f12ddd573b5b3e7f29858254e43a73f962f56480651af0ef5029e463339bde33

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
Size

833KB
MD5

0cffb15d2a92d4169dbef0e7bedc4d0e
SHA1

7e53ee3117a5557a6f0dc3955f4aa1c0f49cfc9b
SHA256

f12ddd573b5b3e7f29858254e43a73f962f56480651af0ef5029e463339bde33
SHA512

e251dc8ea6c0bd7ec461dbb0485f78e371d19caa08c84bb0818636122abc5c5c7ec1f2ba9c92cf18ca955b3c114f21848ae057f34750ed46dde8469f505ce218
SSDEEP

12288:Rg8nSmRYJAo1e0Vl3kFb9d8ZaAlhHfflAaTcS3yv7sbuVHU9V8cwCoGH+c+sBYlq:dnSmeJhZVlOb9d8Zj3ifqV8chP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3088	winService.exe

Loads dropped DLL 44 IoCs

pid	Process
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe
3088	winService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winService = "C:\\Users\\Admin\\AppData\\Roaming\\winService.exe"	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3088	winService.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
3088	winService.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3088	1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe	90
PID 1812 wrote to memory of 3088	1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe	90
PID 1812 wrote to memory of 3088	1812	0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe	90
PID 3088 wrote to memory of 1088	3088	winService.exe	91
PID 3088 wrote to memory of 1088	3088	winService.exe	91
PID 3088 wrote to memory of 1088	3088	winService.exe	91
PID 1088 wrote to memory of 2848	1088	cmd.exe	93
PID 1088 wrote to memory of 2848	1088	cmd.exe	93
PID 1088 wrote to memory of 2848	1088	cmd.exe	93
PID 2848 wrote to memory of 2796	2848	net.exe	94
PID 2848 wrote to memory of 2796	2848	net.exe	94
PID 2848 wrote to memory of 2796	2848	net.exe	94

C:\Users\Admin\AppData\Local\Temp\0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cffb15d2a92d4169dbef0e7bedc4d0e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Roaming\winService.exe
  C:\Users\Admin\AppData\Roaming\winService.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "\Users\Admin\AppData\Roaming\nsc.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\net.exe
      net user Admin
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin
        5⤵
        
        PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\Binary.mfx

Filesize
101KB

MD5
2220971bfb8c2ff836fdb8a80f1016e2

SHA1
f511f75bd7328e59c45924ac6eaf2dcabbafc7f0

SHA256
e7c47b8693373f716692b8cc3c30422c6bb3497202c81c06916b030eacbd6cfc

SHA512
7bdda97efadf74a56c98f3cb14043e28dd9d8ebec7de4066265cf7cf006419a69eed5bf19e5f5942e6bac69fd710170a50ca36f182a430be301ac219344ee68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\Console.mfx

Filesize
27KB

MD5
f094fd1b219b2e52f9968ba4006ff37d

SHA1
756d21f1a658185fff05cccb753e174410865a26

SHA256
9674de7e0b37af5c01eefd642ad69de76d456249242fede87246be420e9508d5

SHA512
359f8e8c1dcabfa1c6c31f3b9a9885a5330f27c3b18b0d967a58cc5fb626cede5c1ff811b6775b6e6483087b09badc9d76c9eceea6291ea8ac6ff66b261c85a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\Get.mfx

Filesize
21KB

MD5
3979eda042b41b6d1e9d60e43308f9b5

SHA1
a09de3323aeece0ac4211fc5688772aa90aea5a6

SHA256
b4ae004206a09f38088f966c0ef274c141a35bb9368f2d0f19b0f43e00a06785

SHA512
3fbd2d28a953119cbdde1572b8a7e95d771860a87fa68f84ead3d385cb7fe10a4ccc9b8312971bbec2d9b87917dff2af204871e8827e6272bd3dd3a13cfd81b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\KcSyso.mfx

Filesize
24KB

MD5
16d802096e4b4c0e7768d46c6c3c0b7f

SHA1
1135cc3f5f82cbc4b49276dfb1cd20bd1a9e531a

SHA256
5149c2d7fe6f0d2b4bffec292c2b386f3dd7743bcc0a5b75d8142d132dd43ddb

SHA512
e585de80689e9f1ce7ed71ccb1a1cc877273fb609bbf7c85516a4f9200cf20038118e581402927c1b66bef86da31cb165168bf085881e48016c9fcf5d3cdceac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\Registry2.mfx

Filesize
14KB

MD5
53e5f0c38ba530d525ae454b2daaf9ef

SHA1
3ebd4f01f82c8b3e83fd71da2791ec0d2c149428

SHA256
72eeee8cdaf3f7e72f4182a77fd3b5bf6b5564352b4a98832a8f456173e12011

SHA512
971fb3d6d9f6b8fee646c3830989f9511a691e9764366aff83263bfd08c10558298b8286b7f1c0b1d103cb425035ad85a6e0954957bc98eccc9f5cbb87303a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\comObject.mfx

Filesize
15KB

MD5
6b9094de2bbdac5fd02965d338696bab

SHA1
8e0cf86574eaee81c60cbe86b67ef163bd4731f5

SHA256
a8a1d865a670db633f7a8fe1e1d970521cc79f31ce80c675d4318c3161e49487

SHA512
8423b3f87cef329f88f7764e46ce764f6a831cadb17feff0c83fc450ba391103a9956589c02a3b27ce8a7dfffeb28717fee80e902ce73dd4fd0404b1bf876424

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\kcedit.mfx

Filesize
32KB

MD5
6e48480835f787cf590d50365561d5fe

SHA1
f26e0820688e10906f73a41ba4b8736fca5f6709

SHA256
e26a27ae3ddc74e943e4fbdf4bf26b40f243d92cda3cd5db8a8ab8d973bcda3f

SHA512
b4186a23885f573cda4b18188d95a677c745acec068f54dae0b5b2892cd2bdabb964945b302cb8eda89370044965fdab9c723a0cc7d68600625fb6540fdeb4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\kcfile.mfx

Filesize
36KB

MD5
74225f508b64ec89e79531aabee00467

SHA1
ba695660f4c22ff57a91d9370fffef1fdc5d5162

SHA256
a404436d2f3c665ec782f991914ac90ef80143226c94e1affc43a02a2fe304d4

SHA512
0a5dc09d1229d4b8d301c14c72474b79481ac500675c73a9ad6477bdcd5f00d6eb8db077ec2f96ce30a1fd1d54f9cc84349ce406cc9e403564d7310740ec012c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\kcpop.mfx

Filesize
10KB

MD5
44557bf7ff780cfa6019c0c4119fb54a

SHA1
e02f00a1f9b9eae1855ca0168c362bd389fd6b8d

SHA256
28726ae556cbe1e2b4995ab135da1bfc72d0bc4e4f56d821e95dab738eed61a6

SHA512
071c11c89f59397b873d540561bc26f96651b6647f991b34ccdbb22809a16241c5e0167e892d3b660038d3fed5089c20a19eea1ca2a8607acdb6984d84cdf62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\mfxcom.dll

Filesize
45KB

MD5
18037c0a81482f07449f996576d02cfd

SHA1
cb9285d407b16e4b3a177b38fd344705b175ccf7

SHA256
880817d0662b24f052254fbc825d39ce588d9ee8098938c5bfdb88191806e70b

SHA512
690622b084ee549f11deeb055d847bd36931a1a568e91ba46b4ec3ea49c2de039a1d9c0d1d64d71068a731b91b64c8c447f8815163b7f871aba46a464fb4aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\mmfs2.dll

Filesize
300KB

MD5
dffca25b1fc4cc0b9e4b08a551ed0344

SHA1
1982f8ed843bb9a0d80eb11bc357c6e9798d277f

SHA256
186d448aabec4fcb6661ee105c5d399ad01f4ec1f7bf6c5cb70364d74cc34709

SHA512
6926760c16b32787a814da24b20786d3c00202ffe658cd4e3d943d5cf6bedb70105babb7f352a286f410d3dad30c1c6257ac707226c84f39d322ddc7ab25e563

