897611a1fd6a2ff93247a0758f06ce5c34a06b50a859de487d10cd7d58d243f7

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Size

62KB
MD5

0d7b33db1f531966add6c065885a5501
SHA1

cd7e136a587ecfa164010042540b2aac44ebb81c
SHA256

897611a1fd6a2ff93247a0758f06ce5c34a06b50a859de487d10cd7d58d243f7
SHA512

a12f4ad98db107cca8e9824f7ba7e48004a2c837fb43fee1e52aea95cb2f01341c2970558b410cc78286502606af8be82e85882544a8d68a760327b4581e3df8
SSDEEP

768:t4xjgvZqw6axPo6qcHMV4+ZC7d9443l/kJ/MUTW+cieBN2QOx2jqpoINN6fTjiAt:6SvZqNMPo3cHH5dk7TWkeBoTYqpqf0O

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\McaFee virus detect program. = "c:\\Program Files\\Network Associates\\VirusScan\\McaUpdate.exe"	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys	cmd.exe
File created	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfolzw.sys	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4932-0-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/4932-2-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/4932-22-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1584	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4472	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1908	ipconfig.exe
1568	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2316	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	NETSTAT.EXE
Token: SeDebugPrivilege	4472	tasklist.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3524	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	80
PID 4932 wrote to memory of 3524	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	80
PID 4932 wrote to memory of 3524	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	80
PID 4932 wrote to memory of 3776	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	82
PID 4932 wrote to memory of 3776	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	82
PID 4932 wrote to memory of 3776	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	82
PID 3776 wrote to memory of 1908	3776	cmd.exe	84
PID 3776 wrote to memory of 1908	3776	cmd.exe	84
PID 3776 wrote to memory of 1908	3776	cmd.exe	84
PID 3776 wrote to memory of 1584	3776	cmd.exe	85
PID 3776 wrote to memory of 1584	3776	cmd.exe	85
PID 3776 wrote to memory of 1584	3776	cmd.exe	85
PID 3776 wrote to memory of 1568	3776	cmd.exe	93
PID 3776 wrote to memory of 1568	3776	cmd.exe	93
PID 3776 wrote to memory of 1568	3776	cmd.exe	93
PID 3776 wrote to memory of 2316	3776	cmd.exe	94
PID 3776 wrote to memory of 2316	3776	cmd.exe	94
PID 3776 wrote to memory of 2316	3776	cmd.exe	94
PID 4932 wrote to memory of 2264	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	97
PID 4932 wrote to memory of 2264	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	97
PID 4932 wrote to memory of 2264	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	97
PID 2264 wrote to memory of 4732	2264	cmd.exe	99
PID 2264 wrote to memory of 4732	2264	cmd.exe	99
PID 2264 wrote to memory of 4732	2264	cmd.exe	99
PID 4732 wrote to memory of 856	4732	net.exe	100
PID 4732 wrote to memory of 856	4732	net.exe	100
PID 4732 wrote to memory of 856	4732	net.exe	100
PID 2264 wrote to memory of 4472	2264	cmd.exe	101
PID 2264 wrote to memory of 4472	2264	cmd.exe	101
PID 2264 wrote to memory of 4472	2264	cmd.exe	101
PID 4932 wrote to memory of 1060	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	102
PID 4932 wrote to memory of 1060	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	102
PID 4932 wrote to memory of 1060	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	102
PID 1060 wrote to memory of 4348	1060	cmd.exe	104
PID 1060 wrote to memory of 4348	1060	cmd.exe	104
PID 1060 wrote to memory of 4348	1060	cmd.exe	104
PID 4932 wrote to memory of 3584	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	105
PID 4932 wrote to memory of 3584	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	105
PID 4932 wrote to memory of 3584	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	105
PID 3584 wrote to memory of 680	3584	cmd.exe	107
PID 3584 wrote to memory of 680	3584	cmd.exe	107
PID 3584 wrote to memory of 680	3584	cmd.exe	107
PID 4932 wrote to memory of 4464	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	108
PID 4932 wrote to memory of 4464	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	108
PID 4932 wrote to memory of 4464	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	108
PID 4464 wrote to memory of 1224	4464	cmd.exe	110
PID 4464 wrote to memory of 1224	4464	cmd.exe	110
PID 4464 wrote to memory of 1224	4464	cmd.exe	110
PID 4932 wrote to memory of 5060	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	111
PID 4932 wrote to memory of 5060	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	111
PID 4932 wrote to memory of 5060	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	111
PID 5060 wrote to memory of 920	5060	cmd.exe	113
PID 5060 wrote to memory of 920	5060	cmd.exe	113
PID 5060 wrote to memory of 920	5060	cmd.exe	113
PID 4932 wrote to memory of 888	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	114
PID 4932 wrote to memory of 888	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	114
PID 4932 wrote to memory of 888	4932	0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe	114
PID 888 wrote to memory of 2576	888	cmd.exe	116
PID 888 wrote to memory of 2576	888	cmd.exe	116
PID 888 wrote to memory of 2576	888	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "del C:\Windows\system32\drivers\inc\HPsys\*.* /q"
  2⤵
  PID:3524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "ipconfig -all >C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & net view >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & netstat -an >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & systeminfo >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig -all
    3⤵
    - Gathers network information
    PID:1908
- - C:\Windows\SysWOW64\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1584
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "net start >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & tasklist /svc >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & dir c: >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & dir d: >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:856
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /svc
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree C: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\tree.com
    tree C: /F /A
    3⤵
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree D: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\tree.com
    tree D: /F /A
    3⤵
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree E: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\tree.com
    tree E: /F /A
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree F: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\tree.com
    tree F: /F /A
    3⤵
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "tree G: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\tree.com
    tree G: /F /A
    3⤵
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys

Filesize
2KB

MD5
632f2c476aae0fbe08304d1bdbf3da90

SHA1
e4db5877a0d2ee915370dd9f64963c177239384b

SHA256
f11982e6e0466b86eaa121d538116dfccb23f27ed27f8a5f1b6473995afec8d2

SHA512
c414cab0484dd75ef23278138367523b90d0009695cea19a920352da66ac6dbaad8dd6c4d8525bfe8c9a80c57950ce08c424154dce084a0448b7fff24bdfdaac

Download Submit
C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys

Filesize
2KB

MD5
f2b6a5c7f4f3c97873a47ff720aafe5a

SHA1
49aca91572e049e6a3fe1cb4729a4f6c2cc98ff6

SHA256
16e9ee878b851bf3991c004afe13038cf11e759e50e25dbf94112f794aee5c89

SHA512
943590a35d9f87ee1eba82d831089b87af1c417402b981500f8df8170be98da41de6583b5a3f65f9633c4706d1a742e5678c35a54e8832e3b876d950f450125f

Download Submit
C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys

Filesize
2KB

MD5
a3d71265a9d540907d1a4f62c4e733b3

SHA1
c57c388dd731c4dac11b1fa13bdfb7ee1117e3c0

SHA256
ae86651c1f0e2f64069571904d7030a8d79656aa235e1070357176408dcbf5e2

SHA512
b4c60060eaa04754aea2b864894fb9cb2d8c6c36fa5e19aa7a915ae8eba72329bbb910476d8300d5f8f5e49947f8bb47549a75d563edb95aaa2e8d1cac37f8d4

Download Submit
C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys

Filesize
2KB

MD5
7cd364c5a25b8847cd1ec92d4406825a

SHA1
10a46a37738c693ee0cbb9d9090cd3b16985219e

SHA256
51512e0957b67b3bf83969f52ca08ce0661ba4e981a93936b5d6f8a94b874810

SHA512
e348af35be61ac6b109298bd4157ed46aba0ed1a5bafddd2c35e118752febcf51268337ef2a1d6149373bfb7efff989b3d0ea353ca1f3c835782398b7fcd4c01

Download Submit
C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys

Filesize
2KB

MD5
60d2d4573c106a570ebde1522121eeef

SHA1
9353a111b7a73c5c1b3b2e0903788aa9ecdf009c

SHA256
84bbc9ac9f523427ab730a2dbd71f5ca20d7248a23102966a4fafc52cec636aa

SHA512
6aff6e003675a89e42f48f8e1dd60c089356b78879e4e4bd4ad1484152e3f2a95ea4ca8049721c343c7d7de4d3121fe84a3f15a1f4be65f7d6a3f5b8fcefd6ab

Download Submit
C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys

Filesize
6KB

MD5
eb92329e953e7a76cb7f1638e462b644

SHA1
5f16be44bd78684bfd3139550dc6439fa74ea37e

SHA256
a48bf1d350434906ed40a5a40d93a44fc6e1fee595c63b06765d4b8fd70c39be

SHA512
20bd6ad39356c4f5d8519c1169dbbbc99e73373cca9b582379ee4f862e25981bdbdef5a9c7253f35e0e1350958b7cd909ba310409ba36378ebf27136e4bc926a

Download Submit
C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys

Filesize
19KB

MD5
1b4326f8176e19eb3c20b3b8e1277adc

SHA1
4eae3fd83fc46b032f5c2693260a8481917c01c9

SHA256
254f471bded492401a07bc19b344a0c5654e00cb8ddad75b61eb63504254f848

SHA512
0b13731a691cb2b37b71c313a1360b375ab5620fbf09622a814a0cea484b7f2c819c5989257f8d7b18f68f5ee0c240a5611f10a291c32f9dbe3c586998f18c73

Download Submit
memory/4932-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4932-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4932-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download