Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 13-07-2024 04:29

Behavioral task: behavioral1
Sample: 4033c306822317449587d4b5d1c73f11_JaffaCakes118.exe
Resource: win7-20240704-en

General

Target: 4033c306822317449587d4b5d1c73f11_JaffaCakes118.exe
Size: 930KB
MD5: 4033c306822317449587d4b5d1c73f11
SHA1: 0d449d96a53587952007bb8535d4c7c348636295
SHA256: 1b8b92914d46d0fe519511a763dea159ec94cfcf053aeaa2de95222d16acf1a9
SHA512: c7d0a19f29779a82a647b22ad7a7b6809da928bd13062f910c9ee2fef655b0daee6ec32d6573ddb593d8cc71708dfb7a5e06d294f3616d14f757168b82f7225b
SSDEEP: 24576:WhZpvyEqq6Xpx/OVuhUGgbigASCglfhN0Sf6/A/bzzdKe:KpvIq6+hGg1rvySaA/HzdKe
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 2736, process 11.EXE

Loads dropped DLL (7 IoCs)
- pid 2728, process 4033c306822317449587d4b5d1c73f11_JaffaCakes118.exe
- pid 2736, process 11.EXE (6 identical entries)

YARA rule upx matched in memory
- resource behavioral1/memory/2728-0-0x0000000000400000-0x0000000000423000-memory.dmp: rule upx
- resource behavioral1/memory/2728-86-0x0000000000400000-0x0000000000423000-memory.dmp: rule upx

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (38 IoCs)
All entries are "File created" by process 11.EXE:
- C:\Program Files (x86)\CCleaner\Lang\lang-1052.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1051.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1050.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1045.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-2052.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1027.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1025.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1071.dll
- C:\Program Files (x86)\CCleaner\uninst.exe
- C:\Program Files (x86)\CCleaner\Lang\lang-1031.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1040.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1034.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1063.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1042.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-2070.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-2074.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1029.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1037.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1049.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1053.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1043.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1030.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1035.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1046.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1048.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1066.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1041.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1036.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1028.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1032.dll
- C:\Program Files (x86)\CCleaner\CCleaner.exe
- C:\Program Files (x86)\CCleaner\Lang\lang-1038.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1055.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-5146.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1044.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1110.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-3098.dll
- C:\Program Files (x86)\CCleaner\Lang\lang-1026.dll

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (4 IoCs)
- resource behavioral1/files/0x00070000000177da-5.dat: rule nsis_installer_1
- resource behavioral1/files/0x00070000000177da-5.dat: rule nsis_installer_2
- resource behavioral1/files/0x000500000001a298-80.dat: rule nsis_installer_1
- resource behavioral1/files/0x000500000001a298-80.dat: rule nsis_installer_2

Modifies registry class (20 IoCs)
All entries are by process 11.EXE:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files (x86)\\CCleaner\\ccleaner.exe\" /%1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files (x86)\\CCleaner\\ccleaner.exe /AUTO"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files (x86)\\CCleaner\\ccleaner.exe"

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2728 wrote to memory of 2736 (pid 2728, process 4033c306822317449587d4b5d1c73f11_JaffaCakes118.exe, procid_target 30) (7 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4033c306822317449587d4b5d1c73f11_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4033c306822317449587d4b5d1c73f11_JaffaCakes118.exe"
   PID: 2728
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7zS587C.tmp\11.EXE (child of process 1)
      Command line: .\11.EXE /S
      PID: 2736
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 111KB
MD5: 15ee9ee2163de8f0eb44dc8133ca2e00
SHA1: ae6fafe82739206533ef16a46488bd6eb03f0384
SHA256: 6055f3c9d6145a5a4d8d06356eaf36087e8430363430a0c2527f9091aef2e929
SHA512: eb07d5f65577d4038ae7b108f844341f05c4c5934db15ebc4468a830203ee36ca994510b8bca7c57ee88a63f3f900157e97ef7cba25a91a3e0a4917c5bf056dd

Filesize: 530B
MD5: e8eb777bb68333d1be7b588580d03210
SHA1: 83b70ba1f78f75e028fdcf4d1598508513179dab
SHA256: f15c6084ea5e32db0d9df47b63cdeb5f0b4d4b5b83c1892757e68b6f59ca8bbe
SHA512: 6e2f6951553118438cb63ea4623acf78d65c17e3af5b9b2d6dbdca6e9f8681b99ecdce58fe66c7af0e1e6951b495c909a42c85adc27c512f8c8afaa4afdba876

Filesize: 1.4MB
MD5: 77b5deed233a831c5b7b7307bf523fa5
SHA1: 5832387fa4e7fa057c3020be9c2f72ba78022dba
SHA256: 54e15970e99aa1d62bb8a4b422855fa8135f20dba88544f1e44300c6f7f9daee
SHA512: d2ef6b3f97eac4b2718a4cd24777d96057823d4e15102af650aa80ec24140c409d1c10cabf4ce2fa03d23304fe60133be1a327a53b5f3eca1a4cf1f3aa2d5961

Filesize: 899KB
MD5: 3ba70a80da5f6a2c1d80c057e746453c
SHA1: c23f9c009efc4bead35416d62ab993b01f0d623d
SHA256: 3c7530e569e1baf5a7b7d0ba33951a196812be09c7f712e68494612803d2e6b0
SHA512: 92c24c1bdd98a8710a0ec564bb2353b4493a74d97424a84d0165ea6b5d48bbe305683f6d5565bf52c3906a265890a479b69a04edabe0808dfbfeac1094ce6b93

Filesize: 10KB
MD5: 1a7a1f7fd0acd2ebe7722d56357a56da
SHA1: d6e952df2d3c33b923685087509eda5be1c53bdf
SHA256: 3b2f46ecabea3457a0e29847974ced9f26d617449812e485543d28d645cdd060
SHA512: cf02e30108ea7e584b5b01a8347142927973f0b4b25a03020075cafb2badbee4eec3bb7c4c5785928f4d1e86248983904f33c0df363ee5c4c53a973c7beb39aa