897611a1fd6a2ff93247a0758f06ce5c34a06b50a859de487d10cd7d58d243f7

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Size

62KB
MD5

0d7b33db1f531966add6c065885a5501
SHA1

cd7e136a587ecfa164010042540b2aac44ebb81c
SHA256

897611a1fd6a2ff93247a0758f06ce5c34a06b50a859de487d10cd7d58d243f7
SHA512

a12f4ad98db107cca8e9824f7ba7e48004a2c837fb43fee1e52aea95cb2f01341c2970558b410cc78286502606af8be82e85882544a8d68a760327b4581e3df8
SSDEEP

768:t4xjgvZqw6axPo6qcHMV4+ZC7d9443l/kJ/MUTW+cieBN2QOx2jqpoINN6fTjiAt:6SvZqNMPo3cHH5dk7TWkeBoTYqpqf0O

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\McaFee virus detect program. = "c:\\Program Files\\Network Associates\\VirusScan\\McaUpdate.exe"	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpnetinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpnetinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpnetinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys	cmd.exe
File created	C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfolzw.sys	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-0-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2124-21-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2704	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2940	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1140	ipconfig.exe
2588	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2664	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	NETSTAT.EXE
Token: SeDebugPrivilege	2940	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1236	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	28
PID 2124 wrote to memory of 1236	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	28
PID 2124 wrote to memory of 1236	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	28
PID 2124 wrote to memory of 1236	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	28
PID 2124 wrote to memory of 2556	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2556	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2556	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2556	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1140	2556	cmd.exe	32
PID 2556 wrote to memory of 1140	2556	cmd.exe	32
PID 2556 wrote to memory of 1140	2556	cmd.exe	32
PID 2556 wrote to memory of 1140	2556	cmd.exe	32
PID 2556 wrote to memory of 2704	2556	cmd.exe	33
PID 2556 wrote to memory of 2704	2556	cmd.exe	33
PID 2556 wrote to memory of 2704	2556	cmd.exe	33
PID 2556 wrote to memory of 2704	2556	cmd.exe	33
PID 2556 wrote to memory of 2588	2556	cmd.exe	34
PID 2556 wrote to memory of 2588	2556	cmd.exe	34
PID 2556 wrote to memory of 2588	2556	cmd.exe	34
PID 2556 wrote to memory of 2588	2556	cmd.exe	34
PID 2556 wrote to memory of 2664	2556	cmd.exe	35
PID 2556 wrote to memory of 2664	2556	cmd.exe	35
PID 2556 wrote to memory of 2664	2556	cmd.exe	35
PID 2556 wrote to memory of 2664	2556	cmd.exe	35
PID 2124 wrote to memory of 2480	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	38
PID 2124 wrote to memory of 2480	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	38
PID 2124 wrote to memory of 2480	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	38
PID 2124 wrote to memory of 2480	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	38
PID 2480 wrote to memory of 2584	2480	cmd.exe	40
PID 2480 wrote to memory of 2584	2480	cmd.exe	40
PID 2480 wrote to memory of 2584	2480	cmd.exe	40
PID 2480 wrote to memory of 2584	2480	cmd.exe	40
PID 2584 wrote to memory of 2928	2584	net.exe	41
PID 2584 wrote to memory of 2928	2584	net.exe	41
PID 2584 wrote to memory of 2928	2584	net.exe	41
PID 2584 wrote to memory of 2928	2584	net.exe	41
PID 2480 wrote to memory of 2940	2480	cmd.exe	42
PID 2480 wrote to memory of 2940	2480	cmd.exe	42
PID 2480 wrote to memory of 2940	2480	cmd.exe	42
PID 2480 wrote to memory of 2940	2480	cmd.exe	42
PID 2124 wrote to memory of 2180	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	43
PID 2124 wrote to memory of 2180	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	43
PID 2124 wrote to memory of 2180	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	43
PID 2124 wrote to memory of 2180	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1036	2180	cmd.exe	45
PID 2180 wrote to memory of 1036	2180	cmd.exe	45
PID 2180 wrote to memory of 1036	2180	cmd.exe	45
PID 2180 wrote to memory of 1036	2180	cmd.exe	45
PID 2124 wrote to memory of 1604	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	46
PID 2124 wrote to memory of 1604	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	46
PID 2124 wrote to memory of 1604	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	46
PID 2124 wrote to memory of 1604	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	46
PID 1604 wrote to memory of 1596	1604	cmd.exe	48
PID 1604 wrote to memory of 1596	1604	cmd.exe	48
PID 1604 wrote to memory of 1596	1604	cmd.exe	48
PID 1604 wrote to memory of 1596	1604	cmd.exe	48
PID 2124 wrote to memory of 1220	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	49
PID 2124 wrote to memory of 1220	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	49
PID 2124 wrote to memory of 1220	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	49
PID 2124 wrote to memory of 1220	2124	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	49
PID 1220 wrote to memory of 2532	1220	cmd.exe	51
PID 1220 wrote to memory of 2532	1220	cmd.exe	51
PID 1220 wrote to memory of 2532	1220	cmd.exe	51
PID 1220 wrote to memory of 2532	1220	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "del C:\Windows\system32\drivers\inc\HPsys\*.* /q"
  2⤵
  PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "ipconfig -all >C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys & net view >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys & netstat -an >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys & systeminfo >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig -all
    3⤵
    - Gathers network information
    PID:1140
- - C:\Windows\SysWOW64\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:2704
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "net start >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys & tasklist /svc >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys & dir c: >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys & dir d: >>C:\Windows\system32\drivers\inc\Ticcautdhpnetinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /svc
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree C: /F /A >>C:\Windows\system32\drivers\inc\Ticcautdhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\tree.com
    tree C: /F /A
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree D: /F /A >>C:\Windows\system32\drivers\inc\Ticcautdhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\tree.com
    tree D: /F /A
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree E: /F /A >>C:\Windows\system32\drivers\inc\Ticcautdhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\tree.com
    tree E: /F /A
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree F: /F /A >>C:\Windows\system32\drivers\inc\Ticcautdhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  PID:1716
- - C:\Windows\SysWOW64\tree.com
    tree F: /F /A
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree G: /F /A >>C:\Windows\system32\drivers\inc\Ticcautdhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  PID:1216
- - C:\Windows\SysWOW64\tree.com
    tree G: /F /A
    3⤵
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys

Filesize
1KB

MD5
8099a02c3c96840ada46a5dd77951418

SHA1
03a5876220e8c37fe2c52db058560d36ff13cc6d

SHA256
d7b3b40f834c898606d7a5eb515e1f92e5f65102aaea1d26f23441a6ae067eec

SHA512
54cf0402cf0322366ec1b7db1a8144d0a4f28c6d27f733ec6ea44d472b0181370d74f733bddd4e9b574dc067b4992294f255af66577df492a5f47d0a32632a78

Download Submit
C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys

Filesize
1KB

MD5
8c844629aad94cd7edb9a0cc1f26ec07

SHA1
a5e7d9464ce871448f5bde93c879a96d4d412c2f

SHA256
300869576c898807984535e07c68e029bb4a5e409074e1d62b60269bfdb07f9a

SHA512
3d21ca690d70dfa3e846b0a46e856f8ae8af8c884769c7d5177ba35e38a0d9cd0695365342bdb5b8ea9feca1475f3fca9d1f5dc9b95343a52939b13bf12a071a

Download Submit
C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys

Filesize
1KB

MD5
76197fd2784657004fdb240268afeca5

SHA1
eba03469cda679b1f3916957b43aad7c21815537

SHA256
6bcfdccefd463aaf76f7ac8ca873191ceda3cbb0b8d43a0bab77f741a8183ff0

SHA512
4f116d90a29b6d70e2e0ec93a16d0f85942de62a3429e522a019af16368df13e88df713e272120acfee3c34ad992c27aceb2c43f51bc531e25dd95dc61fb0200

Download Submit
C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys

Filesize
1KB

MD5
c7b4c9a51149b72134666d2531f3a0f4

SHA1
7ef5caf5521057bc8b1f3172c00393c0cc716256

SHA256
a49639c2dfa6dead551e8eda325d64384c5e5cfadbfdf04e52295a9707ce9d18

SHA512
78121bcf685772aedd16838f6e1b3fafea417dd8e5111caa7ea96ccf3924f6d3c051068ae1f4eb6f7ed285be8a82631bb0e493c83baa7d20ff834e862da8dce2

Download Submit
C:\Windows\SysWOW64\drivers\inc\Ticcautdhpinfo.sys

Filesize
1KB

MD5
b8479b94092d75ae2b8af5f874465a17

SHA1
8ccb1cec26c2f0cf47a2d1707db609f1f6222137

SHA256
81a97f284683c69ecda8808930007f0fe15d0646485abeec8a51de405a45b769

SHA512
cd38553465df991480f6c0f5db8cfab4d20b56bc91c74a504d66bc79daf20564fc868c383babd12328760ba099424b8dfbf3336b3b0945b5e7e5400b229101d5

Download Submit
C:\Windows\SysWOW64\drivers\inc\Ticcautdhpnetinfo.sys

Filesize
5KB

MD5
868f830b38a08a19edd724e32ba36cdb

SHA1
5a2018201a610f4770fa414d87b5544a757d3e76

SHA256
514d3b663f909e9445cd36685fd10064c3bcd80c5253977e2e6293dfbed273da

SHA512
76536456885ecf128cf8d16d1e5559804897fdb90f89453583fa517a0dcfc2bd4f0f3aa909c6a0a92762186cac66a87c470474f1356c64cd434dabb8e9ebdb7a

Download Submit
C:\Windows\SysWOW64\drivers\inc\Ticcautdhpnetinfo.sys

Filesize
12KB

MD5
2aed6839c7f3b3f86ce09de67c705360

SHA1
e2c7b11f4c723d69933db487df0a61ae4a3c6553

SHA256
0222fc7f2e3ef82637e58d35c53bd7e5461cceeae3801ef85eeab8987a062ce5

SHA512
2386e6b269668280f17261611958c4d2a79bd9572fc7c48e292588d4e92be5c8c0444c48a3ec4b6840031334d088929d0e1356f993ed4f231a6c85f82faec203

Download Submit
memory/2124-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2124-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download