35c3112c7fc91bd013dd72a802b99d6d548c1be56fdcd6c7c69cf2e819bc57ef

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Size

167KB
MD5

37cdacaa9e3c4dd02945c33ae408545c
SHA1

c5b69145cbd9ee0f901effaa0886f1c1bca1f313
SHA256

35c3112c7fc91bd013dd72a802b99d6d548c1be56fdcd6c7c69cf2e819bc57ef
SHA512

59e11fce92669d949025c614640907888708563781121d60abb6d3ce0bf83fc3dd3269de126b201fad760aa9f28d5d294280283055feaef9da6b8d950800f8d3
SSDEEP

3072:l6FmjFBOMLzOWLfWPdPAutIfxRpwCj1ZqI7gYEiZNk/Xt0X5IdfvEfkZp:wFmzOMLzffSZAu+5RpjZqmciZqyX0vd

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2784	microsoftoperativo.exe
1588	officeoffice.exe
1620	windowssqloledb.exe
1244	microsoftwindows.exe

Loads dropped DLL 8 IoCs

pid	Process
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsOperating = "c:\\program files (x86)\\common files\\system\\ole db\\fr-fr\\windowssqloledb.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Windowsoperativo6.1.7600.16385 = "c:\\program files (x86)\\windows photo viewer\\it-it\\microsoftoperativo.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\digsig32Runtime = "c:\\program files (x86)\\microsoft office\\office14\\microsoftipdesign.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ComponentsNatural = "c:\\program files (x86)\\microsoft office\\office14\\proof\\1033\\msgr3encomponents.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Companionosetupui = "c:\\program files (x86)\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officeoffice.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WABMIGWindows = "c:\\program files (x86)\\windows mail\\microsoftwindows.exe"	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftoperativo.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	officeoffice.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	windowssqloledb.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftwindows.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\MicrosoftWindows.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\MicrosoftWindows.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Microsoftoperativo.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeOffice.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\Windowssqloledb.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\msgr3enComponents.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Microsoftipdesign.exe	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2784	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	29
PID 1288 wrote to memory of 2784	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	29
PID 1288 wrote to memory of 2784	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	29
PID 1288 wrote to memory of 2784	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	29
PID 1288 wrote to memory of 1588	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	32
PID 1288 wrote to memory of 1588	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	32
PID 1288 wrote to memory of 1588	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	32
PID 1288 wrote to memory of 1588	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	32
PID 1288 wrote to memory of 1620	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1620	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1620	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1620	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1244	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	34
PID 1288 wrote to memory of 1244	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	34
PID 1288 wrote to memory of 1244	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	34
PID 1288 wrote to memory of 1244	1288	37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37cdacaa9e3c4dd02945c33ae408545c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288
- \??\c:\program files (x86)\windows photo viewer\it-it\microsoftoperativo.exe
  "c:\program files (x86)\windows photo viewer\it-it\microsoftoperativo.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2784
- \??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\office.en-us\officeoffice.exe
  "c:\program files (x86)\common files\microsoft shared\office14\office setup controller\office.en-us\officeoffice.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1588
- \??\c:\program files (x86)\common files\system\ole db\fr-fr\windowssqloledb.exe
  "c:\program files (x86)\common files\system\ole db\fr-fr\windowssqloledb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1620
- \??\c:\program files (x86)\windows mail\microsoftwindows.exe
  "c:\program files (x86)\windows mail\microsoftwindows.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeOffice.exe

Filesize
167KB

MD5
37cdacaa9e3c4dd02945c33ae408545c

SHA1
c5b69145cbd9ee0f901effaa0886f1c1bca1f313

SHA256
35c3112c7fc91bd013dd72a802b99d6d548c1be56fdcd6c7c69cf2e819bc57ef

SHA512
59e11fce92669d949025c614640907888708563781121d60abb6d3ce0bf83fc3dd3269de126b201fad760aa9f28d5d294280283055feaef9da6b8d950800f8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasDF76.tmp

Filesize
8KB

MD5
fd07ac45581d2341b0aabffdfce00826

SHA1
cf446c0f7b1dffd154ff3ccd9c1785255c9edda3

SHA256
ab02ff1d59f2332f5df48d2f31a77e234fa37d46050187ae86e3786463352a78

SHA512
33e826d43c746dc2fdb2ee35cf17488ed2d42b0f29edc9b7c9d72c8c002053cdf930ad441c110c6530191557a3c72aad835d1316245bfcd07671db18853ded46

Download Submit
memory/1244-533-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1288-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1288-3-0x0000000000446000-0x000000000044A000-memory.dmp

Filesize
16KB

Download
memory/1288-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1588-155-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1588-156-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1588-404-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1620-444-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2784-77-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2784-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2784-240-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download