6fba4f77289d1914029f66a23f9042232ceb2d5ee22bca2c323a806034138e3e

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Size

41KB
MD5

3250fbd90d024c908106cbec8e9f51bc
SHA1

1778ea02760b5fc2c4215deb7ea3d04502f37345
SHA256

6fba4f77289d1914029f66a23f9042232ceb2d5ee22bca2c323a806034138e3e
SHA512

195fad238b9f0d62581afa13b8a9ff915c2f71d11f6ee7720b1dd59f75da7ece1c3101ad4a885aaca2d2c47b5e905410c169db8568f8223c95a0afc58fae67a3
SSDEEP

768:KvBgclfRsHJhSS2/TsiD9e12jECpBvU+z6Isas06E+:KE/nwTl9e12Jpu+z5ds06E

Score

10^/10

adware defense_evasion evasion persistence stealer upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:rundll32"	rundll32.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	792	rundll32.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\crcdisk.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\dxgkrnl.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ndisuio.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\tdx.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\Wdf01000.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\blbdrive.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\amdsata.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ndiscap.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\gagp30kx.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ipfltdrv.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\peauth.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\usbuhci.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\circlass.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\compbatt.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\fvevol.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\agp440.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\lsi_sas2.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\MSTEE.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\usbcir.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\errdev.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\nwifi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\WudfPf.sys	rundll32.exe
File created	C:\Windows\SysWOW64\Drivers\ksecdd.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\msahci.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\storvsc.sys	rundll32.exe
File created	C:\Windows\SysWOW64\Drivers\BrSerWdm.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\mshidkmdf.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\b57nd60a.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\rassstp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\usbehci.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\raspppoe.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\hidusb.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\lsi_sas.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\mouclass.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ndiswan.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\nsiproxy.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\usbhub.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\vmbus.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\1394ohci.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\lsi_scsi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcw.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\ksthunk.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\amdsbs.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\mssmbios.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\ndistapi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\discache.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\mountmgr.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\wacompen.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\amdxata.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\ipnat.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\isapnp.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\volmgr.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\cdrom.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\adp94xx.sys	rundll32.exe
File created	C:\Windows\SysWOW64\DRIVERS\CompositeBus.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\MSKSSRV.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\sffdisk.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\synth3dvsc.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\vdrvroot.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\volsnap.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\acpipmi.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\ws2ifsl.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\csc.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\megasas.sys	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012283-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
792	rundll32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\java2.sys	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\java2.sys\ = "Driver"	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x000a000000012283-5.dat	upx
behavioral1/memory/2948-8-0x0000000010000000-0x0000000010040000-memory.dmp	upx
behavioral1/memory/792-15-0x0000000010000000-0x0000000010040000-memory.dmp	upx
behavioral1/memory/2948-16-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2948-18-0x0000000010000000-0x0000000010040000-memory.dmp	upx
behavioral1/memory/792-227-0x0000000010000000-0x0000000010040000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	rundll32.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\DllName = "snjava.dll"	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\Startup = "snjava"	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\Impersonate = "1"	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\Asynchronous = "1"	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\MaxWait = "1"	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\ngrvv = "[92231A31FAE9F4C8C]"	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\snjava.dll	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\java2.sys	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\java2.sys	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\z98.bin	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\z98.bin	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a9k.bin	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CLFS.sys	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	792	WerFault.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
792	rundll32.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 2948 wrote to memory of 792	2948	3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe	28
PID 792 wrote to memory of 2748	792	rundll32.exe	31
PID 792 wrote to memory of 2748	792	rundll32.exe	31
PID 792 wrote to memory of 2748	792	rundll32.exe	31
PID 792 wrote to memory of 2748	792	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe snjava.dll,snjava C:\Users\Admin\AppData\Local\Temp\3250fbd90d024c908106cbec8e9f51bc_JaffaCakes118.exe
  2⤵
  - Modifies firewall policy service
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  - Deletes itself
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 772
    3⤵
    - Program crash
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\java2.sys

Filesize
8KB

MD5
0379dacc71dbfbde873f5683f83a4f65

SHA1
f4dbb8bf2d34b6f5e7330ca0b6f9217f8e41f0d0

SHA256
8bae64289b178ed447f8e86510cc4c33686d35ef0b00ab90765886a961075e8b

SHA512
3d628d1370a858d1779bed3d152687878257bb5a4676060719bb1fa2e4b5c0416707476ab94789f68f3549c6650c1e162ed3c6a72ff0259f4a6f71163e4bc65f

Download Submit
\Windows\SysWOW64\snjava.dll

Filesize
23KB

MD5
13e16461d3d121cbdccd2805ab70e67c

SHA1
017a31b829204fc4237bb0fad70c68e2811af3b6

SHA256
32d6540b5f4323bf9e93e523ec1edd3f029dc60a90317dcbfbfedbc6db4c58de

SHA512
f7010ecc3a29d22a6f742fe7086b460a7678d1412243f0f1322310cf50d5f0bcc68d69f6cd878d65ea3f8e4264086ef80a97a0d376cb77d14fe75974fc988ef3

Download Submit
memory/792-14-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/792-15-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/792-227-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2948-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2948-8-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2948-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2948-18-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download