e026f6f1a5a4f5b39e68c8cdb050334174764d2c7fe041073c6e64872a3a4099

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Size

165KB
MD5

1c5eb0e8f00fd584e8d1d3006278fe76
SHA1

03f5aa75940b9176a97ac41257f306c33cca93da
SHA256

e026f6f1a5a4f5b39e68c8cdb050334174764d2c7fe041073c6e64872a3a4099
SHA512

592c5856367f942c29f9f88c7ed20f65eb453475991ffafa11cd72b4c45ca3e58f47af0d4daf6cda2a3800de45789d55596bfcfe3588ee4f7f77417e52474590
SSDEEP

3072:yo5Htro+64OBGLvtwT+rGkLB0oA50BFLqlNyoNCzN2D3zCCR9GPU1:351llOBGLvuT+rjLBxAblNyN2zz7RWM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1844	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
1740	WerFault.exe

Loads dropped DLL 9 IoCs

pid	Process
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SYSWOW64\WERFAULT.EXE	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\setupact.log	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\setuperr.log	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\diagerr.xml	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\diagwrn.xml	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process
1740	1844	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 20057459f6cbda01	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Migration	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 20057459f6cbda01	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 24 IoCs

pid	Process
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Token: SeRestorePrivilege	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Token: SeRestorePrivilege	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1844	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
Token: SeRestorePrivilege	1844	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
Token: SeBackupPrivilege	1844	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
Token: SeChangeNotifyPrivilege	1844	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1844	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	29
PID 852 wrote to memory of 1844	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	29
PID 852 wrote to memory of 1844	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	29
PID 852 wrote to memory of 1844	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	29
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 372	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	3
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 396	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	4
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 432	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	5
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 480	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	6
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 488	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	7
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 496	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	8
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 604	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	9
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 680	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	10
PID 852 wrote to memory of 760	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	11
PID 852 wrote to memory of 760	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	11
PID 852 wrote to memory of 760	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	11
PID 852 wrote to memory of 760	852	1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe	11

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2424
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1008
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1084
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1092
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2304
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2252
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-677212024-73098000-77438666348748318697769356464776911-1326470532-128575295"
  2⤵
  PID:1668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
    C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 92
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Program crash
      PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe

Filesize
60KB

MD5
cd963c64ad0bea4ca85a4819f6eefed1

SHA1
d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

SHA256
33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

SHA512
f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

Download Submit
C:\Windows\SysWOW64\WerFault.exe

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
memory/852-0-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/852-10-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/852-9-0x000000007774F000-0x0000000077750000-memory.dmp

Filesize
4KB

Download
memory/852-14-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1740-17-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1844-16-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1844-25-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download