2e94a9e5bc50fbf0116cad613fd2311834b49ef61dc68864320bb892bfbf36d0

Analysis

max time kernel
27s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe
Size

60KB
MD5

3bda594b9f74d91b68cd8928101d3837
SHA1

319152570f8f8afe7fae78829345c5c1a0c96119
SHA256

2e94a9e5bc50fbf0116cad613fd2311834b49ef61dc68864320bb892bfbf36d0
SHA512

75bf17ac5cfdbf8349d0eb4b445db9f9a6b3340173c465caf16bdbc2244b22ea61f8f65620cb02d78746ee9dd1eefd52ff21d3c8705b22c13b8ec0eef4d3cf87
SSDEEP

1536:PmsoBCOLT3Nvqyt2KLLtIJWVStm1wDOJznouy8:PkpN7tjLWJWRYOpout

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\esdatp\StubPath = "C:\\Windows\\system32\\esdatp.exe"	batchfile.bat
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\lyeumtq	spba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\lyeumtq\StubPath = "C:\\Windows\\system32\\lyeumtq.exe"	spba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\tubnjw	avdvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\tubnjw\StubPath = "C:\\Windows\\system32\\tubnjw.exe"	avdvt.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\tetvvnem	iryn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\tetvvnem\StubPath = "C:\\Windows\\system32\\tetvvnem.exe"	iryn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\esdatp	batchfile.bat

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\services	batchfile.bat
File opened for modification	C:\Windows\system32\drivers\etc\services	spba.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	avdvt.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	iryn.exe

Executes dropped EXE 6 IoCs

pid	Process
2332	b2e.exe
2200	batchfile.bat
2744	spba.exe
1304	avdvt.exe
2236	iryn.exe
2584	ibrve.exe

Loads dropped DLL 14 IoCs

pid	Process
3060	3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe
3060	3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe
2332	b2e.exe
2332	b2e.exe
2332	b2e.exe
2332	b2e.exe
2200	batchfile.bat
2200	batchfile.bat
2744	spba.exe
2744	spba.exe
1304	avdvt.exe
1304	avdvt.exe
2236	iryn.exe
2236	iryn.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/3060-10-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x0008000000014481-16.dat	upx
behavioral1/memory/2332-22-0x0000000002100000-0x000000000212B000-memory.dmp	upx
behavioral1/memory/2200-32-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2744-47-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2200-45-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2744-72-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1304-73-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2236-89-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1304-88-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2584-104-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2236-106-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2584-109-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunDLL32 = "C:\\Windows\\system32\\spba.exe"	batchfile.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunDLL32 = "C:\\Windows\\system32\\avdvt.exe"	spba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunDLL32 = "C:\\Windows\\system32\\iryn.exe"	avdvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunDLL32 = "C:\\Windows\\system32\\ibrve.exe"	iryn.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spba.exe	batchfile.bat
File created	C:\Windows\SysWOW64\esdatp.exe	batchfile.bat
File opened for modification	C:\Windows\SysWOW64\avdvt.exe	spba.exe
File created	C:\Windows\SysWOW64\iryn.exe	avdvt.exe
File opened for modification	C:\Windows\SysWOW64\iryn.exe	avdvt.exe
File created	C:\Windows\SysWOW64\tetvvnem.exe	iryn.exe
File created	C:\Windows\SysWOW64\spba.exe	batchfile.bat
File created	C:\Windows\SysWOW64\avdvt.exe	spba.exe
File created	C:\Windows\SysWOW64\lyeumtq.exe	spba.exe
File created	C:\Windows\SysWOW64\tubnjw.exe	avdvt.exe
File created	C:\Windows\SysWOW64\ibrve.exe	iryn.exe
File opened for modification	C:\Windows\SysWOW64\ibrve.exe	iryn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2200	batchfile.bat
Token: SeSystemtimePrivilege	2200	batchfile.bat
Token: SeSystemtimePrivilege	2200	batchfile.bat
Token: SeSystemtimePrivilege	2200	batchfile.bat
Token: SeSystemtimePrivilege	2744	spba.exe
Token: SeSystemtimePrivilege	2744	spba.exe
Token: SeSystemtimePrivilege	2744	spba.exe
Token: SeSystemtimePrivilege	2744	spba.exe
Token: SeSystemtimePrivilege	1304	avdvt.exe
Token: SeSystemtimePrivilege	1304	avdvt.exe
Token: SeSystemtimePrivilege	1304	avdvt.exe
Token: SeSystemtimePrivilege	1304	avdvt.exe
Token: SeSystemtimePrivilege	2236	iryn.exe
Token: SeSystemtimePrivilege	2236	iryn.exe
Token: SeSystemtimePrivilege	2236	iryn.exe
Token: SeSystemtimePrivilege	2236	iryn.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2332	3060	3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2332	3060	3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2332	3060	3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2332	3060	3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2200	2332	b2e.exe	31
PID 2332 wrote to memory of 2200	2332	b2e.exe	31
PID 2332 wrote to memory of 2200	2332	b2e.exe	31
PID 2332 wrote to memory of 2200	2332	b2e.exe	31
PID 2200 wrote to memory of 2744	2200	batchfile.bat	32
PID 2200 wrote to memory of 2744	2200	batchfile.bat	32
PID 2200 wrote to memory of 2744	2200	batchfile.bat	32
PID 2200 wrote to memory of 2744	2200	batchfile.bat	32
PID 2332 wrote to memory of 2724	2332	b2e.exe	33
PID 2332 wrote to memory of 2724	2332	b2e.exe	33
PID 2332 wrote to memory of 2724	2332	b2e.exe	33
PID 2332 wrote to memory of 2724	2332	b2e.exe	33
PID 2744 wrote to memory of 1304	2744	spba.exe	35
PID 2744 wrote to memory of 1304	2744	spba.exe	35
PID 2744 wrote to memory of 1304	2744	spba.exe	35
PID 2744 wrote to memory of 1304	2744	spba.exe	35
PID 1304 wrote to memory of 2236	1304	avdvt.exe	36
PID 1304 wrote to memory of 2236	1304	avdvt.exe	36
PID 1304 wrote to memory of 2236	1304	avdvt.exe	36
PID 1304 wrote to memory of 2236	1304	avdvt.exe	36
PID 2236 wrote to memory of 2584	2236	iryn.exe	37
PID 2236 wrote to memory of 2584	2236	iryn.exe	37
PID 2236 wrote to memory of 2584	2236	iryn.exe	37
PID 2236 wrote to memory of 2584	2236	iryn.exe	37

C:\Users\Admin\AppData\Local\Temp\3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\A7A5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A7A5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A7A5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\3bda594b9f74d91b68cd8928101d3837_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\A802.tmp\batchfile.bat
    "C:\Users\Admin\AppData\Local\Temp\A802.tmp\batchfile.bat"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\spba.exe
      "C:\Windows\system32\spba.exe" 0C:\Users\Admin\AppData\Local\Temp\A802.tmp\batchfile.bat
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\avdvt.exe
        
        "C:\Windows\system32\avdvt.exe" 0C:\Windows\SysWOW64\spba.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\SysWOW64\iryn.exe
        
        "C:\Windows\system32\iryn.exe" 0C:\Windows\SysWOW64\avdvt.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\ibrve.exe
        
        "C:\Windows\system32\ibrve.exe" 0C:\Windows\SysWOW64\iryn.exe
        7⤵
        Executes dropped EXE
        
        PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
e8fb811d8a3042dd4da0cf66cc7674bc

SHA1
b1376414ffe25eb5ff0e3c31c694e80c7ae58acf

SHA256
1b78fc5803e691894f89b71dbd6c946365a630a9a86c4595cd62606c23182789

SHA512
9a1c0e76e597ff900299045d0f5b157636e3650a9ed1aad2dbdd30b420f66ad87df28877b9a4bb809ec3d3ac659cb936c519f000b80a0182f5a639df88141594

Download Submit
C:\Windows\system32\drivers\etc\services

Filesize
17KB

MD5
d9e1a01b480d961b7cf0509d597a92d6

SHA1
a6c322bf661502b33ab802de67022dd21ac87d9a

SHA256
b26309dfd89a9cc94481536b4d662941429df79873bb59620f53db939ff5ec29

SHA512
c8653c60d702a29e5bc68cc4dd09baf0d022d6687eb0e3c7731e6a3ebbeaaf17b127bd970fad53140c4155faf70697b631e1b7fd03318d340ae2ee8813e7ad69

Download Submit
\Users\Admin\AppData\Local\Temp\A7A5.tmp\b2e.exe

Filesize
63KB

MD5
51495cd9715541d80e09b5cf47b1bc92

SHA1
a24795e917d3ca66bbc7f6def31447a9ee62b1cb

SHA256
e741ab59f3e13d4da463d8e5756264f266a293c9faf9a15ebdce96bab215d1c6

SHA512
ffe56477d1b513d4b20a33f0ba71d805a0073d6ab1b249d11e3254073b63568cea4d2f2e1ca943132531abc05be6cec5d350f1593068f2eae217aa3ebd4fc9b7

Download Submit
\Users\Admin\AppData\Local\Temp\A802.tmp\batchfile.bat

Filesize
55KB

MD5
f5e0d02aef7c1e449eeb56cd3d39b362

SHA1
4078c3e444da907ac899e4d629339230ff4a6773

SHA256
0eaf6124be27a0aee7a551f4a657b7903b65def69f040b43855135b710073310

SHA512
7e3e837c010856f743962a7d042d4606897bdc62bee33efdd8e2734a3598f23481e87b9d61610968672fae28ff1c39c03b98545cff7d13fa42401b6ee739993d

Download Submit
memory/1304-88-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1304-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-45-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-106-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-102-0x0000000000580000-0x00000000005AB000-memory.dmp

Filesize
172KB

Download
memory/2236-103-0x0000000000580000-0x00000000005AB000-memory.dmp

Filesize
172KB

Download
memory/2332-22-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/2332-23-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/2332-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2332-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2332-30-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/2584-104-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2584-109-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-47-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3060-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3060-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads