322e7d7d4245bbc92bf6ba22ed754ef2a7c7f5f9ffd206d874b186c5ef83482f

Analysis

max time kernel
141s
max time network
34s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
Size

5.5MB
MD5

2923741317a4e7ae4285060d6f0297f2
SHA1

26870024a6780ea6b2433f36ddcbe302072f5b15
SHA256

322e7d7d4245bbc92bf6ba22ed754ef2a7c7f5f9ffd206d874b186c5ef83482f
SHA512

4a6cbff480babc2af58cdbd3e3d184a75d60501c4318906204dbdfb67c48f1ba14c1d9d7c33063945d6a3a13a87896a6f25be5b461c1a4e24d8dda27e56af337
SSDEEP

98304:tzzsbbcV2VQ52AlFj6DN1ZwFvpQx/2gld9CX4qcezkw+B9dzOZh2TdgWPeQtc8QP:tzz+wt27DNniFglTC3ceAw+B9MZh2TKb

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000014678-4.dat	acprotect

Loads dropped DLL 20 IoCs

pid	Process
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
2704	taskkill.exe
1656	taskkill.exe
928	taskkill.exe
2800	taskkill.exe
2592	taskkill.exe
2304	taskkill.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 828 wrote to memory of 1888	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	30
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 1888 wrote to memory of 2800	1888	cmd.exe	32
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 828 wrote to memory of 2684	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	34
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 2684 wrote to memory of 2592	2684	cmd.exe	36
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 828 wrote to memory of 1948	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	37
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 1948 wrote to memory of 2304	1948	cmd.exe	39
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 828 wrote to memory of 1264	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	40
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 1264 wrote to memory of 2704	1264	cmd.exe	42
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 828 wrote to memory of 1880	828	2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe	43
PID 1880 wrote to memory of 1656	1880	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Updater.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\WelcomePage.ini

Filesize
126B

MD5
35e4b01a17602245e12abbc306e3613a

SHA1
4624562000e4fc68b436adcddf6cae7db8d5cb8c

SHA256
b886699e29278b684f76da55532f1e31640bca631165eb664ded5e43cc79f7db

SHA512
1d846ba4cd93262e217dd937f18042c27875a31fed0751055c94111d16e475e795e77aa0023d2d29f5f476347ba97344d73ff7af17e42aabfc37246218ddc09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\WelcomePage.ini

Filesize
139B

MD5
3bba3b4acda7d4f5ed39f4ecdc1da2d7

SHA1
c3b53a413b6a27c00473efa84d0e8cebb0f2c2af

SHA256
e1c568525bb35c56ddc70018c9b140c3d8f9602d88331901fd49801db2117c5c

SHA512
8e41b05338a4d30a51620c7e31c1520e3b250f0f5c1cabb7bb4a40132f726cd92a04ac42676a56de3e5ff902d3657eb8e007aa56bd900082e63819a42efc7368

Download Submit
\Users\Admin\AppData\Local\Temp\getmacaddress.dll

Filesize
156KB

MD5
0fc4d42653fc43553b7dcb6ffe55d189

SHA1
49f4aac3f3fb089f310b7a526a5ab45d16d0dc0b

SHA256
e648ca2482f9e4bd7fffec2b80ab30adda424c26dae781bcb1760e384430cfc9

SHA512
603c759ee4b16c1d862a2a82814df939207c61120543b807821aba394ddc7ec9db228e19dbf09e8a26c439d9e1548154eadb7ec6d8757b4492e132fc47059546

Download Submit
\Users\Admin\AppData\Local\Temp\ixlEC52.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nszEE0B.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
memory/828-97-0x0000000000B80000-0x0000000000BA8000-memory.dmp

Filesize
160KB

Download
memory/828-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/828-21-0x0000000000740000-0x000000000074B000-memory.dmp

Filesize
44KB

Download
memory/828-6-0x0000000000470000-0x00000000004E3000-memory.dmp

Filesize
460KB

Download
memory/828-2-0x00000000002F0000-0x000000000035D000-memory.dmp

Filesize
436KB

Download
memory/828-1-0x00000000002F0000-0x000000000035D000-memory.dmp

Filesize
436KB

Download
memory/828-151-0x0000000000470000-0x00000000004E3000-memory.dmp

Filesize
460KB

Download
memory/828-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/828-154-0x00000000002F0000-0x000000000035D000-memory.dmp

Filesize
436KB

Download
memory/828-156-0x0000000000470000-0x00000000004E3000-memory.dmp

Filesize
460KB

Download