0799ce6bca68ee46cd9c7c6a4519bd1182678176e38e49a3415f759159eec046

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Size

456KB
MD5

1586cc3a130eecae62a61fae4e4db332
SHA1

aa30896f6f3969335a5ac3bcc7023a7817875700
SHA256

0799ce6bca68ee46cd9c7c6a4519bd1182678176e38e49a3415f759159eec046
SHA512

a754074814fef94e0b0d6b73018eff7b1c94cecfbcc693db99df5dfe73d6159910dcc4c3b3e37de9b67014b66c4a8c0877f1b9e2bd60fedea429607609186651
SSDEEP

6144:zg+GnUR3dZVzcqON3wlrfnvoGL4+kPKy/OIjw/5UR3dZVzcqON3wlrfnOeg+BKni:vVtQcrHapjy6VtQcrgnwXQPk

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tokka.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 36 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "tokka.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PcCtlCom.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "tokka.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrlS.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrlS.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PcCtlCom.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrlS.exe\Debugger = "winlogon.exe"	Tokka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "winlogon.exe"	Tokka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PcCtlCom.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "winlogon.exe"	Tokka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "winlogon.exe"	Tokka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "winlogon.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc.exe\Debugger = "winlogon.exe"	Tokka.exe

Executes dropped EXE 4 IoCs

pid	Process
2840	go.exe
2544	Tokka.exe
2856	go.exe
2728	Tokka.exe

Loads dropped DLL 8 IoCs

pid	Process
1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
2840	go.exe
2840	go.exe
2544	Tokka.exe
2544	Tokka.exe
2856	go.exe
2856	go.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShelI = "Tokka.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShelI = "Tokka.exe"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShelI = "Tokka.exe"	Tokka.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShelI = "Tokka.exe"	Tokka.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\autorun.inf	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	Tokka.exe
File created	C:\Windows\SysWOW64\autorun.inf	Tokka.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\go.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Tokka.exe	go.exe
File created	C:\Windows\SysWOW64\Tokka.exe	go.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Tokka.exe	go.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	Tokka.exe
File opened for modification	C:\Windows\SysWOW64\go.exe	Tokka.exe
File opened for modification	C:\Windows\SysWOW64\Tokka.exe	go.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	Tokka.exe
File created	C:\Windows\SysWOW64\autorun.inf	Tokka.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2864	taskkill.exe
2592	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Happy Tokka vs. Microsoft Internet Explorer"	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Happy Tokka vs. Microsoft Internet Explorer"	Tokka.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
2840	go.exe
2840	go.exe
2544	Tokka.exe
2544	Tokka.exe
2856	go.exe
2856	go.exe
2728	Tokka.exe
2728	Tokka.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2864	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	28
PID 1988 wrote to memory of 2864	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	28
PID 1988 wrote to memory of 2864	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	28
PID 1988 wrote to memory of 2864	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	28
PID 1988 wrote to memory of 2840	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2840	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2840	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2840	1988	1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2544	2840	go.exe	32
PID 2840 wrote to memory of 2544	2840	go.exe	32
PID 2840 wrote to memory of 2544	2840	go.exe	32
PID 2840 wrote to memory of 2544	2840	go.exe	32
PID 2544 wrote to memory of 2592	2544	Tokka.exe	33
PID 2544 wrote to memory of 2592	2544	Tokka.exe	33
PID 2544 wrote to memory of 2592	2544	Tokka.exe	33
PID 2544 wrote to memory of 2592	2544	Tokka.exe	33
PID 2544 wrote to memory of 2856	2544	Tokka.exe	35
PID 2544 wrote to memory of 2856	2544	Tokka.exe	35
PID 2544 wrote to memory of 2856	2544	Tokka.exe	35
PID 2544 wrote to memory of 2856	2544	Tokka.exe	35
PID 2856 wrote to memory of 2728	2856	go.exe	36
PID 2856 wrote to memory of 2728	2856	go.exe	36
PID 2856 wrote to memory of 2728	2856	go.exe	36
PID 2856 wrote to memory of 2728	2856	go.exe	36

C:\Users\Admin\AppData\Local\Temp\1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /s . /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\go.exe
  go.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\Tokka.exe
    C:\Windows\SysWOW64\Tokka.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /s . /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\SysWOW64\go.exe
      go.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Tokka.exe
        
        C:\Windows\SysWOW64\Tokka.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
112B

MD5
289b2b890f83ed21a1db157b74813226

SHA1
512fc87f2d105a9449aea9a3ceb19c5d1667cf73

SHA256
7e98ea87f04ca754a6b8f6abc74ff08f20faa50f85b9071af6bc322106d394cd

SHA512
5f6dd5f5f437b10f8d6efcfde7a5c28eaff00c7d42df8f4b0982fda25c9920dfef7464372d687c981418a1037549a6f598e5294620aa3cabd50fb786093bf35a

Download Submit
C:\Windows\SysWOW64\Tokka.exe

Filesize
456KB

MD5
1586cc3a130eecae62a61fae4e4db332

SHA1
aa30896f6f3969335a5ac3bcc7023a7817875700

SHA256
0799ce6bca68ee46cd9c7c6a4519bd1182678176e38e49a3415f759159eec046

SHA512
a754074814fef94e0b0d6b73018eff7b1c94cecfbcc693db99df5dfe73d6159910dcc4c3b3e37de9b67014b66c4a8c0877f1b9e2bd60fedea429607609186651

Download Submit
\Windows\SysWOW64\go.exe

Filesize
60KB

MD5
ac9223cd1090d3c19753028b8f63793f

SHA1
167e04c62af0c5413344eb1e69bc6df45dbe0545

SHA256
5c97e87d145f9beade1f6330b6db08e3bc499aaac7405326223209e4522746d6

SHA512
22b594a3c1a253745164414fd44ba542f7a361b4ada9959c36cd5cb251ad03e52b3d91b86ce9c1c03d80bf82ff3297792e326d6e80f04449eb58b303a8a6f5be

Download Submit
memory/1988-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2544-27-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2728-40-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2728-44-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2840-26-0x00000000024A0000-0x0000000002524000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads