3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Size

158KB
MD5

3b51fab717e281580abca9c62aaa9685
SHA1

74cd77630ace2fa629405f0665f34f1bb86419c1
SHA256

3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
SHA512

41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
SSDEEP

3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L

Score

10^/10

evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2895k76 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rt04lto.exe"	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rt04lto.exe

Executes dropped EXE 2 IoCs

pid	Process
3284	rt04lto.exe
4600	rt04lto.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x000800000002346b-5.dat	upx
behavioral2/memory/3284-7-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3284-22-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4600-23-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\osor.log	rt04lto.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3296	sc.exe
3276	sc.exe
4056	sc.exe
4436	sc.exe
2904	sc.exe
3108	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
3284	rt04lto.exe
3284	rt04lto.exe
3284	rt04lto.exe
4600	rt04lto.exe
4600	rt04lto.exe
4600	rt04lto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4660	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	88
PID 2368 wrote to memory of 4660	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	88
PID 2368 wrote to memory of 4660	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	88
PID 2368 wrote to memory of 4056	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	89
PID 2368 wrote to memory of 4056	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	89
PID 2368 wrote to memory of 4056	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	89
PID 2368 wrote to memory of 2352	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	91
PID 2368 wrote to memory of 2352	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	91
PID 2368 wrote to memory of 2352	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	91
PID 2368 wrote to memory of 4436	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	92
PID 2368 wrote to memory of 4436	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	92
PID 2368 wrote to memory of 4436	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	92
PID 2368 wrote to memory of 3284	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	93
PID 2368 wrote to memory of 3284	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	93
PID 2368 wrote to memory of 3284	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	93
PID 2368 wrote to memory of 956	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	97
PID 2368 wrote to memory of 956	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	97
PID 2368 wrote to memory of 956	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	97
PID 4660 wrote to memory of 4336	4660	net.exe	98
PID 4660 wrote to memory of 4336	4660	net.exe	98
PID 4660 wrote to memory of 4336	4660	net.exe	98
PID 2352 wrote to memory of 1088	2352	net.exe	99
PID 2352 wrote to memory of 1088	2352	net.exe	99
PID 2352 wrote to memory of 1088	2352	net.exe	99
PID 956 wrote to memory of 3888	956	Rundll32.exe	100
PID 956 wrote to memory of 3888	956	Rundll32.exe	100
PID 956 wrote to memory of 3888	956	Rundll32.exe	100
PID 2368 wrote to memory of 456	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	101
PID 2368 wrote to memory of 456	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	101
PID 2368 wrote to memory of 456	2368	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	101
PID 3284 wrote to memory of 2932	3284	rt04lto.exe	103
PID 3284 wrote to memory of 2932	3284	rt04lto.exe	103
PID 3284 wrote to memory of 2932	3284	rt04lto.exe	103
PID 3284 wrote to memory of 2904	3284	rt04lto.exe	104
PID 3284 wrote to memory of 2904	3284	rt04lto.exe	104
PID 3284 wrote to memory of 2904	3284	rt04lto.exe	104
PID 3284 wrote to memory of 1652	3284	rt04lto.exe	105
PID 3284 wrote to memory of 1652	3284	rt04lto.exe	105
PID 3284 wrote to memory of 1652	3284	rt04lto.exe	105
PID 3284 wrote to memory of 3108	3284	rt04lto.exe	106
PID 3284 wrote to memory of 3108	3284	rt04lto.exe	106
PID 3284 wrote to memory of 3108	3284	rt04lto.exe	106
PID 3284 wrote to memory of 4600	3284	rt04lto.exe	107
PID 3284 wrote to memory of 4600	3284	rt04lto.exe	107
PID 3284 wrote to memory of 4600	3284	rt04lto.exe	107
PID 1652 wrote to memory of 1704	1652	net.exe	112
PID 1652 wrote to memory of 1704	1652	net.exe	112
PID 1652 wrote to memory of 1704	1652	net.exe	112
PID 2932 wrote to memory of 1576	2932	net.exe	113
PID 2932 wrote to memory of 1576	2932	net.exe	113
PID 2932 wrote to memory of 1576	2932	net.exe	113
PID 3888 wrote to memory of 3364	3888	runonce.exe	114
PID 3888 wrote to memory of 3364	3888	runonce.exe	114
PID 3888 wrote to memory of 3364	3888	runonce.exe	114
PID 4600 wrote to memory of 1700	4600	rt04lto.exe	115
PID 4600 wrote to memory of 1700	4600	rt04lto.exe	115
PID 4600 wrote to memory of 1700	4600	rt04lto.exe	115
PID 4600 wrote to memory of 3276	4600	rt04lto.exe	116
PID 4600 wrote to memory of 3276	4600	rt04lto.exe	116
PID 4600 wrote to memory of 3276	4600	rt04lto.exe	116
PID 4600 wrote to memory of 4504	4600	rt04lto.exe	117
PID 4600 wrote to memory of 4504	4600	rt04lto.exe	117
PID 4600 wrote to memory of 4504	4600	rt04lto.exe	117
PID 4600 wrote to memory of 3296	4600	rt04lto.exe	118

C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:4336
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  PID:4056
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1088
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
  C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:2904
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
    C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -d716208E23EF9D708CB3A634430743C392DB8CDBD85E7C70E3559F88E78AED2BAA8D42B3684F8FEA06D19379885BBCBE3DD1EAD451AB1663A3A034E324F30C1B37C35C36C7971E90554158EC9609B959F6B5C410DA415FAFAEA58EE8659ADE7614017DECCF5EB0DBD1FD986D16CAF9ECBC875B68599C21B2C89AB145AE09F66D78492C96012501FCDB1807A2990552DAD26CB7A7AB44E9BCB970C3E616CB2A67B197C116C285C140D2B7C0852F769C759F69D398AECC99128D4D928A7C7834AAC106F8290D19D20DCEC9C0E9408992F67E957E0A57C3151DE42A1CF5FF93F38EFBA062A26E654BA0B9796A7366DA76B28EFDA9CB5DCAF71C5229272FA4CB794FFA84656FC800895210DEA310D0F46C1073999DBE2C6E9C55EF5C28BC348E5C4FEABE79364F7BCA79A6D534A351806B55939EF49F331B363517C4FDAADB6CF6D10D494AD14E539258E1AC0CDEEEF210BD7A083D3B158999FB7B75559FEA0AF73F775F6B2F52371845CB55CD8BC3E3FCA595E93A6F5B3390E6CE9A3481E4FE3FC181D29EF30CA93799A1D7BC944EEEE3691A5443004FBC986F8911C21474B446D7D9F14F1873290F9AC75E2
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      PID:1700
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:3600
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:3276
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:4480
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:3296
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:3364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat
  2⤵
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat

Filesize
218B

MD5
bc686b5b5dfc9fe33f1b9298988ffea4

SHA1
0f4aa7406da22b81e1e8c0413ede8f4d6077e063

SHA256
134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816

SHA512
6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdinstall.inf

Filesize
413B

MD5
ce1f2d7c8e36f3c085a5d281b9ebeb2f

SHA1
bbbfae948d625afe50f66f34282bda3974cfdce5

SHA256
312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c

SHA512
89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt04lto.exe

Filesize
158KB

MD5
3b51fab717e281580abca9c62aaa9685

SHA1
74cd77630ace2fa629405f0665f34f1bb86419c1

SHA256
3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e

SHA512
41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f

Download Submit
memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3284-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3284-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4600-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads