dc199af68e70a161df7814b84a352866971e5b8342631a215330f52fe4e9d02b

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
Size

7.4MB
MD5

24358e953fea2c9c3384da7a69be7a68
SHA1

74f5e9b92873cd43a685957153ebf548e3b60c07
SHA256

dc199af68e70a161df7814b84a352866971e5b8342631a215330f52fe4e9d02b
SHA512

21106963a0a9cd641b31520e2b41ac941da4f4ebda4c68de62cb57dd7a37e8a6dbe785deae76421ca29e451fc51891401c50d6ca34505497f6e0f91d5a79f80d
SSDEEP

49152:IZNfcxFpypoNncFZWWi8tc9qcMJ3AzcYsg7GonPh7CXSHU:IZNUbpypotl4Y7Gc7CCHU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2140	KNIGHT ONLINE MULTICLENT.EXE
2548	RUNDLL.EXE

Loads dropped DLL 6 IoCs

pid	Process
1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
2548	RUNDLL.EXE
2140	KNIGHT ONLINE MULTICLENT.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2712	reg.exe
2516	reg.exe
2540	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
2548	RUNDLL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2140	KNIGHT ONLINE MULTICLENT.EXE
2140	KNIGHT ONLINE MULTICLENT.EXE
2140	KNIGHT ONLINE MULTICLENT.EXE
2548	RUNDLL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3020	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	28
PID 1772 wrote to memory of 3020	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	28
PID 1772 wrote to memory of 3020	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	28
PID 1772 wrote to memory of 3020	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	28
PID 3020 wrote to memory of 3068	3020	cmd.exe	30
PID 3020 wrote to memory of 3068	3020	cmd.exe	30
PID 3020 wrote to memory of 3068	3020	cmd.exe	30
PID 3020 wrote to memory of 3068	3020	cmd.exe	30
PID 1772 wrote to memory of 2140	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2140	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2140	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2140	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2712	3068	cmd.exe	32
PID 3068 wrote to memory of 2712	3068	cmd.exe	32
PID 3068 wrote to memory of 2712	3068	cmd.exe	32
PID 3068 wrote to memory of 2712	3068	cmd.exe	32
PID 1772 wrote to memory of 2628	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	33
PID 1772 wrote to memory of 2628	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	33
PID 1772 wrote to memory of 2628	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	33
PID 1772 wrote to memory of 2628	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	33
PID 1772 wrote to memory of 2544	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	36
PID 1772 wrote to memory of 2544	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	36
PID 1772 wrote to memory of 2544	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	36
PID 1772 wrote to memory of 2544	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	36
PID 2628 wrote to memory of 2632	2628	cmd.exe	35
PID 2628 wrote to memory of 2632	2628	cmd.exe	35
PID 2628 wrote to memory of 2632	2628	cmd.exe	35
PID 2628 wrote to memory of 2632	2628	cmd.exe	35
PID 2544 wrote to memory of 2500	2544	cmd.exe	38
PID 2544 wrote to memory of 2500	2544	cmd.exe	38
PID 2544 wrote to memory of 2500	2544	cmd.exe	38
PID 2544 wrote to memory of 2500	2544	cmd.exe	38
PID 2500 wrote to memory of 2516	2500	cmd.exe	39
PID 2500 wrote to memory of 2516	2500	cmd.exe	39
PID 2500 wrote to memory of 2516	2500	cmd.exe	39
PID 2500 wrote to memory of 2516	2500	cmd.exe	39
PID 2632 wrote to memory of 2540	2632	cmd.exe	40
PID 2632 wrote to memory of 2540	2632	cmd.exe	40
PID 2632 wrote to memory of 2540	2632	cmd.exe	40
PID 2632 wrote to memory of 2540	2632	cmd.exe	40
PID 1772 wrote to memory of 2548	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	41
PID 1772 wrote to memory of 2548	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	41
PID 1772 wrote to memory of 2548	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	41
PID 1772 wrote to memory of 2548	1772	24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24358e953fea2c9c3384da7a69be7a68_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2712
- C:\Users\Admin\AppData\Roaming\KNIGHT ONLINE MULTICLENT.EXE
  "C:\Users\Admin\AppData\Roaming\KNIGHT ONLINE MULTICLENT.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2516
- C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
  "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
150B

MD5
1265b09eaea9e3c69fe1f6a4e8b00e6e

SHA1
44face1bde83d56e9d8906c6661a7fae05e330c6

SHA256
9f67284e85933ba4412c4ab49c0638af67b6ee4db37f7c8d91bff97823dc6068

SHA512
30574540682fb600fba844cf1e9b11205c3ac2eb64cfc661a07b8782938715ca4ccdd3ec5fcd2c0f18e34f2678c374adeca6f180ba792ce36826940b7188a57a

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
596KB

MD5
86cc711be46953bb98e58d5d260f43ef

SHA1
0ea0875d064968459f96c43853c0fa80e889b7a0

SHA256
d287d96399e251777b3088b3170b910125d01bc1243e31824b96d37b039ccfce

SHA512
18d5a4accba7dc67f1877bb81b2e635f9d1511e90440d9b876bc491f5c421ce4a7155726595e4c81347e94193f7e5d38992d95d2ca84852cb6ffff7e2475c641

Download Submit
\Users\Admin\AppData\Roaming\knight online multiclent.exe

Filesize
6.0MB

MD5
77317f462a0bc8335b873ada4b71222b

SHA1
98db5922ec06ab3f93fb1b21f1c1446d95649058

SHA256
5e3258e2d05368dc34db960ab576c34798ba6631922439786e67929b24393272

SHA512
6c0fa49d4f48506815c79e238fcdcd0a3192dd7ca754a999a250d6c9d14cc793ec2f26daa64d38edd89b21a95e1b2727edeb68a78c812eff42603005b47c0323

Download Submit
\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
417KB

MD5
e2b7786a6f66cdff399e0ab0c7a2bb3c

SHA1
ebf01463a279bed4da2d77e37cef3b4f54a90318

SHA256
7c1b080ad1eea14bdf2a8324b85c86cc98d8371b86a0079b52e87294f75751bf

SHA512
e169a369af1df7e7e5083d37eb6e4f156d70aaca8f1946412c46f26d07126998c71c1e5d8250a0d591a5cf05dd881875fec2660f73bd1fe9ab34c7ab2846daf1

Download Submit
memory/1772-0-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1772-46-0x0000000000400000-0x0000000000B6E000-memory.dmp

Filesize
7.4MB

Download
memory/2140-53-0x00000000064C0000-0x000000000652E000-memory.dmp

Filesize
440KB

Download
memory/2140-51-0x0000000005450000-0x00000000064B2000-memory.dmp

Filesize
16.4MB

Download
memory/2140-54-0x00000000064C0000-0x000000000652E000-memory.dmp

Filesize
440KB

Download
memory/2548-50-0x0000000000510000-0x000000000057E000-memory.dmp

Filesize
440KB

Download
memory/2548-55-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2548-56-0x0000000000510000-0x000000000057E000-memory.dmp

Filesize
440KB

Download