23119ac962ffbcac92d205d0ad4759be01c6c33b50666b7696130b7dbc546c79

Analysis

max time kernel
140s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe
Size

448KB
MD5

4b12df6d6f224c8364fe1fa0800fe585
SHA1

2d475c6bc871a2b39e4a2b8207bb3bb0278127a5
SHA256

23119ac962ffbcac92d205d0ad4759be01c6c33b50666b7696130b7dbc546c79
SHA512

39188a5180220550ea490696fe86c4989e903b1e23bc3139b7a30b6e5feb8219c5bb79bc46986ed13c0e039e15542e7dbe65d957e64886aed280becfe61f2f19
SSDEEP

6144:aiDXUqfmeGqfXDXibVNMAySn/su3G0r0:Nme3yVNMA/sulo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\windows\\svchost.exe"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2080	svchost.exe
2844	dllhost.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Drops autorun.inf file 1 TTPs 24 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\i:\Autorun.inf	svchost.exe
File opened for modification	\??\q:\Autorun.inf	svchost.exe
File opened for modification	\??\s:\Autorun.inf	svchost.exe
File opened for modification	\??\v:\Autorun.inf	svchost.exe
File opened for modification	\??\h:\Autorun.inf	svchost.exe
File opened for modification	\??\k:\Autorun.inf	svchost.exe
File opened for modification	\??\m:\Autorun.inf	svchost.exe
File opened for modification	\??\o:\Autorun.inf	svchost.exe
File opened for modification	\??\p:\Autorun.inf	svchost.exe
File opened for modification	\??\t:\Autorun.inf	svchost.exe
File opened for modification	\??\u:\Autorun.inf	svchost.exe
File opened for modification	\??\x:\Autorun.inf	svchost.exe
File opened for modification	\??\g:\Autorun.inf	svchost.exe
File opened for modification	\??\}:\Autorun.inf	svchost.exe
File opened for modification	\??\z:\Autorun.inf	svchost.exe
File opened for modification	\??\l:\Autorun.inf	svchost.exe
File opened for modification	\??\n:\Autorun.inf	svchost.exe
File opened for modification	\??\y:\Autorun.inf	svchost.exe
File opened for modification	\??\{:\Autorun.inf	svchost.exe
File opened for modification	\??\j:\Autorun.inf	svchost.exe
File opened for modification	\??\r:\Autorun.inf	svchost.exe
File opened for modification	\??\w:\Autorun.inf	svchost.exe
File opened for modification	\??\\|:\Autorun.inf	svchost.exe
File opened for modification	\??\e:\Autorun.inf	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\windows\svchost.exe	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe
File opened for modification	C:\windows\svchost.exe	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe
File opened for modification	C:\windows\dllhost.exe	svchost.exe
File opened for modification	\??\c:\windows\ravfree.exe	dllhost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000e45828ac100041646d696e00380008000400efbee4587ba7e45828ac2a00000038000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c00310000000000e4584ca910204c6f63616c00380008000400efbee4587ba7e4584ca92a000000070200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5200310000000000e4587ba7122041707044617461003c0008000400efbee4587ba7e4587ba72a000000f40100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000e4587ba71100557365727300600008000400efbeee3a851ae4587ba72a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000ef582a9b102054656d700000360008000400efbee4587ba7ef582a9b2a00000008020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe
2080	svchost.exe
2844	dllhost.exe
2648	explorer.exe
2648	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1276	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1276	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1276	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1276	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2080	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2080	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2080	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2080	3032	4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2664	2080	svchost.exe	33
PID 2080 wrote to memory of 2664	2080	svchost.exe	33
PID 2080 wrote to memory of 2664	2080	svchost.exe	33
PID 2080 wrote to memory of 2664	2080	svchost.exe	33
PID 2080 wrote to memory of 2844	2080	svchost.exe	35
PID 2080 wrote to memory of 2844	2080	svchost.exe	35
PID 2080 wrote to memory of 2844	2080	svchost.exe	35
PID 2080 wrote to memory of 2844	2080	svchost.exe	35
PID 2080 wrote to memory of 3024	2080	svchost.exe	36
PID 2080 wrote to memory of 3024	2080	svchost.exe	36
PID 2080 wrote to memory of 3024	2080	svchost.exe	36
PID 2080 wrote to memory of 3024	2080	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b12df6d6f224c8364fe1fa0800fe585_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1276
- C:\windows\svchost.exe
  C:\windows\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c date 1980-01-01
    3⤵
    PID:2664
- - C:\windows\dllhost.exe
    C:\windows\dllhost.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c date 2024-7-15
    3⤵
    PID:3024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dllhost.exe

Filesize
372KB

MD5
d562f7073f109d7efd05c790fb5899c2

SHA1
20668afa5117627195092bd00b42777e28e18c1f

SHA256
aa9e5b5716e85d8f7e81bc24d95300e67b595bfa4acec9e316b32256b4d7e364

SHA512
aed3aa12d75d51f0d0241ab66166e8ff9a69287870f920d3bbe09c4215cbe4eef11154d3d25610d6452a6686acde88eb46b9987e88ee2c29f966cf7a9d9d2809

Download Submit
C:\Windows\svchost.exe

Filesize
448KB

MD5
4b12df6d6f224c8364fe1fa0800fe585

SHA1
2d475c6bc871a2b39e4a2b8207bb3bb0278127a5

SHA256
23119ac962ffbcac92d205d0ad4759be01c6c33b50666b7696130b7dbc546c79

SHA512
39188a5180220550ea490696fe86c4989e903b1e23bc3139b7a30b6e5feb8219c5bb79bc46986ed13c0e039e15542e7dbe65d957e64886aed280becfe61f2f19

Download Submit
memory/2648-13-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads