105b735fccde8b14e542b10e9b86db7c844b33cfd98de91abcc3d7b086f5f6ed

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
Size

656KB
MD5

35cb5a8861275f735bb7e04c9e2bcf43
SHA1

cfd6aae764308249a1dacfc74d105b2fd1f971c9
SHA256

105b735fccde8b14e542b10e9b86db7c844b33cfd98de91abcc3d7b086f5f6ed
SHA512

e49b29dcdc00785f56feb988341baae692e06ceeeef4f4c557776a72908d34f218f3f20bb4445fde0c8429dadd50b96c9764a83ebebcb3eed9bbb8e2bdc6e102
SSDEEP

12288:CjkArEN249AyE/rbaMct4bO2/Vvt0dYK3DMHRH0IkEEJBPo7IAyUEXQZJ:1FE//Tct4bOsVtyYUDMxKEEJ+7IAlEs

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, killer.exe"	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-0-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/files/0x000900000001435d-13.dat	upx
behavioral1/files/0x00070000000145ca-26.dat	upx
behavioral1/memory/2560-53-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-80-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-107-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-130-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-157-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-180-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-208-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-231-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-258-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-281-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-308-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral1/memory/2560-332-0x0000000000400000-0x00000000004E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\myloveever.exe"	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\z:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\b:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\e:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\h:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\p:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\t:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\v:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\w:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\k:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\l:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\o:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\q:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\s:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\a:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\g:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\j:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\n:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\r:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\i:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\m:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\x:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened (read-only)	\??\y:	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2560-53-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-80-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-107-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-130-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-157-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-180-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-208-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-231-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-258-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-281-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-308-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral1/memory/2560-332-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\\autorun.inf	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File created	\??\f:\autorun.inf	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	F:\\autorun.inf	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	C:\Windows\autorun.inf	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File created	\??\c:\autorun.inf	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\YahooMessenger.exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	C:\Windows\killer.exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	C:\Windows\YahooMessenger.exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	C:\Windows\myloveever.exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File opened for modification	C:\Windows\autorun.inf	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File created	C:\Windows\myloveever.exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
File created	C:\Windows\killer.exe	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "exefile"	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "exefile"	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
2560	35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35cb5a8861275f735bb7e04c9e2bcf43_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .exe

Filesize
272KB

MD5
b4df070a34c0e2738aace0242dfc4dc8

SHA1
4e6dea0de82c7e8e4c0387a0356762fe44b13fb4

SHA256
0e1ef49d17fd4b52c4353bb39dda56896d194acb204a35f6277335e7a6d4e4a9

SHA512
b6e4af40a4b6c48ac28d3908d2a59e48f8463c9dbe46744646c16715231b62f0dbe7c10138c93c4cc67f5366e96e79b63b72e227323aceaac988ca62a7c6596a

Download Submit
C:\Windows\YahooMessenger.exe

Filesize
656KB

MD5
35cb5a8861275f735bb7e04c9e2bcf43

SHA1
cfd6aae764308249a1dacfc74d105b2fd1f971c9

SHA256
105b735fccde8b14e542b10e9b86db7c844b33cfd98de91abcc3d7b086f5f6ed

SHA512
e49b29dcdc00785f56feb988341baae692e06ceeeef4f4c557776a72908d34f218f3f20bb4445fde0c8429dadd50b96c9764a83ebebcb3eed9bbb8e2bdc6e102

Download Submit
C:\Windows\autorun.inf

Filesize
168B

MD5
b52439c4f343e5df4e24bbfebb1f945e

SHA1
e2a2463a8b1b5634ff8c14bd05514a93a3a32af8

SHA256
cb4311eff1857598b906cfe0283faa97b507103dd341f737308d3076b8de08c9

SHA512
50974a51ab1de6b43bc8a1dec27c543641905c99a7c8bdcf4bf5bc58bf7b295ec1654043b5c9ee94ed84f3f1302ea53b308199b737391cfc04fa39a9dc9b5288

Download Submit
memory/2560-157-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-53-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-80-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-107-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-130-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-180-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-208-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-231-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-258-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-281-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-308-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2560-332-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download