c08556d3e92cb3ce9146679255bf971c3e6289f59773a0b9fc6135459aad63ec

Analysis

max time kernel
140s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Size

137KB
MD5

171cbefc4179440572eb137b65db294e
SHA1

d6810733d3a576aa83d059f67716f4033778b73e
SHA256

c08556d3e92cb3ce9146679255bf971c3e6289f59773a0b9fc6135459aad63ec
SHA512

aeab5f7478593559a19fac99f1914be58962007fcf4dd682aa6acecb6f3e3c34ab2f3956779fa9d15e529f4f9382c9911b15426e6b814af146e05520d52c4cb7
SSDEEP

1536:e4m5hdG78SadgsB6qAVmO1IrScroNmf97wNyic2fkf1a4HaBRr9wzdggaWL:eFk7xGgs8q9jf97y7c2fVYaBRBmgg

Score

8^/10

evasion execution upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
264	259447945cba.exe

Loads dropped DLL 4 IoCs

pid	Process
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1704-19-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1704-32-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdnfdb.dll	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\progra~1\Len0v0\One.inf	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
File created	C:\progra~1\Len0v0\One.sys	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
File created	C:\progra~1\Len0v0\One.dll	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\323.mp3	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2424	sc.exe
2528	sc.exe
2652	sc.exe
2564	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeAuditPrivilege	2428	svchost.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeRestorePrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1188	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	28
PID 1704 wrote to memory of 1188	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	28
PID 1704 wrote to memory of 1188	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	28
PID 1704 wrote to memory of 1188	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2528	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2528	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2528	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2528	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2652	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	32
PID 1704 wrote to memory of 2652	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	32
PID 1704 wrote to memory of 2652	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	32
PID 1704 wrote to memory of 2652	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	32
PID 1704 wrote to memory of 2564	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2564	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2564	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2564	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	34
PID 1704 wrote to memory of 2424	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	37
PID 1704 wrote to memory of 2424	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	37
PID 1704 wrote to memory of 2424	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	37
PID 1704 wrote to memory of 2424	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	37
PID 1704 wrote to memory of 264	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	39
PID 1704 wrote to memory of 264	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	39
PID 1704 wrote to memory of 264	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	39
PID 1704 wrote to memory of 264	1704	171cbefc4179440572eb137b65db294e_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\171cbefc4179440572eb137b65db294e_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" import C:\Windows\323.mp3
  2⤵
  PID:1188
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config PolicyAgent start= auto
  2⤵
  - Launches sc.exe
  PID:2528
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop PolicyAgent
  2⤵
  - Launches sc.exe
  PID:2652
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start PolicyAgent
  2⤵
  - Launches sc.exe
  PID:2564
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop PolicyAgent
  2⤵
  - Launches sc.exe
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\259447945cba.exe
  "C:\Users\Admin\AppData\Local\Temp\259447945cba.exe"
  2⤵
  - Executes dropped EXE
  PID:264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\323.mp3

Filesize
56KB

MD5
bc8025bc98da7f4ed891c9f9991d3ff1

SHA1
70a69a7fcebe9b43f00a1fa713e3a0621bf3ac6d

SHA256
59b9dc39d69f8b0aa350f550e42e632b396237865776d0ce75477f8fe3f9016f

SHA512
7f772261e003d2df9162ae4aeaab2bda674ee2721b3300cc8b2a2f4904af6bc9c565c7f2c3e67a7394eb1a387860a2544fc5bdc3e6de384b664f8d232ad6acf5

Download Submit
\PROGRA~1\Len0v0\One.dll

Filesize
10KB

MD5
b0e097256838fb16f979918102d13bb3

SHA1
1715a838b2b7e4f36424f06e16b543165d3d1792

SHA256
e2aa94cb988562c24f261927c1dfcd8e5139f570115abb6ef8f1cce37cc2a4e1

SHA512
82a7c493737e79277027132ebb6cba39a9cf7d488dad3e768fd10074eabc9454dd977a3e8a6882ddaf4b46c558d48f2a14f399a63ae8c824bf245efe1c322495

Download Submit
\Users\Admin\AppData\Local\Temp\259447945cba.exe

Filesize
15KB

MD5
6305c392101fc885092d409b5ee49595

SHA1
40d7099d7cf129df398766399fd9b6f5de54b5b2

SHA256
75c1230d1c81b01785fac864f909a8a2a358b06b77853136520cce095e0add2e

SHA512
48f4c611d6ef831f62b0ae92cd81244f2b6bb0efd348b72a590c19322c2e35c1c933cf624d783b01728206e5cf32e85191eccf51d6b3969974577597f345bc9b

Download Submit
\Windows\SysWOW64\kdnfdb.dll

Filesize
16KB

MD5
add4832059173fcdb135d949194ad52b

SHA1
33f1dfd83e76e0897bd134d380fd56431a7cde6b

SHA256
2f9b075862a8509928a48c20bd988215c4f754d2ee3171cf15320ffe6f77f957

SHA512
ac04e7ec33592423a85dbcd0aa7a40e5e63671ad712101f007db8551be49b407c508e17d80fd3dcdece2a9d0a8cf9980aae5aa76e8452af73485fd62f31ad0d5

Download Submit
memory/1704-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1704-9-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1704-18-0x0000000002650000-0x0000000002656000-memory.dmp

Filesize
24KB

Download
memory/1704-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1704-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1704-34-0x0000000002650000-0x0000000002656000-memory.dmp

Filesize
24KB

Download