ef65ff8d1127cdf737898d28247f215f62d8ee70e02faebc5ec19f18878ee4fb

Analysis

max time kernel
141s
max time network
134s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
Size

268KB
MD5

26a9c623d246bcd3aff93be73e73b82f
SHA1

b74e161f0c0bd87046475676d804db0f99475924
SHA256

ef65ff8d1127cdf737898d28247f215f62d8ee70e02faebc5ec19f18878ee4fb
SHA512

c97d94148c826b8bcc664bc5f22373b2362836559b0b23f76dad6d040c5f7fed0a3c726d5061a02dc69f774b4305cc66eaeb8a4b9c60f9c206f2f59d5e932003
SSDEEP

6144:ioglNYGIMfbj3pdFpTrjeNxJ4LX+a5toF4cX9ZSoab+QWgwWobEHF:i1lGAfbj3NpnjeJufY4cGDWPzg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	realupdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	sites.google.com
8	sites.google.com

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\THWP0LQ3.txt	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_9070507DE94D60F7B5DD071F498E2210	realupdate.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HBCG5DIM.txt	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	realupdate.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\PRYTQYGJ.txt	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\PRYTQYGJ.txt	realupdate.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\THWP0LQ3.txt	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HBCG5DIM.txt	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_9070507DE94D60F7B5DD071F498E2210	realupdate.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\PHPOHUMU.txt	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\PHPOHUMU.txt	realupdate.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\realupdate.exe	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
File opened for modification	C:\Windows\realupdate.exe	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
File created	C:\Windows\UNINSTAL.BAT	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	realupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = 00ae4127b1ceda01	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	realupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\8a-b4-51-e9-59-b0	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	realupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	realupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0\WpadDecisionTime = 00ae4127b1ceda01	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	realupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	realupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionReason = "1"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	realupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	realupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadNetworkName = "Network 3"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecision = "0"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	realupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0\WpadDecision = "0"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	realupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0\WpadDecisionReason = "1"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	realupdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
Token: SeDebugPrivilege	2932	realupdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2932	realupdate.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2640	2932	realupdate.exe	29
PID 2932 wrote to memory of 2640	2932	realupdate.exe	29
PID 2932 wrote to memory of 2640	2932	realupdate.exe	29
PID 2932 wrote to memory of 2640	2932	realupdate.exe	29
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2568	2836	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2568

C:\Windows\realupdate.exe
C:\Windows\realupdate.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
ca8c3807fa27378233305a5149797acf

SHA1
999469aa1e6dfeb7ed4bc73cb978c2a49239d89e

SHA256
b9419da04db4394c4a22c80c36f61b6d06e2e3acf8df71080722733156baf77b

SHA512
39cd24e973abe4bde382c4fbbc48e51debeda5d1a4d8d53c235d64b14d409e5d2adb50403d3fb6f918e82d6a28f3e676dca99cb53d7867f22f57ca2b73994d6f

Download Submit
C:\Windows\realupdate.exe

Filesize
268KB

MD5
26a9c623d246bcd3aff93be73e73b82f

SHA1
b74e161f0c0bd87046475676d804db0f99475924

SHA256
ef65ff8d1127cdf737898d28247f215f62d8ee70e02faebc5ec19f18878ee4fb

SHA512
c97d94148c826b8bcc664bc5f22373b2362836559b0b23f76dad6d040c5f7fed0a3c726d5061a02dc69f774b4305cc66eaeb8a4b9c60f9c206f2f59d5e932003

Download Submit
memory/2836-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2836-1-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2836-17-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2932-6-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2932-7-0x0000000000510000-0x0000000000616000-memory.dmp

Filesize
1.0MB

Download
memory/2932-8-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2932-33-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2932-39-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2932-45-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download