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\moosock.mfx

Filesize
52KB

MD5
8efbb748c3988208ac034c7703b184bf

SHA1
8f924b93a5df40285196b7340f6901e0d59c1137

SHA256
e339037ecc9d3dddb7d452e4ba962440e30a70e6b54f789aa4c880c31948b100

SHA512
26dc9a3d2a6b80fc8613fa3626aff0cb0180ac413986ed49f116c96e14d3d0507ed6362bc3cc8109d401fa95ad74c253d9e2f5ba8d9147a5ae2e4193105c1efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtF637.tmp\parser.mfx

Filesize
30KB

MD5
3d165afb1f937f1bc9faa6ee300f34a5

SHA1
c574e596eed3a84ecfce83c51b22821f1322c7af

SHA256
d1059245292aafd7f1d6e3251998b11ff3eda4baee85ba3812044bbca5d10410

SHA512
95080c539da77dd855dfbb440cdef840bfbbc235750f07ed1403e044a7a6dd1b563a0b8ece1ca1eb3ceb19e70520b4c2db11c9e3cee4bc14463836a989842d5d

Download Submit
C:\Users\Admin\AppData\Roaming\nsc.bat

Filesize
30B

MD5
feb2938b8163ba65810107ec6f1bb145

SHA1
ac706fdc612336a2a7beeb75a8aab81284459dd9

SHA256
75cd9d5b5a05ad0a0bc8d299dae8425fdc6a54a6618e1e0ddc181bcad1986893

SHA512
c300ddcb62d6bb9d740263241d1de7505d8e54726a9a08f44ffed03b293df9ae512d3e74910bfebd46d047164af4b879f07b54747b7db7a4c235875e53cefcc8

Download Submit
C:\Users\Admin\AppData\Roaming\nsc.dll

Filesize
847B

MD5
d4f662db6bc7da93969472ebe2b178a7

SHA1
f435578a87ff85359ca6dc4ab0534223235f4355

SHA256
03d860908ce0cf13ce606954e5bf65292325e1601d037e0ffe43582974787ca6

SHA512
929dbee55f77d4eaf92fc7ceaf59cf21677359dc24afac8c157a5310d762f09000d66ae4acea4aeda46784f165376dd9102aaf0c97b22d67c916f6334057eb57

Download Submit
C:\Users\Admin\AppData\Roaming\winService.exe

Filesize
833KB

MD5
0cffb15d2a92d4169dbef0e7bedc4d0e

SHA1
7e53ee3117a5557a6f0dc3955f4aa1c0f49cfc9b

SHA256
f12ddd573b5b3e7f29858254e43a73f962f56480651af0ef5029e463339bde33

SHA512
e251dc8ea6c0bd7ec461dbb0485f78e371d19caa08c84bb0818636122abc5c5c7ec1f2ba9c92cf18ca955b3c114f21848ae057f34750ed46dde8469f505ce218

Download Submit
memory/1812-61-0x00000000023B0000-0x00000000023BB000-memory.dmp

Filesize
44KB

Download
memory/1812-72-0x0000000002560000-0x000000000256D000-memory.dmp

Filesize
52KB

Download
memory/1812-44-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/1812-37-0x0000000002240000-0x000000000224F000-memory.dmp

Filesize
60KB

Download
memory/1812-27-0x0000000000650000-0x000000000066F000-memory.dmp

Filesize
124KB

Download
memory/3088-119-0x00000000020B0000-0x00000000020CF000-memory.dmp

Filesize
124KB

Download
memory/3088-129-0x0000000002100000-0x000000000210F000-memory.dmp

Filesize
60KB

Download
memory/3088-136-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3088-153-0x0000000002160000-0x000000000216B000-memory.dmp

Filesize
44KB

Download
memory/3088-164-0x0000000002180000-0x000000000218D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads