7ca24d5f18061ffa38ca3c7d32016741cdbc79bd5cd95c6489d19b0bc21050a0

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Size

1.5MB
MD5

439cd9d374c261bcec36054277770a5d
SHA1

fc63307b55bb3c0384cd026694af1f58d7219af5
SHA256

7ca24d5f18061ffa38ca3c7d32016741cdbc79bd5cd95c6489d19b0bc21050a0
SHA512

90b8838426530cae2cce8d557c7cb291557afb908e97e702d96fce3ace645a9a9b8b7e621b1934bf44a58b3ff4b621b1852145bc9009abc4a69e2f019002ff89
SSDEEP

24576:SnEfi53BFihkp3qYJc9+tSb88yFMeePgta6+ZTQ0ZUpMCZeIVbP2vvWGJRQc0h:uPUKVC9Or8UX/+ZTRZDC3jEvWGvs

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	Install.exe
1848	DLE.exe

Loads dropped DLL 8 IoCs

pid	Process
2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
2028	Install.exe
2028	Install.exe
1848	DLE.exe
1848	DLE.exe
1848	DLE.exe
1848	DLE.exe
1848	DLE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DLE Start = "C:\\Windows\\SysWOW64\\FCJUDU\\DLE.exe"	DLE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FCJUDU\	DLE.exe
File created	C:\Windows\SysWOW64\FCJUDU\DLE.004	Install.exe
File created	C:\Windows\SysWOW64\FCJUDU\DLE.001	Install.exe
File created	C:\Windows\SysWOW64\FCJUDU\DLE.002	Install.exe
File created	C:\Windows\SysWOW64\FCJUDU\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\FCJUDU\DLE.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	DLE.exe
1848	DLE.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Token: 33	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Token: 33	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
Token: 33	2028	Install.exe
Token: SeIncBasePriorityPrivilege	2028	Install.exe
Token: 33	1848	DLE.exe
Token: SeIncBasePriorityPrivilege	1848	DLE.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1848	DLE.exe
1848	DLE.exe
1848	DLE.exe
1848	DLE.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2288 wrote to memory of 2028	2288	439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe	31
PID 2028 wrote to memory of 1848	2028	Install.exe	32
PID 2028 wrote to memory of 1848	2028	Install.exe	32
PID 2028 wrote to memory of 1848	2028	Install.exe	32
PID 2028 wrote to memory of 1848	2028	Install.exe	32
PID 2028 wrote to memory of 1848	2028	Install.exe	32
PID 2028 wrote to memory of 1848	2028	Install.exe	32
PID 2028 wrote to memory of 1848	2028	Install.exe	32

C:\Users\Admin\AppData\Local\Temp\439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\439cd9d374c261bcec36054277770a5d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Windows Security Update\7.1.11.06\2011.12.01T06.42\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Windows Security Update\7.1.11.06\2011.12.01T06.42\Native\STUBEXE\@SYSTEM@\FCJUDU\DLE.exe
    "C:\Windows\system32\FCJUDU\DLE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FCJUDU\AKV.exe

Filesize
500KB

MD5
99fa157fd61fd84920f5e7f89afef293

SHA1
3f81cabe4d20c780a5204cc9cac2a21fcae23b76

SHA256
a3b9d5f318280b4a93b8079285d43807dfa3c69b1c58daaadfc8222a6ab01272

SHA512
9d5338a96ebea83094a2b18f41769463f800689cc7df6bd1e11735f9bdc4b6c379e05dcb7e28b28445859994e5d50f5d06514ef2b01fa3e1455ff8f265684b94

Download Submit
C:\Windows\SysWOW64\FCJUDU\DLE.002

Filesize
54KB

MD5
3e87c616fe2effbbc9f5338b2b1dd844

SHA1
fc3322c0f302377796ec21cf2d5e51d3221a0bf7

SHA256
846cddff950f8240e742a9b14a90daf7fd27959d927ca774259360bbaf1d07c0

SHA512
73d5f95378f4b1bce91fb572f40a1537eb41c71bb59814478d7fa0e5c7dbc20335166e8b00bd76572565b1ee837a2313548d186a68e12018bd807182243cd1b4

Download Submit
C:\Windows\SysWOW64\FCJUDU\DLE.004

Filesize
1KB

MD5
261635dd344ce231aaa74c56c2f4333a

SHA1
c38fb9a38f3a85e9345298472df09d301b030d89

SHA256
38d43948c2b826934ddc465ac670bba7f8c35dd275ee88f52bbddee1741b6a69

SHA512
dd9b7200e2bf53ca86e4e8eaa87b01ea9bbf87b8ed9613449ba1eab0894d0c98ec1ec82bf9ab3d16bf3b16000d4841b2bff0a6c5d5b755a89314dcfc873645b1

Download Submit
C:\Windows\SysWOW64\FCJUDU\DLE.exe

Filesize
1.7MB

MD5
b37aad7a36fbbb2d2054e082d590a76c

SHA1
b61e6e9a717c5105541d180ffd5c82ff1909072e

SHA256
11a3b8f8734f5aca98a7a3207464de7038168cabb0588e4bd54dae07cb7cfd32

SHA512
3c8afc6acc308e05247b077cc40e6ffbb9b5903545cc243555191a048e2d9f4fd9c530cb8fc99bfc6d9df7d376ccf0f498e1b78bb9a46e5595f91f2d654e43b1

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Windows Security Update\7.1.11.06\2011.12.01T06.42\Native\STUBEXE\@SYSTEM@\FCJUDU\DLE.exe

Filesize
17KB

MD5
6abdd9a0943e94b0088898e10b561e4c

SHA1
fdee45f8682ce6df232e6f0231880f0faaf4a25b

SHA256
59a94a8d125f285df793cc8ae052666086d57b9fc48319938bed22effe05ec60

SHA512
f38487d0201cc12908f0e17e164af788bc8537b7812704664c946174e325d2fbf84b4033ac6ba8efbb0ed7df9310944ad74ee0104b795bc8f103934c9d3192c1

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Windows Security Update\7.1.11.06\2011.12.01T06.42\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe

Filesize
17KB

MD5
c2a2f8028b08e2aec4c664822f3bb011

SHA1
b4401869718a56fc30475d525434ce67150e89ca

SHA256
361b0c49fd76247f85d260f755f1d35ec8c5e764516333d496d89de218208583

SHA512
b7f9ae4042d8f40d26baab87a7b87f713646d1bbffbc5529fc701731c35fcfab145af484cdc63a33ac972a69a048c125696e83a527cb8c6063a86ce242c32189

Download Submit
\Windows\SysWOW64\FCJUDU\DLE.001

Filesize
76KB

MD5
99c4625c590fe266ad78de0fc8869f27

SHA1
ce9eaefd037a1e522bf099817631cd9d9201ebba

SHA256
4a81ec57aac6f8d01e2c2bf26c023365220277fa34397ef40f8251209bda7e7d

SHA512
23dae90b83a373ad36902fae6dbbc85b3726f86830d2e768deab6fc43bb5c60fddb8a8a8a0ebf0dd4a72fed9568c47b32f20e8fdde1efde5cb6cecfed594b55b

Download Submit
memory/2288-49-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-39-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-187-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-265-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-264-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-249-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-234-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-219-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-190-0x0000000077E00000-0x0000000077E01000-memory.dmp

Filesize
4KB

Download
memory/2288-189-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-152-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-101-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-71-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-63-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-61-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-59-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-55-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-53-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-51-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-133-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-45-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-43-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-41-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-167-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-37-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-35-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-31-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-29-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-27-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-25-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-23-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-21-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-19-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-17-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-15-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-13-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-11-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-9-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-7-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-5-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-3-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-1-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-47-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-33-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-0-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download
memory/2288-630-0x0000000000550000-0x00000000005BC000-memory.dmp

Filesize
432KB

Download