Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 17:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe
  Resource: win10v2004-20240708-en

The signatures, process tree and downloads below belong to behavioral1 (the Windows 7 x64 run named in the Analysis header); the Windows 10 run (behavioral2) is a separate result and its process IDs and paths should not be assumed to match.
General
Target: 2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe
Size: 51KB
MD5: 2d48da15758ba9187e066a2f3dd6f6c5
SHA1: 7ec6b59d541af84b02d1953e6e6c33e5d6cc23d2
SHA256: c51b81d5cf79239bb5e998e4a93fc9f0cb1efb651fe1826acb23dff348fcded2
SHA512: 8897e00384d49627324f1b8d5c2b1f77012091b4d325b8e4c7ac8b03b48f1004e4636e411ba697b1e4547b4880751fd365537f15c7abb5ca23750ad527b93804
SSDEEP: 1536:2fgLdQAQfcfymNG+KxgVDrXjl/kOrlrO:2ftffjmNoxgVDrXhzlrO
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2656  cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2872  Logo1_.exe
  pid 2524  2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe
Loads dropped DLL (2 IoCs)
  pid 2656  cmd.exe
  pid 2656  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, in the order recorded:
  \??\J:  \??\G:  \??\Y:  \??\V:  \??\P:  \??\M:  \??\L:  \??\O:  \??\N:  \??\Z:  \??\X:
  \??\W:  \??\U:  \??\R:  \??\Q:  \??\I:  \??\T:  \??\S:  \??\K:  \??\H:  \??\E:

That is every letter from E: through Z: except F:, probed regardless of whether a volume is mounted there, which is the behaviour of code looking for further drives to write to rather than of a program opening a file it knows exists.
Drops file in Program Files directory (64 IoCs)
All entries are attributed to Logo1_.exe.
  File opened for modification  C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini
  File opened for modification  C:\Program Files\Windows Defender\MpCmdRun.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini
  File created                  C:\Program Files\Mozilla Firefox\browser\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  File created                  C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini
  File created                  C:\Program Files\Reference Assemblies\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_desktop.ini
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini
  File opened for modification  C:\Program Files\7-Zip\7z.exe
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini
  File created                  C:\Program Files\Java\jre7\lib\zi\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini
  File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.exe
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini
  File opened for modification  C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\bin\unpack200.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe

Two kinds of entry are mixed here. Fifty-two are _desktop.ini files (note the leading underscore; the legitimate shell metadata file is desktop.ini) created or rewritten in directories the process walks, which serve as "already visited" markers. The other twelve are pre-existing third-party executables opened for write (MpCmdRun.exe, GoogleUpdateCore.exe, jp2launcher.exe, chrome.exe, GoogleCrashHandler.exe, 7z.exe, private_browsing.exe, maintenanceservice.exe, jar.exe, jabswitch.exe, unpack200.exe, vsta_ep32.exe), which is a file-infector pattern: those binaries should be treated as modified until their hashes are checked against known-good copies. Both the marker files and the touched executables are host-side indicators for any machine this sample ran on.
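The file lists in this report are rendered as one run-on line of "action path process" triples, which is awkward to feed into a hunt. The following parser and classifier are an added example written for this page, not part of the sandbox's own tooling. The regular expression is my own reconstruction of that flattened format, and REPORT_EXCERPT is a subset of entries copied from this report's Program Files, Windows directory and drive-enumeration lists so the block runs offline; the classification rules (underscore markers, pre-existing executables opened for write, newly created files) are the reading of the list given above.

```python
import re
from collections import Counter

# One entry per file event, as the report renders them when flattened to text:
#   "<action> <path> <process>" repeated, with an optional trailing " -".
# The path may contain spaces, so it is matched lazily and terminated by the
# acting process name, which is always followed by the next "File ..." entry or
# by the end of the line.  (Regex is an assumption about the rendering, not an
# official export format.)
IOC_RE = re.compile(
    r"(File created|File opened for modification|File opened \(read-only\))\s+"
    r"(.+?)\s+"
    r"(\S+\.exe)"
    r"(?=\s+File |\s*-?\s*$)"
)

# Excerpt copied from this report (a subset of the full 64 + 4 + 21 entries).
REPORT_EXCERPT = (
    r"File opened for modification C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini Logo1_.exe "
    r"File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe Logo1_.exe "
    r"File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini Logo1_.exe "
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe Logo1_.exe "
    r"File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe Logo1_.exe "
    r"File opened for modification C:\Program Files\7-Zip\7z.exe Logo1_.exe "
    r"File created C:\Windows\rundl132.exe 2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe "
    r"File created C:\Windows\Logo1_.exe 2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe "
    r"File opened for modification C:\Windows\rundl132.exe Logo1_.exe "
    r"File created C:\Windows\vDll.dll Logo1_.exe "
    r"File opened (read-only) \??\J: Logo1_.exe "
    r"File opened (read-only) \??\E: Logo1_.exe -"
)


def parse_file_iocs(text: str) -> list:
    """Split flattened IoC text into (action, path, process) records."""
    return [m.groups() for m in IOC_RE.finditer(text)]


def classify(records: list) -> dict:
    """Group file events by what they mean for a file infector.

    marker_files:          _desktop.ini written as a "visited" marker
    modified_executables:  executables that existed before the run and were opened for write
    dropped_files:         new files created by the sample (excluding markers)
    drives_probed:         drive roots opened via the \\??\\X: device path
    """
    # A file the sample itself created and later reopened (rundl132.exe here)
    # is a dropped file, not an infected pre-existing binary.
    created = {path for action, path, _ in records if action == "File created"}
    summary = {
        "marker_files": [],
        "modified_executables": [],
        "dropped_files": [],
        "drives_probed": [],
        "by_process": Counter(),
    }
    for action, path, proc in records:
        summary["by_process"][proc] += 1
        name = path.rsplit("\\", 1)[-1].lower()
        if action == "File opened (read-only)" and path.startswith("\\??\\"):
            summary["drives_probed"].append(path[-2:])
        elif name == "_desktop.ini":
            summary["marker_files"].append(path)
        elif action == "File created":
            summary["dropped_files"].append(path)
        elif action == "File opened for modification" and name.endswith(".exe") and path not in created:
            summary["modified_executables"].append(path)
    return summary


if __name__ == "__main__":
    s = classify(parse_file_iocs(REPORT_EXCERPT))
    for key in ("modified_executables", "dropped_files", "marker_files"):
        print(key)
        for p in s[key]:
            print("   ", p)
    print("drives probed:", ", ".join(s["drives_probed"]))
    print("events per process:", dict(s["by_process"]))
```

Running it on the full lists from this page (paste them into REPORT_EXCERPT) gives the twelve executables and fifty-two markers noted above; the modified_executables list is the one to hash-check on a suspect host, and dropped_files plus marker_files are what to search for.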
Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\rundl132.exe   2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe
  File created                  C:\Windows\Logo1_.exe     2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\vDll.dll       Logo1_.exe

The name rundl132.exe imitates the legitimate rundll32.exe (the second l is replaced by the digit 1) and is written directly under C:\Windows rather than System32, so a name match in that directory is a reliable indicator. The original sample (51KB) writes Logo1_.exe and rundl132.exe; Logo1_.exe then rewrites rundl132.exe and adds vDll.dll.
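A host-side check for the artefacts listed so far, as an added example for this page rather than anything shipped with the sandbox: it walks a copied or mounted system drive, reports the three Windows-directory drops by name with their SHA-256 (so they can be matched against the hashes in the Downloads section below), and counts _desktop.ini markers under both Program Files trees while ignoring the legitimate desktop.ini. The fixture built by build_demo_tree is constructed for the demonstration; the file names and locations come from this report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Artefacts from this report's "Drops file in Windows directory" list.
WINDOWS_DROPS = ("rundl132.exe", "Logo1_.exe", "vDll.dll")
# Marker written into directories the sample visits under Program Files.
# The leading underscore distinguishes it from the shell's own desktop.ini.
MARKER_NAME = "_desktop.ini"
PROGRAM_DIRS = ("Program Files", "Program Files (x86)")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root) -> dict:
    """Walk a system drive rooted at `root` and collect this sample's artefacts.

    Names are compared case-insensitively so the check behaves the same on an
    NTFS image mounted under Linux as it does on the live Windows host.
    """
    root = Path(root)
    hits = {"windows_drops": [], "marker_files": [], "infected": False}

    win = root / "Windows"
    wanted = {n.lower() for n in WINDOWS_DROPS}
    if win.is_dir():
        for entry in sorted(win.iterdir()):
            if entry.is_file() and entry.name.lower() in wanted:
                hits["windows_drops"].append((entry.name, sha256_of(entry)))

    for pf in PROGRAM_DIRS:
        base = root / pf
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for f in files:
                if f.lower() == MARKER_NAME:
                    hits["marker_files"].append(str(Path(dirpath, f).relative_to(root)))
    hits["marker_files"].sort()

    hits["infected"] = bool(hits["windows_drops"] or hits["marker_files"])
    return hits


def build_demo_tree(root) -> None:
    """Constructed fixture: a miniature C: layout with two of the drops, two
    markers, and a legitimate desktop.ini that must not be reported."""
    root = Path(root)
    (root / "Windows").mkdir()
    (root / "Windows" / "rundl132.exe").write_bytes(b"MZ-not-a-real-pe")
    (root / "Windows" / "vDll.dll").write_bytes(b"MZ-not-a-real-dll")
    (root / "Program Files" / "7-Zip").mkdir(parents=True)
    (root / "Program Files" / "7-Zip" / "_desktop.ini").write_text("")
    (root / "Program Files (x86)" / "Adobe" / "Reader 9.0").mkdir(parents=True)
    (root / "Program Files (x86)" / "Adobe" / "Reader 9.0" / "_desktop.ini").write_text("")
    (root / "Program Files" / "Legit App").mkdir()
    (root / "Program Files" / "Legit App" / "desktop.ini").write_text("[.ShellClassInfo]")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point triage() at the drive root of a suspect machine (for example a forensic image mounted read-only); a single _desktop.ini under Program Files is already significant, because nothing legitimate writes that name.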
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2872  Logo1_.exe  (all ten hits)
Suspicious use of WriteProcessMemory (22 IoCs)
  source pid  source process                                       target pid  procid_target  hits
  2676        2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe   2656        31             4
  2676        2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe   2872        32             4
  2872        Logo1_.exe                                           2732        33             4
  2732        net.exe                                              3024        36             4
  2656        cmd.exe                                              2524        37             4
  2872        Logo1_.exe                                           1232        21             2

Twenty of the twenty-two writes go from a process into a child it has just created (cmd.exe, Logo1_.exe, net.exe, net1.exe and the relaunched sample), which is what process creation looks like and is not evidence of injection on its own. The two writes from Logo1_.exe (2872) into Explorer.EXE (1232) are different: Explorer is the root of the tree, not a child of Logo1_.exe, so those are the ones to treat as a cross-process injection candidate and to look for in memory of explorer.exe on an infected host.
Processes
C:\Windows\Explorer.EXE (PID 1232)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe (PID 2676)
    command line: "C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2656)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEF20.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe (PID 2524)
        command line: "C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 2872)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2732)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 3024)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree: the submitted file (PID 2676) writes Logo1_.exe and rundl132.exe into C:\Windows, starts Logo1_.exe, and runs a batch file from its own Temp directory through cmd.exe. That batch re-launches the file at the original sample path (PID 2524); since the relaunch is flagged as "Executes dropped EXE", the file at that path was rewritten during the run, and the "Deletes itself" hit is attributed to the same cmd.exe, so the batch is the clean-up step of a drop-and-relaunch sequence. Logo1_.exe does the work: it probes every drive letter, writes markers and opens executables under Program Files, writes into Explorer.EXE, and stops the "Kingsoft AntiVirus Service" via net.exe / net1.exe. The SysWOW64 paths show a 32-bit process tree on the 64-bit guest. All of this runs from the user's Temp directory and C:\Windows without any observed elevation step in the tree, so on a default installation the Program Files and C:\Windows writes imply the sample was already running with write access there.
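The three judgements made on the tree above (which WriteProcessMemory targets are not children, which cmd.exe is the relaunch-via-batch step, and which net.exe call stops a security service) can be made mechanically from the process list. The block below is an added example for this page and not sandbox code: PROCESSES and WRITES are transcribed from this report's tree and WriteProcessMemory table, and the rules are my own generalisations (the Temp-path batch pattern, and a keyword list for service names, of which only "antivirus" is attested by this report).

```python
import re
from collections import defaultdict

# pid -> (image path, command line, parent pid), transcribed from this report's tree.
PROCESSES = {
    1232: (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", None),
    2676: (r"C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe"', 1232),
    2656: (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEF20.bat", 2676),
    2524: (r"C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\2d48da15758ba9187e066a2f3dd6f6c5_JaffaCakes118.exe"', 2656),
    2872: (r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe", 2676),
    2732: (r"C:\Windows\SysWOW64\net.exe", r'net stop "Kingsoft AntiVirus Service"', 2872),
    3024: (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"', 2732),
}

# (source pid, target pid) pairs from the WriteProcessMemory table, de-duplicated.
WRITES = [(2676, 2656), (2676, 2872), (2872, 2732), (2732, 3024), (2656, 2524), (2872, 1232)]

# Keyword list is an assumption; only "antivirus" is attested by this report.
SECURITY_KEYWORDS = ("antivirus", "anti-virus", "defender", "security")
SERVICE_STOP_RE = re.compile(r'\bstop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def children_of(procs: dict) -> dict:
    kids = defaultdict(list)
    for pid, (_, _, parent) in procs.items():
        if parent is not None:
            kids[parent].append(pid)
    return kids


def non_child_writes(procs: dict, writes: list) -> list:
    """Writes into a process the writer did not spawn.  Writes into a freshly
    created child accompany every CreateProcess; writes anywhere else are
    injection candidates."""
    kids = children_of(procs)
    return [(src, dst) for src, dst in writes if dst not in kids[src]]


def self_relaunch_via_batch(procs: dict) -> list:
    """cmd.exe running a .bat from a Temp directory whose child has the same
    image as cmd.exe's own parent: the drop-batch / relaunch-original pattern."""
    kids = children_of(procs)
    hits = []
    for pid, (image, cmdline, parent) in procs.items():
        if basename(image) != "cmd.exe" or parent is None:
            continue
        bat = re.search(r"\S+\\temp\\\S+\.bat", cmdline, re.IGNORECASE)
        if not bat:
            continue
        parent_image = procs[parent][0].lower()
        if any(procs[c][0].lower() == parent_image for c in kids[pid]):
            hits.append((pid, bat.group(0)))
    return hits


def av_service_stops(procs: dict, keywords=SECURITY_KEYWORDS) -> list:
    """net.exe / net1.exe stopping a service whose name looks like a security product."""
    hits = []
    for pid, (image, cmdline, _) in procs.items():
        if basename(image) not in ("net.exe", "net1.exe"):
            continue
        m = SERVICE_STOP_RE.search(cmdline)
        if not m:
            continue
        service = m.group(1) or m.group(2)
        if any(k in service.lower() for k in keywords):
            hits.append((pid, service))
    return hits


def analyse(procs: dict = PROCESSES, writes: list = WRITES) -> dict:
    return {
        "injection_candidates": non_child_writes(procs, writes),
        "batch_relaunch": self_relaunch_via_batch(procs),
        "security_service_stops": av_service_stops(procs),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The same three functions apply unchanged to a process tree and WriteProcessMemory list exported from any other sandbox run or from EDR telemetry, as long as they are loaded into the same pid -> (image, command line, parent) shape.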
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not attach file names to these entries; match them to the dropped and rewritten files (rundl132.exe, Logo1_.exe, vDll.dll, the $$aEF20.bat batch file and the rewritten sample at the original Temp path) by size and hash once the artefacts are recovered from a host.

Filesize: 251KB
MD5: 93178cd015cbcf907874eb9b42415cf9
SHA1: f159cd61c7da56345dc8019c1125c0d84c7318f6
SHA256: df11c85e6a4a66f5d5c8a7c06b24be3111d5f7f6840366974b2fba7caada27f1
SHA512: 71c8a7c267f06571fe4a973d26dcb3f251070956d5981ecde8e8557aa8e10549f46fc17449c8ad9eae2a534c1f0fc686d79bf325344e484129ca313e77e3bfa1

Filesize: 471KB
MD5: c6c8fde27f649c91ddaab8cb9ca344a6
SHA1: 5e4865aec432a18107182f47edda176e8c566152
SHA256: 32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100
SHA512: a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Filesize: 614B
MD5: 9b8b76765f7ca6951cb7321bc7a1a499
SHA1: 29397ffbadacf843d1710abc199206364bc14045
SHA256: 1551f4292981e2cf6b0e267f3a7e0a2766c600caa7ddea5df7ca0b2ee23618ad
SHA512: 0e8a6e92532e2faa6614bf4ad22d5788bc68fd72ae76b8f396eab020234f7be7a99452a9c998dbfbc41969b94af8c017a7044a00c4438308159acaca932807ef

Filesize: 25KB
MD5: a75372cca53b68ae02bf9eb45587a0e7
SHA1: 0f1477d3630f3bbee88d28c2ccb6b06b5ccb2e33
SHA256: 9b58450116b3b734b2debbc68e8457f29cd0d5c3e2155e8e562f189094bb3ed3
SHA512: eb48c5570627b143663b7f4e16898ce19f89046598ef325dece753ca4821bd7ad13f0517961efb3d456f8d6b3636c3b7588863f0bd5b1a97e997faeab6c3b488

Filesize: 26KB
MD5: aa2ad1ef24d81ec2484d5e43e75d5c49
SHA1: d2c583f2bad73df381a256bbfc937a41887aab31
SHA256: 8cd6eab7eeac4389b3c6bc3eb539e75d439300964a2a256dd9fc9e7797601be7
SHA512: 9149392d185673c14dd5d06949390c71b3417c5a4b0a621d3568ba7fa91e2d0009354b7d1985ec2272947ac37ca9154322bcee45925046cc3474d4ce178bd93e

Filesize: 8B
MD5: d8dca68320777bb03e3a6dbdb7624c4f
SHA1: 094cbdfea49743824e2aaf9c66082c25da2157b1
SHA256: ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e
SHA512: 9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc