97c3eaf231080b3cc8235380363fa67d2b87403812c1c42b17a9f6cfa79514ed

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe
Size

865KB
MD5

420da92844bbd2739f0d9148906899d8
SHA1

17b6c07722b5ec97622229fd83b6f54b71b50ebd
SHA256

97c3eaf231080b3cc8235380363fa67d2b87403812c1c42b17a9f6cfa79514ed
SHA512

eeb1dd35c456dc0a627e9f20bcb8dfe639e9c8a236158b1ec9524e86dc4f09a53697cc266c12332eeb5d48bef78a7a29c5e6add9713f3434fcc4d85bf5c465c9
SSDEEP

24576:7xU6g5A3QC6gG/GeeUH1ewJHLRwKtq4FY1jrsQnY:9U6g5tClNUV3HFht7FJQnY

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	RapidGet.exe

Loads dropped DLL 2 IoCs

pid	Process
264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe
2540	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RapidGet = "C:\\Users\\Admin\\AppData\\Roaming\\RapidGet\\RPGManager.exe"	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rpga = "C:\\Users\\Admin\\AppData\\Roaming\\RapidGet\\rpgchk.exe"	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{CE70F673-E2D3-4711-B329-4ADE0E524C6B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{CE70F673-E2D3-4711-B329-4ADE0E524C6B}"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEAB3553-F7EC-4685-90E0-C24720015386}\1.0\ = "RPDMgr 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr.1\ = "RapidGetDownloadMgr Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\0\win32	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7D8F1CA-D412-4A8C-9D2E-71CEBCA25585}\TypeLib	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\RapidGet"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\TypeLib\Version = "1.0"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7D8F1CA-D412-4A8C-9D2E-71CEBCA25585}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\RapidGet\\RapidGet.tlb"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\TypeLib	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEAB3553-F7EC-4685-90E0-C24720015386}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\FLAGS\ = "0"	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\TypeLib\Version = "1.0"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEAB3553-F7EC-4685-90E0-C24720015386}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\0	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\ProxyStubClsid32	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RapidGet.RapidGetUrlReceiver\CurVer	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7D8F1CA-D412-4A8C-9D2E-71CEBCA25585}\VersionIndependentProgID\ = "RapidGet.RapidGetUrlReceiver"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B57A4FA0-3077-4184-BC86-B1561EFC08A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr\ = "RapidGetDownloadMgr Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr\CLSID\ = "{CE70F673-E2D3-4711-B329-4ADE0E524C6B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RapidGet.RapidGetUrlReceiver.1\CLSID	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\ProxyStubClsid32	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\TypeLib\ = "{FEAB3553-F7EC-4685-90E0-C24720015386}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7D8F1CA-D412-4A8C-9D2E-71CEBCA25585}\Programmable	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\TypeLib\ = "{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}"	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEAB3553-F7EC-4685-90E0-C24720015386}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\RapidGet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RapidGet.RapidGetUrlReceiver\CLSID	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\ = "IRapidGetDownloadMgr"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RapidGet.RapidGetUrlReceiver\ = "RapidGetUrlReceiver Class"	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RapidGet.RapidGetUrlReceiver\CLSID\ = "{F7D8F1CA-D412-4A8C-9D2E-71CEBCA25585}"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7D8F1CA-D412-4A8C-9D2E-71CEBCA25585}\VersionIndependentProgID	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\TypeLib\ = "{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\ = "RapidGet 1.0 Type Library"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B7E579-C8B7-49FC-B0DF-08958A8F39C3}\1.0\HELPDIR	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr.1\CLSID\ = "{CE70F673-E2D3-4711-B329-4ADE0E524C6B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPDMgr.RapidGetDownloadMgr\CurVer\ = "RPDMgr.RapidGetDownloadMgr.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\ = "RapidGetDownloadMgr Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\RapidGet\\RPDMgr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEAB3553-F7EC-4685-90E0-C24720015386}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E5E9421-F4A8-4ED7-A3C2-E432218B588F}\ = "IRapidGetUrlReceiver"	RapidGet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE70F673-E2D3-4711-B329-4ADE0E524C6B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEAB3553-F7EC-4685-90E0-C24720015386}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RapidGet.RapidGetUrlReceiver\CurVer\ = "RapidGet.RapidGetUrlReceiver.1"	RapidGet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C974FC52-99FC-4756-8470-5A3AA65FC94D}\TypeLib\ = "{FEAB3553-F7EC-4685-90E0-C24720015386}"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2528	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	30
PID 264 wrote to memory of 2528	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	30
PID 264 wrote to memory of 2528	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	30
PID 264 wrote to memory of 2528	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	30
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2540	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	31
PID 264 wrote to memory of 2940	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	33
PID 264 wrote to memory of 2940	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	33
PID 264 wrote to memory of 2940	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	33
PID 264 wrote to memory of 2940	264	420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\420da92844bbd2739f0d9148906899d8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264
- C:\Users\Admin\AppData\Roaming\RapidGet\RapidGet.exe
  "C:\Users\Admin\AppData\Roaming\RapidGet\RapidGet.exe" /r
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2528
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\RapidGet\RPDMgr.dll"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rpgd.bat" "
  2⤵
  - Deletes itself
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rpgd.bat

Filesize
266B

MD5
f54cfece7bfb9a5e1ca5266816a00e2a

SHA1
6d097abf9d5c4e431c82981d09de951dc366c639

SHA256
bfd44c57b547a6df9624f7783e041092a6e15dd122a7f02fcc7127cac3a2476e

SHA512
eec9b85aef9a1d3cc5bfadbb587c429ea859793539254d190d6b616aa444dcff2b73af1bcc029dcead337c008206c0d76e0f6a471f7d236ad1e16b211707be37

Download Submit
C:\Users\Admin\AppData\Roaming\RapidGet\RPDMgr.dll

Filesize
111KB

MD5
ae6a5c99bb0986e24908d6fad5889821

SHA1
fc2618ad6a99364ce15cd48eab8c29a4bea9d9f1

SHA256
67e6ea67ba3e5c7b523947365ad69aeaef06dc1a43dadf43ee5d372c0746542e

SHA512
ae05458a77d6f7a718cb876b7d3146bb72a51611bf87d8e147cf3424f435d0c06009c8762c9a4eb3587b79c82c415e3574388caf5fec265c61fccac983b4c0a0

Download Submit
C:\Users\Admin\AppData\Roaming\RapidGet\RapidGet.tlb

Filesize
2KB

MD5
5ef736e80b473232db05a79093238269

SHA1
7b2218bc78ac54a49903c7917f752df9780e063d

SHA256
f308c8c8459b8f037cd67fdf17e5ca9f86ed9a798cffc8030dba63ae26d2edc5

SHA512
98a0025bea1f9ee62f9d2ce39b9df49fae91909aabe8548e033f64167d800e8d49de9c8c629c5408d82482a6a9918fc8d207ef99d2e9d7389ce8c14c724bc235

Download Submit
\Users\Admin\AppData\Roaming\RapidGet\RapidGet.exe

Filesize
727KB

MD5
a067a36e31506ccb377016692ad81670

SHA1
7c9b445caf21950499d61471fdf01cd0d7521a3f

SHA256
21a4fb016fd7fd4959d4dc03ba7240fd2b8466cd50c60b460c2b0303c94ee293

SHA512
86a4bce6c58fbbf4372368254e77802ef5d31c43b21c62b77eca2c66188989eff274d717a59bc317501843dc6415d109bf80fc7cde46598381f7faaab40410e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads