PID 2684 wrote to memory of 2524	2684	EBcdssvc.exe	33
PID 2684 wrote to memory of 2524	2684	EBcdssvc.exe	33

C:\Users\Admin\AppData\Local\Temp\07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a3273b9918b7ecbd2a22b3a8e61bc1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files (x86)\EBcds\EBcdssvc.exe
  "C:\Program Files (x86)\EBcds\EBcdssvc.exe" -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:2592

C:\Program Files (x86)\EBcds\EBcdssvc.exe
"C:\Program Files (x86)\EBcds\EBcdssvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Program Files (x86)\EBcds\EBcds.exe
  /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
233e97bc06c3fc862720e2f0cb60343d

SHA1
c6f0dbe1cbbfc49773cf193f3d07ada4b556025e

SHA256
3a89d93516e176bf56f7cd2b572924c854bd1ba91b5208f9235e9ab4f785d05b

SHA512
f68acfa36bb9c6417a8b5a1301b5d9dbc0deee92895f6176b08b196fd165f8c8a243e631b78464788196fbfaed1fa54a434c5e9f515dd016f46ad7eeaef73a8c

Download Submit
\Program Files (x86)\EBcds\EBcds.exe

Filesize
220KB

MD5
f5309c8b31a83bcbcb340cf0b951c016

SHA1
323a5eba82629c6734bda2f91469ac51d8c31c99

SHA256
321dec38ad670d6440467cc1c851d4e7a8ad16e3ba43a2d8e427922dfd177bb7

SHA512
f986323b9b21fc4e4a0d379c1eae0328d92fca82f3de8a425bee1361b0856c8e03ceafe2c863812e432e004da4566215b79b9f9aba38896fe2c2d1ab9c1f7a1b

Download Submit
\Program Files (x86)\EBcds\EBcdssvc.exe

Filesize
20KB

MD5
134454ccda9649c659682fa0b1d5d687

SHA1
1db5be866ccf1f677ae54196489e4abbbc1b1c29

SHA256
3c3d9f236f4b70f2bdc48a61953b5f72696628e86c3f53f8070df66e70d5e347

SHA512
77ada47a7bb607224db3ace6274b6e27a497389c8573046decad6409beba1392e53a95bf4971ee0c212611145ed48003de3f72d8534b9fa7f520ca0ebe56107c

Download Submit
\Users\Admin\AppData\Local\Temp\nso202F.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit