ec959d30cbd501b5e81246cc8b3e9ad171e4cf7b629a40fdae8acbd09a292bff

Analysis

max time kernel
142s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe
Size

1.5MB
MD5

0e60642f21f5e25d644a032eb085b9f6
SHA1

a1e41e9576a20dd5f29f5ad1b6a246b287e9063c
SHA256

ec959d30cbd501b5e81246cc8b3e9ad171e4cf7b629a40fdae8acbd09a292bff
SHA512

d534b6f2bbccfbbfc2640589595afcf27b8f01e87f23edffa6df74f42ae16585e554c8a24e1765d8a4e4f82381738d698f8d2d44badfd330b71096b3f3b91625
SSDEEP

49152:j2XGhfikdOXuiej91aKz0BtFgQn+cM9a3NuZI:jiGNiPuXnzA5ys30Z

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\ctfmon.exe \""	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3044	setup.exe
2756	chaosupgrade.exe
2532	ctfmon.exe

Loads dropped DLL 19 IoCs

pid	Process
2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
2756	chaosupgrade.exe
2756	chaosupgrade.exe
2756	chaosupgrade.exe
2532	ctfmon.exe
2532	ctfmon.exe
2532	ctfmon.exe
2532	ctfmon.exe
2532	ctfmon.exe
3044	setup.exe
2756	chaosupgrade.exe
2756	chaosupgrade.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	chaosupgrade.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2500	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
2532	ctfmon.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	setup.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2532	ctfmon.exe
2532	ctfmon.exe
2756	chaosupgrade.exe
2756	chaosupgrade.exe
2756	chaosupgrade.exe
2756	chaosupgrade.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 2880 wrote to memory of 3044	2880	0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2756	3044	setup.exe	29
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 2532	3044	setup.exe	30
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3044 wrote to memory of 3064	3044	setup.exe	31
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 3064 wrote to memory of 2428	3064	cmd.exe	33
PID 2428 wrote to memory of 2500	2428	cmd.exe	34
PID 2428 wrote to memory of 2500	2428	cmd.exe	34
PID 2428 wrote to memory of 2500	2428	cmd.exe	34
PID 2428 wrote to memory of 2500	2428	cmd.exe	34
PID 2428 wrote to memory of 2500	2428	cmd.exe	34
PID 2428 wrote to memory of 2500	2428	cmd.exe	34
PID 2428 wrote to memory of 2500	2428	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e60642f21f5e25d644a032eb085b9f6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\chaosupgrade.exe
    "C:\Users\Admin\AppData\Roaming\chaosupgrade.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2756
- - C:\Users\Admin\AppData\Roaming\ctfmon.exe
    "C:\Users\Admin\AppData\Roaming\ctfmon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c syscheck.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V ctfmon.exe /D "\"C:\Users\Admin\AppData\Roaming\ctfmon.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V ctfmon.exe /D "\"C:\Users\Admin\AppData\Roaming\ctfmon.exe \"" /f
        5⤵
        Adds policy Run key to start application
        Modifies registry key
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
172B

MD5
61d21ff42e2378738c7acb939aecf1fa

SHA1
006283f8e5d75f493f3ebc1d3d02eb383cb18b9e

SHA256
1ad4c1a258c9415f9bcb623a78e77b5e857d1fc1be33f46db030daeae7e58719

SHA512
8179ede61d292461e5002986f1ed06508ce5ca23fbfc19dd363cb56da65306c8c57a45c024c3ea1d0c5a0819223be334a4a3b51c9500f2eb8180201358cf9093

Download Submit
C:\Users\Admin\AppData\Roaming\chaosupgrade.exe

Filesize
120KB

MD5
9762cb860159a9838b065a03cb5d60a3

SHA1
355639e16156bea80c86f6dd4e9facf2607cce06

SHA256
2cd47869927ba0f0c214727bca2ed98814b37959b60b7dc0103c54a7e6e68fad

SHA512
f5f17866c6fd5ff476d4e013dfaa762b278838706e218142505e8c671ec1742cc9f67729235d5029ce86f329b54b7caaff0bd0218ff354604908ea9f26c40341

Download Submit
C:\Users\Admin\AppData\Roaming\ctfmon.exe

Filesize
237KB

MD5
f0832f8fa95fbf622e21da79f12a3739

SHA1
b4967afbd5e66e3c19c10549f2358d9770a78764

SHA256
fa123e6f6e8611e6630afeedcbbafd153326d11cf341044d8c5a81e6f5875305

SHA512
cd774e349979b03732ae0e22fc0409099bdad41d79292ae673cf78d7a877d1c40fee7698051180e50163d0c2108b4ccf295fc2ed126ae5f0772d56acf8638b55

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup.exe

Filesize
1.1MB

MD5
146d21bc5a15ce02b9b95be81c219431

SHA1
15a7d389e56fec684def71fc0915337d368c8cf6

SHA256
d375580e1d06bc00ed24f2c765e9fe2e75770657c5c0578b3911d5285d2a1fc4

SHA512
902a38371cbd506e5c9c2d79065b143287b200c5ed755ffbea6a528bb87d7574394ca5a3e1141d3b24d2144f0f327f381e568dfb7df0f0d589641329614f285d

Download Submit
\Users\Admin\AppData\Roaming\ntdata.dll

Filesize
285KB

MD5
fe2232f82e4beb5ae483da8e699e1a51

SHA1
ed2131d0f70e709f8791bfff64d2b8a4cb658ed5

SHA256
0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e

SHA512
df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b

Download Submit
\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
148KB

MD5
921f473593f90a40253b31bd5d6c876e

SHA1
3ad2fb71ff8ccde1e68e908b55b11227619e3fa5

SHA256
223c12f4c8c6c1c7c75b3a542e173aed16bd171c4f98903c584dc93dfd025602

SHA512
f7b147c1313a1f6b6108a9feebdb4b32dffadadd3c9a60a22914d437e1378b95f1d7f468b6b3b95d7e95eebd500b8bb6c64a410e4d6d0d8f9e6f761592c29c86

Download Submit
memory/2532-37-0x00000000002B0000-0x00000000002FC000-memory.dmp

Filesize
304KB

Download
memory/2532-80-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/2532-46-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/2532-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-79-0x00000000002B0000-0x00000000002FC000-memory.dmp

Filesize
304KB

Download
memory/2756-76-0x00000000002B0000-0x00000000002FC000-memory.dmp

Filesize
304KB

Download
memory/2756-64-0x0000000004F40000-0x0000000005FA2000-memory.dmp

Filesize
16.4MB

Download
memory/2756-77-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/2756-60-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/2880-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2880-7-0x0000000004000000-0x0000000004188000-memory.dmp

Filesize
1.5MB

Download
memory/3044-49-0x00000000034E0000-0x000000000352C000-memory.dmp

Filesize
304KB

Download
memory/3044-62-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3044-63-0x00000000034E0000-0x000000000352C000-memory.dmp

Filesize
304KB

Download