a827aeef1409269f76c80f60250f45b379cd688e6800c14bd767478dcdfdfb75

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
Size

2.1MB
MD5

2bdd82a68c04db9e9f53a02e7314f020
SHA1

e3aa309b76f60d5cf67ab80d683366c4578550d6
SHA256

a827aeef1409269f76c80f60250f45b379cd688e6800c14bd767478dcdfdfb75
SHA512

e45591aef694120d9ec17265ac25e356058c5d7698e8a25a96f3a85fe86315939e2a3bebc2341d45a1f5f69ac8cd4256e1214eb436fff0799a84aca8aac8ba62
SSDEEP

49152:zL/jf/gDmDn/cKy7+gATTC7w94qW0uwGv6umAOKIyZk:zLrfkW/U7X0QZTIyZk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1312	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	WingSvrs.exe

Loads dropped DLL 11 IoCs

pid	Process
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2236	WingSvrs.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\WingSearch	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\WingSearch\app = "C:\\Users\\Admin\\AppData\\Roaming\\WingSearch\\"	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
Token: SeBackupPrivilege	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33
PID 2196 wrote to memory of 1312	2196	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:1312

C:\Users\Admin\AppData\Roaming\WingSearch\WingSvrs.exe
C:\Users\Admin\AppData\Roaming\WingSearch\WingSvrs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
03fe97e784070d35e5eec3c83c0c4614

SHA1
13341f301b3a8008b83ceab4409b6e700b9abcf7

SHA256
9e541762167af210dc09f2ff060c10b677b9ae3b047a74083b0ccf3d1e61b292

SHA512
694068936fd38a3ba709ca29cc8287a4db67f1644995dbc7a098f708deb3ad1b0fea0a179fca8b7bebf5a2e4d917bf8d17c3030174869d542f7f9c2a9a82c46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9649.tmp\svrreg.dll

Filesize
1.5MB

MD5
9984d4d8a4d912e4a1c34dd9324e2356

SHA1
7693138b480aa2bfae44b3b07649f30e09ae7e62

SHA256
e9133b9aff90f271881fefa99f562fbd2860d874e723f5945e72d04b9d6b2474

SHA512
28cd31da030b0ea13e7b96b1bd3e41f61e4c54fba63c9c650c5409ca669c16698a5610e126dca26d6de61e80d70f01b37183b8a82ccb2a75e54b6e4b6d9799f7

Download Submit
C:\Users\Admin\AppData\Roaming\WingSearch\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Roaming\WingSearch\WingSvrs.exe

Filesize
10KB

MD5
7b9ed09fa5d96eec6ec2d330b49c5b61

SHA1
e3a7b005ab9b25250e598d85e238db53f755bd8e

SHA256
a48ac4c9801ce568a566f2501552419ac7216e5bb0da7af27571178e1ff6dfed

SHA512
b0f39baf0b8608788a58348d52ad9bf2709c6e1eba67cb65e3926859cc3a84c97b95a58349a6fbbb8dc0feec01baca38518e4f6fc99a4cc9e7b07f92930ea0c6

Download Submit
C:\Users\Admin\Desktop\11¹ø°¡.URL

Filesize
230B

MD5
c1a792bb5ecc351bb87bf4d5b17c57bd

SHA1
8a0e6fda71b7c9a7ac891f18592f82e6d512fa12

SHA256
28292e45ec5b2257cb30e9c5a630999e38aaedd67e215e238cb3800ed8a6153f

SHA512
fccbbe3d18aebc706104d5999f18381e7500c5048b13d2580527904bf1c9dbdd86cc2d2a8c77ec1c2206991e799c253afebb82c0b88f19d83b863134825c8e97

Download Submit
C:\Users\Admin\Desktop\G¸¶ÄÏ.URL

Filesize
238B

MD5
bf45997afd324e7deff22954893ed19d

SHA1
4978c62045e0ff1d325820cc23acca8002b4d8ae

SHA256
bfb8e299b16b2d0d44662bca16aa45a4a97a86d6029e800bb8a9091df765fe0b

SHA512
3440700f142217f7efb3de779dfab360d6d6431a45fe067842fbfc122b615335640667c43e1d4f169cb7cfdbe761c4f2049f7b0b4a7a2a8b3a2f0575930839ed

Download Submit
C:\Users\Admin\Desktop\¿Á¼Ç.URL

Filesize
238B

MD5
e294f0ee894f58708e778046b3415474

SHA1
748be27acc4fb18e03e1e503d54ed8a8749aa171

SHA256
72bc5aa352851eeb9c162fc4aef3580b22b7ada6a6a102758f382886e5376859

SHA512
3763c96203be48853a66b711d65d441ecb753cf63a60aa87683c7a7ffa30ab6e827152085df65dbd660c5d1222148fa0824bc05956ece1b33f2497d4c512c224

Download Submit
C:\Users\Admin\Favorites\´ç½ÅÀÌ Ã£´Â ¸ðµç ½ºÅ¸ÀÏ, ¿Á¼Ç.url

Filesize
262B

MD5
90550300c85b340de7b07a62e97f9217

SHA1
4bd51dc37397d0c10d2b22fed4ce5755e8c77b9f

SHA256
615b3cec3304670e214a6ae9c8ebf33fb539fd598dfcf9ed49b5e2b626dc0fec

SHA512
b50a6b768e01b5cacd4f4b72cc7acbc87212b3d428d2af48a64f059d37be91b0ab355b6761e1fc0a608cee49199aa559592c17ce2d4f263ac482de0ad129257c

Download Submit
C:\Users\Admin\Favorites\µð¾Ø¼¥, ½ÃÁð 2.url

Filesize
258B

MD5
4a36278135120eea5f5e8680e1a7c572

SHA1
8fe636ce3e57eefec9d9035a7c039893a6c99484

SHA256
2ad4228865f7828a2487c66b4cb3e20e2fbf5a7cf1b1807cbd0713bb1b3f1cc6

SHA512
f92f18daa5d8e2f38f9658e9e29b5928102fcb67d83fcabac028f7aa438a266010a5948ad044996479a67fb4efcdff2fa4c2b03cbd16d60f5a77834a7208c246

Download Submit
C:\Users\Admin\Favorites\¼îÇÎ ½ºÆ®¸®Æ®, 11¹ø°¡.url

Filesize
179B

MD5
20e9155d385f1a5cbd100a899e962cfd

SHA1
e25d5a2474eea2a3b4e865a9c9f105719571a28d

SHA256
292ec0925c6c33b3546ba0c152649dd1e5e05514c977cced23227bff707c3034

SHA512
16188831eda7a437c2601deb14cc5276df0098280fd2f02a77ffa3d679d54c5b699f77d9078cc103e8575031a1eee89c1b93ccafbc63b921ffd07046eb70b308

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\Dialer.dll

Filesize
3KB

MD5
4e6686aece13707435cce60dcb2ab572

SHA1
9bc7bcffa81e19ad315cab0f261e2394b99aa8f4

SHA256
b8bdabefe8360a157f287bf2b672d8d9a0453224a6b377348aa6a98438fccaf2

SHA512
a1936a86e1fd28a0d44e3e2bab4e41d3ebc6322155d47cd64df9d4ec1b3a093872f74f9848d39c6062242ea4f5af69b32e99f06fd892279b2a1a3cc6c1586e3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\services.dll

Filesize
7KB

MD5
89408795f143525890bbda9281c42f45

SHA1
bd9f08641cbe86d18c985cea5325dc2ad8525aa6

SHA256
065564c3d7e19e7dea083fb9a426dfdfeabba6ca3a7587bee938f75db5753114

SHA512
ba11a243b97326f6cd12f7f6f8b81e67f7e8f55b5dcf63a7e705813f85c9af1866891770077514051ce153527b074dcba2881b94bdb1925dedc81354e9a84cd6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9649.tmp\wingfavi.dll

Filesize
1.6MB

MD5
96c2faa6800f061e2e03f6368b12dad4

SHA1
43a339e298e6786dff59c68d2ab6793fe34bc6a0

SHA256
f5d055f3ec74394ea4e988d9476b00107542bfc40032b6bf99b5662c42c33b98

SHA512
a283c3ebb906f0d6d6b43d4f99da851c9ad6884676da7e9c9dfcd809c4563f1e562e03cde4c9b76e1ad75fb0c784ebcbf5d17a81fdf59d4b99d5d95fcf70111f

Download Submit
memory/2196-14-0x0000000001E20000-0x0000000001E3A000-memory.dmp

Filesize
104KB

Download