17197c9e103636ab7e6c0615e4b0143c0579d52a4a9f0b0f77dd6d91dca4fa9e

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe
Size

72KB
MD5

26c1c05472608fc132a6de9b2f036f0f
SHA1

c803dbacea063ba7e190df719d71d0d956c68dbc
SHA256

17197c9e103636ab7e6c0615e4b0143c0579d52a4a9f0b0f77dd6d91dca4fa9e
SHA512

6d9f45c90498249422b2a99ed419cdb129cddf225586f68bf42e9d85a1ca7e9a45c288cfcb485a3554b03aa2f5138cd011e9f937d4d548b1209c68aea984f836
SSDEEP

768:bO5MoPND/5Ge2oU8RsodAJLr6gMiibj6Pt29oeHvXE6oMwwrmt9Xd17jV6M:v4j6odAp6gMiGDoOE6Kbt9PnV

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3048	netsh.exe
1816	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2868	oavawqs.exe
2988	oavawqs.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	oavawqs.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oavawqs.exe	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oavawqs.exe	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oavawqs.exe	oavawqs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2480 set thread context of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2868 set thread context of 2988	2868	oavawqs.exe	32
PID 2988 set thread context of 1888	2988	oavawqs.exe	33
PID 2224 set thread context of 1760	2224	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	oavawqs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	oavawqs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	oavawqs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	oavawqs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f07344ceb5ceda01	oavawqs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2224	2480	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2868 wrote to memory of 2988	2868	oavawqs.exe	32
PID 2988 wrote to memory of 1888	2988	oavawqs.exe	33
PID 2988 wrote to memory of 1888	2988	oavawqs.exe	33
PID 2988 wrote to memory of 1888	2988	oavawqs.exe	33
PID 2988 wrote to memory of 1888	2988	oavawqs.exe	33
PID 2988 wrote to memory of 1888	2988	oavawqs.exe	33
PID 2224 wrote to memory of 1760	2224	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	34
PID 2224 wrote to memory of 1760	2224	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	34
PID 2224 wrote to memory of 1760	2224	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	34
PID 2224 wrote to memory of 1760	2224	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	34
PID 2224 wrote to memory of 1760	2224	26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe	34
PID 2988 wrote to memory of 3048	2988	oavawqs.exe	35
PID 2988 wrote to memory of 3048	2988	oavawqs.exe	35
PID 2988 wrote to memory of 3048	2988	oavawqs.exe	35
PID 2988 wrote to memory of 3048	2988	oavawqs.exe	35
PID 2988 wrote to memory of 1816	2988	oavawqs.exe	37
PID 2988 wrote to memory of 1816	2988	oavawqs.exe	37
PID 2988 wrote to memory of 1816	2988	oavawqs.exe	37
PID 2988 wrote to memory of 1816	2988	oavawqs.exe	37

C:\Users\Admin\AppData\Local\Temp\26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\26c1c05472608fc132a6de9b2f036f0f_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1760

C:\Windows\SysWOW64\oavawqs.exe
C:\Windows\SysWOW64\oavawqs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\oavawqs.exe
  C:\Windows\SysWOW64\oavawqs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name="Generic Host Process" dir=in
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
    PID:3048
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Generic Host Process" dir=in program="%systemroot%\system32\svchost.exe" action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
    PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\oavawqs.exe

Filesize
72KB

MD5
26c1c05472608fc132a6de9b2f036f0f

SHA1
c803dbacea063ba7e190df719d71d0d956c68dbc

SHA256
17197c9e103636ab7e6c0615e4b0143c0579d52a4a9f0b0f77dd6d91dca4fa9e

SHA512
6d9f45c90498249422b2a99ed419cdb129cddf225586f68bf42e9d85a1ca7e9a45c288cfcb485a3554b03aa2f5138cd011e9f937d4d548b1209c68aea984f836

Download Submit
memory/1760-51-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1760-46-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1888-38-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1888-41-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1888-42-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1888-43-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1888-44-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1888-45-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/2224-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2988-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads