395317448d8d6e65bfcaae02a963bacbece2402c002b548765dedb7c9ea8f56c

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
Size

30KB
MD5

2289bd4ac5da0afbb734d2d8aab933b7
SHA1

83bcb67e5c5a7def9010eb9592f2ce4f621571e0
SHA256

395317448d8d6e65bfcaae02a963bacbece2402c002b548765dedb7c9ea8f56c
SHA512

580ea7440c58590e1fe1d17239b22a81485ff38e39c59343bb0d68021171d5a0bd9477bb713916c178006d279f5e3473c7a827944b202e469fbd2258e49e19f4
SSDEEP

768:4VTsxfSjwC7On2qcQk7GW6OyOzhUG1nbcuyD7UONm:w2LB2R7yOzqG1nouy8Sm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\t:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\u:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\v:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\y:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\h:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\q:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\r:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\x:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\z:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\p:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\i:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\s:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\e:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\j:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\k:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\m:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\n:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\o:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\w:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened (read-only)	\??\g:	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259397526.CPL	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rgdltecq\ngoifz.pif	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\rgdltecq\ngoifz.pif	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\259397526.CPL"	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
Token: SeDebugPrivilege	2648	2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2289bd4ac5da0afbb734d2d8aab933b7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259397526.CPL

Filesize
12.1MB

MD5
1c75cc7f0447939b32adcc46077acf3b

SHA1
a9cbf03add11ab7b1428e70bf97c08757ba1b820

SHA256
b9572f7dca1d3d7b74b7a337041a65c982c7ca35d6a12b32473ff1c6119458b9

SHA512
e4d74f465a47ac737d47dbdd08a8d9b8779b6ff18f2f2a43d7774e5b8bf6312f87c249d5205b6a52670dd152c8b59c5bda08c75b6d0ca4bdad127e80a6b75be3

Download Submit
memory/2648-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2648-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download