5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
Size

607KB
MD5

289bdd184a7dbd1f02f3b35de92d8c04
SHA1

7cc34e320093129287d05a4cf33f41c1d5683c02
SHA256

5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f
SHA512

c77c5b91fb6d20ee8b04c0206ea3450b05c40e0865a746ac9dd557f771451a66eca0b66e066880718daa6c0ef36671c7057ac3f38cb91665b9cf321339f96c38
SSDEEP

12288:Iam7zyxnVVejG4q0lAGiqT/QK87nE8UKeA9N47oVMm:IamvyWKHGiqT/q7nEaeW27oVN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4208	svchost.exe
3232	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
4936	svchost.exe
768	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
768	Au_.exe
768	Au_.exe
768	Au_.exe
768	Au_.exe
768	Au_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023432-8.dat	nsis_installer_1
behavioral2/files/0x0007000000023432-8.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4208	3140	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	82
PID 3140 wrote to memory of 4208	3140	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	82
PID 3140 wrote to memory of 4208	3140	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3232	4208	svchost.exe	83
PID 4208 wrote to memory of 3232	4208	svchost.exe	83
PID 4208 wrote to memory of 3232	4208	svchost.exe	83
PID 3232 wrote to memory of 768	3232	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	86
PID 3232 wrote to memory of 768	3232	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	86
PID 3232 wrote to memory of 768	3232	289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:768

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe

Filesize
571KB

MD5
0b0aa621e74bdd37d35f8f08a639bcb3

SHA1
b83cf71fdc7823a22b08d3764f44bf8873946a63

SHA256
8b1e4e6e9d5732fd1a0492808946debac7d46b545bf1b2640b64e0ff4e601f9c

SHA512
a2ea86ee0c734ad9c5eb4e3289c7467f31b29289c8e7bb709a8aeac4737bed7d9eaa47c70f697d5c20f705afbabb7b22c1e8a1d8fa86ca835a30b6ea34b1b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh9914.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh9914.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh9914.tmp\UAC.dll

Filesize
17KB

MD5
09caf01bc8d88eeb733abc161acff659

SHA1
b8c2126d641f88628c632dd2259686da3776a6da

SHA256
3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

SHA512
ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh9914.tmp\ioSpecial.ini

Filesize
582B

MD5
2c4ef12750d47241cb26c5c001a40d75

SHA1
dc3cabec6bb832e44e82e8859362c8c93b7ff80e

SHA256
de8cf1888e439ee1e3237160992f99c92d30cd252bb40b1e34151e71e550c81a

SHA512
490d76891602b9d04770cfa54641a2d67007d0b30fe07f839e3a8c06b5833ce2c0bfbd4a89b2f01fa5241b2908b52cee088e277fb5e9f8ed47e75dd61ba3b701

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/3140-3-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4208-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-112-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-115-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-119-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download