d892d750e4e55a63b386b7a2a7767af342eecc282b468d5c1f3c29c4763d567a

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
Size

99KB
MD5

492448878a7f702165b019cc71f676c9
SHA1

126e8a7ea1f5cddf5a9f4a20a03539291f03474b
SHA256

d892d750e4e55a63b386b7a2a7767af342eecc282b468d5c1f3c29c4763d567a
SHA512

acf6b482585fcf9839af47004d81b4efba9fb68b5bb1fbaeaabe112a65e6e5a77d5488901ac6e633557a76e5d5f4d557d83f98b79aeac6ce35a0796d01b2a7e0
SSDEEP

1536:adzCU+0hp8ocjK5b3jzvQXp9rZkCRn48N/oNL0Cx8YJabmGDf/EIpY0BEdsVhz06:alC278Ozv4hRnZNASCraHDf/Ex0KsGna

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\vrgeix.exe comsysapp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\vrgeix.exe comsysapp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\vrgeix.exe comsysapp"	regedit.exe

Deletes itself 1 IoCs

pid	Process
3704	rundll32.exe

Loads dropped DLL 9 IoCs

pid	Process
2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
3644	rundll32.exe
3644	rundll32.exe
3644	rundll32.exe
3644	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\vrgeix.exe	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\vrgeix.exe	rundll32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\vrgeix.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
3672	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	3704	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1908	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2072	1908	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2072	1908	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2072	1908	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2072	1908	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	30
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 2072 wrote to memory of 3644	2072	492448878a7f702165b019cc71f676c9_JaffaCakes118.exe	32
PID 3644 wrote to memory of 3672	3644	rundll32.exe	33
PID 3644 wrote to memory of 3672	3644	rundll32.exe	33
PID 3644 wrote to memory of 3672	3644	rundll32.exe	33
PID 3644 wrote to memory of 3672	3644	rundll32.exe	33
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34
PID 3644 wrote to memory of 3704	3644	rundll32.exe	34

C:\Users\Admin\AppData\Local\Temp\492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\492448878a7f702165b019cc71f676c9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\492448878a7f702165b019cc71f676c9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\492448878a7f702165b019cc71f676c9_JaffaCakes118.exe" TWO
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\vrgeixreg.dll",polmxhat
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\vrgeixreg.reg"
      4⤵
      Sets service image path in registry
      Runs .reg file with regedit
      PID:3672
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\vrgeix.dll",polmxhat
      4⤵
      Deletes itself
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vrgeixreg.reg

Filesize
1KB

MD5
c23ac01fc7adee94f86afaf5497afd3a

SHA1
d128ff9a9519db48cae29cfd6d328ff57f754717

SHA256
154e85c1f61a1ddb67863887b8b2112cec0714b9aae8fea8988f50c54668a882

SHA512
e2ff2a65d7dbeea8d5a510637d987bcba2a68c227157fcb9da90a20108d11cc9273027a66b06bcca41d170bc9fa9b267ee64d759a3a4550d7a17093a81320eb8

Download Submit
\Users\Admin\AppData\Local\Temp\vrgeix.dll

Filesize
71KB

MD5
1811e01187fc9a9cb41aef08bc4baeaf

SHA1
ed0f71d88651470ff53c7eceefb2bdc1ea34deba

SHA256
a61b1530023d0f8ef41f0dcb8cf8723714c7886c67b6347a2994a1ba71f1a6ab

SHA512
a31dfcf36101404273fac116798404b4ea2c9bb0a78893747e12a6dff07eac221b06340017fb7ebd458ec5be5e2dabe872733621ef2f3e353737e09bc4b661b9

Download Submit