95c1777ec06aa5dde75c0fef744974fb86b29b4152f59b4a1723976a992b3949

Analysis

max time kernel
133s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
Size

421KB
MD5

2d5c536008bc774963ff014483027f96
SHA1

28d64f7b874e6821a015b45b99095e6b804d0867
SHA256

95c1777ec06aa5dde75c0fef744974fb86b29b4152f59b4a1723976a992b3949
SHA512

a4244e7868348dab120f4befcbf3d7216342e8ee93189b70dd78e16aca894eb8b58e3e32a7f58ad658ba78fe15d43df6ce312a7ed86d46d50c36e49126747d86
SSDEEP

12288:OjkArEN249AyE/rbaMct4bO2/Vqw/z81iel4u:JFE//Tct4bOsgqg1ielT

Score

8^/10

evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2820	instsrv.exe
2824	srvany.exe
2344	MSInstallMgr.exe

Loads dropped DLL 3 IoCs

pid	Process
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
2824	srvany.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1684-31-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1684-31-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\instsrv.exe	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\srvany.exe	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File created	C:\windows\SysWOW64\instsrv.exe	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File created	C:\windows\SysWOW64\MSInstallMgr.exe	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\MSInstallMgr.exe	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File created	C:\windows\SysWOW64\MSInstallMgr.exex	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\MSInstallMgr.exex	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MSInstallMgr.exe
File created	C:\windows\SysWOW64\srvany.exe	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2760	sc.exe
2724	sc.exe
2844	sc.exe
2964	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MSInstallMgr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}\WpadNetworkName = "Network 3"	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-96-60-b5-ca-0f\WpadDecisionReason = "1"	MSInstallMgr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}\WpadDecisionTime = f09dc5e1a3d1da01	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-96-60-b5-ca-0f	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-96-60-b5-ca-0f\WpadDecisionTime = 90b5c02ea4d1da01	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}\WpadDecision = "0"	MSInstallMgr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MSInstallMgr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-96-60-b5-ca-0f\WpadDetectedUrl	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-96-60-b5-ca-0f\WpadDecisionTime = f09dc5e1a3d1da01	MSInstallMgr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}\WpadDecisionTime = 90b5c02ea4d1da01	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	MSInstallMgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}\WpadDecisionReason = "1"	MSInstallMgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53B46A86-330F-4FCB-8C39-C295D41E504E}\b6-96-60-b5-ca-0f	MSInstallMgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-96-60-b5-ca-0f\WpadDecision = "0"	MSInstallMgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2844	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2844	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2844	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2844	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2964	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2964	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2964	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2964	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	32
PID 1684 wrote to memory of 2820	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	34
PID 1684 wrote to memory of 2820	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	34
PID 1684 wrote to memory of 2820	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	34
PID 1684 wrote to memory of 2820	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	34
PID 1684 wrote to memory of 2924	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	36
PID 1684 wrote to memory of 2924	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	36
PID 1684 wrote to memory of 2924	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	36
PID 1684 wrote to memory of 2924	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	36
PID 1684 wrote to memory of 2976	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	38
PID 1684 wrote to memory of 2976	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	38
PID 1684 wrote to memory of 2976	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	38
PID 1684 wrote to memory of 2976	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	38
PID 1684 wrote to memory of 2760	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	40
PID 1684 wrote to memory of 2760	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	40
PID 1684 wrote to memory of 2760	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	40
PID 1684 wrote to memory of 2760	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	40
PID 1684 wrote to memory of 2724	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	42
PID 1684 wrote to memory of 2724	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	42
PID 1684 wrote to memory of 2724	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	42
PID 1684 wrote to memory of 2724	1684	2d5c536008bc774963ff014483027f96_JaffaCakes118.exe	42
PID 2824 wrote to memory of 2344	2824	srvany.exe	45
PID 2824 wrote to memory of 2344	2824	srvany.exe	45
PID 2824 wrote to memory of 2344	2824	srvany.exe	45
PID 2824 wrote to memory of 2344	2824	srvany.exe	45
PID 2824 wrote to memory of 2344	2824	srvany.exe	45
PID 2824 wrote to memory of 2344	2824	srvany.exe	45
PID 2824 wrote to memory of 2344	2824	srvany.exe	45

C:\Users\Admin\AppData\Local\Temp\2d5c536008bc774963ff014483027f96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d5c536008bc774963ff014483027f96_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\sc.exe
  sc stop OracleInstManager
  2⤵
  - Launches sc.exe
  PID:2844
- C:\Windows\SysWOW64\sc.exe
  sc delete OracleInstManager
  2⤵
  - Launches sc.exe
  PID:2964
- C:\Windows\SysWOW64\instsrv.exe
  C:\Windows\system32\instsrv OracleInstManager C:\Windows\system32\srvany.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleInstManager\Parameters /v Application /t REG_SZ /d C:\windows\system32\MSInstallMgr.exe /f
  2⤵
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleInstManager /v Type /t REG_DWORD /d 272 /f
  2⤵
  PID:2976
- C:\Windows\SysWOW64\sc.exe
  sc config OracleInstManager type= auto
  2⤵
  - Launches sc.exe
  PID:2760
- C:\Windows\SysWOW64\sc.exe
  sc start OracleInstManager
  2⤵
  - Launches sc.exe
  PID:2724

C:\Windows\SysWOW64\srvany.exe
C:\Windows\SysWOW64\srvany.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824
- C:\windows\SysWOW64\MSInstallMgr.exe
  C:\windows\system32\MSInstallMgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\instsrv.exe

Filesize
18KB

MD5
c43d1b84143fb2561f22e1a2c8facf53

SHA1
3f1357007f61f02f97f0aaabb8756c6eca2acebd

SHA256
bbf4c224f9861b2c1f5a1364ee71e38728495b2709621763053b979ba88522f1

SHA512
27a25ab6045498e0b7131be58556c685dfa01596675c3af689e61d8329e1a0eff4128c57e202c32c69271b84f57e7425c45fb5fa132ec0f5b352f86323ffa13e

Download Submit
C:\Windows\SysWOW64\srvany.exe

Filesize
15KB

MD5
f03ea3d3a14db51b505b86aba8ed3be2

SHA1
63803ee958baa09e34cd97104e45c3a27dbfe05c

SHA256
ba051c67d3a9ba33efb02fcf354f4be373dcf7daa636de73bdec84456d76dd27

SHA512
24d620729b23efd692744f30f99ea051ee99a8b1afa1899f9bbe904274e13ee26c488ccb3fbd5f4e9a2c901036eac2a2a155fec172d7c58c200f3ed88eabbc18

Download Submit
C:\windows\SysWOW64\MSInstallMgr.exe

Filesize
123KB

MD5
a97d2d1298c14603390a8c7b8fce7b06

SHA1
acfc4dac8c41fc7e8fd879e9d5556c5e6488c8e9

SHA256
0d02d1653ccffe6bb74763e09da16ba988200a92dedf308447ea6dbd4bd7d489

SHA512
628492a8e7b0fc52cc68323b88d29cd4f7b1a9cf9731e1bc386a7e4998dcad1c9a8cefdd0e9927640fddbdffbf435be405d9b066cdc34ed9ddb874dd45d72994

Download Submit
memory/1684-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1684-31-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2820-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download