5ae4eaa87266278a2fe9c3fe8ddb48de0f47318acf73bbfc533c6dcd3155c732

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe
Size

162KB
MD5

1952cc987a40a9e33ad97ae90ef8426a
SHA1

b9e9afa655cf6cc86c17728eab48ab7b42e59860
SHA256

5ae4eaa87266278a2fe9c3fe8ddb48de0f47318acf73bbfc533c6dcd3155c732
SHA512

0a8f482d6482011cdd7427fa3adb76d7d3426ef12d153079adb345217d03252ace1d8405fa06a3852118e2e2cb06acf8e44752254c2eecafb64ac951f07e0cc4
SSDEEP

3072:NftffjmNox34elsUeaEXW6BQZv6NSgapKbDsnplerDRBjZqMN:dVfjmNEpyrZdBQZvGakbHxv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	Logo1_.exe
2644	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	cmd.exe
2332	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe
File created	C:\Windows\Logo1_.exe	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2332	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	28
PID 1280 wrote to memory of 2332	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	28
PID 1280 wrote to memory of 2332	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	28
PID 1280 wrote to memory of 2332	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	28
PID 1280 wrote to memory of 3044	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	29
PID 1280 wrote to memory of 3044	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	29
PID 1280 wrote to memory of 3044	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	29
PID 1280 wrote to memory of 3044	1280	1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2600	3044	Logo1_.exe	31
PID 3044 wrote to memory of 2600	3044	Logo1_.exe	31
PID 3044 wrote to memory of 2600	3044	Logo1_.exe	31
PID 3044 wrote to memory of 2600	3044	Logo1_.exe	31
PID 2332 wrote to memory of 2644	2332	cmd.exe	33
PID 2332 wrote to memory of 2644	2332	cmd.exe	33
PID 2332 wrote to memory of 2644	2332	cmd.exe	33
PID 2332 wrote to memory of 2644	2332	cmd.exe	33
PID 2600 wrote to memory of 2628	2600	net.exe	34
PID 2600 wrote to memory of 2628	2600	net.exe	34
PID 2600 wrote to memory of 2628	2600	net.exe	34
PID 2600 wrote to memory of 2628	2600	net.exe	34
PID 3044 wrote to memory of 1188	3044	Logo1_.exe	21
PID 3044 wrote to memory of 1188	3044	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1EB7.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      PID:2644
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
9ad514334a1bfc1c74a46280c09776a4

SHA1
7fdd2f8c9f97512731093e5062eaaf072616a7d1

SHA256
62b8ca5c76c6e2a97620aeb19d1c71c15eda277ff2bf9e9944bc542313b22aee

SHA512
2446c7fc0039b0967e206af79e35c385e9f401a625aa7b20af9068fe0ae3e6cba65c566d508935ae28e90712745c76e251265c0e7503c73e51c0a7fe028efcb0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1EB7.bat

Filesize
614B

MD5
1a4c080ef490908243d366f6153626e6

SHA1
18c2e33c7b4886421c80cef45a999b0831a099f4

SHA256
dcfb3433bf1c4c96378540a9bd407bfed2b539d10d970141a92ac3ec33b9122a

SHA512
ad296170692d190c85af7c90ed547fba9d3e9999cc191c529bc379593230f6562d3eca7276b1fec15e77602da467010334e736b8ea6d1b80d9a7f389890bd138

Download Submit
C:\Users\Admin\AppData\Local\Temp\1952cc987a40a9e33ad97ae90ef8426a_JaffaCakes118.exe.exe

Filesize
136KB

MD5
25d82b8fac8d48b26f6c786cf9a837eb

SHA1
fdacc1a8d0763e9503e5cc3835166ccf11e265b5

SHA256
832dc7612c66c3ea20a24a77ecb504de69da961f250eb32fd04b0c3c977b7085

SHA512
3e18a3d5d6f710493009eb4d67518a528b8b586f291db1370f44293e3cd9093578eacfa9387c76423b31279eafbf417db803cd632ffc27ae2b74e948290c828c

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
c05108fbb845c342b64f0a379a2b3b9c

SHA1
12e24d99b5b22a712f6315a09f2a6bb5e2e9753f

SHA256
4038629babea975362c795543e13e53110f26a4513973f12dd4e50203925e6f5

SHA512
73037eeb9ae369e425b591fa921a2beebc7e9ec4da68c1d56f9ca4576f1ac80e29c17e44e275bb2150bb3efbf922a336802f28e7ef3a685112221a724df2bfdd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

Filesize
9B

MD5
7905486656bdf3fb568c8ea7abf7bda1

SHA1
49bd27ff3dcc248ecab0f726abb60ca35dc0e78c

SHA256
238153572e1dcd784aa47b53eba4a41558719a908862c7b3d186928fb0237b09

SHA512
b981b1fd177812b877c92b63b7261d2951b98871da87c20232cb70317a68694d7f7b24cf2f01bc3db01f192b2b8b84c7569a2472204ec4e66226d1efd14c9c14

Download Submit
memory/1188-30-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1280-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-677-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-1876-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-2272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-3336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download