42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
Size

68KB
MD5

4cf07f0e00efc17fd43c685f2658c768
SHA1

87403314fa15b5b7c779d2b0131df6fb2958c994
SHA256

42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665
SHA512

bdbb08a6442defcd15442b69e15d505defffd06743c5d7e6da868fb12e4acc35953a7fa7e14fc5aca4e6536e6495f91887e9744d19a2b4026512fc18ef3db395
SSDEEP

768:6y/Asc3Q8Y97tPgADzMgNVcBE7KN0rWGdv/qhjOK0oUW8AOktxd1IdGvnS93k/:UA8utPg0VcBEKN4WKKQK0opdOkLdiW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 14 IoCs

pid	Process
2796	lssas.exe
2652	lssas.exe
2416	Isass.exe
2648	Isass.exe
1692	logon.exe
1936	logon.exe
688	firewall.exe
1032	firewall.exe
2392	lssas.exe
492	lssas.exe
748	spooIsv.exe
3004	spooIsv.exe
2832	winamp.exe
2792	winamp.exe

Loads dropped DLL 15 IoCs

pid	Process
2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
2796	lssas.exe
2652	lssas.exe
2652	lssas.exe
2648	Isass.exe
2648	Isass.exe
1936	logon.exe
1936	logon.exe
1032	firewall.exe
1032	firewall.exe
492	lssas.exe
492	lssas.exe
3004	spooIsv.exe
3004	spooIsv.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Isass.exe	lssas.exe
File created	C:\Windows\SysWOW64\eawd.bat	lssas.exe
File created	C:\Windows\SysWOW64\uvjym.bat	logon.exe
File opened for modification	C:\Windows\SysWOW64\spooIsv.exe	lssas.exe
File created	C:\Windows\SysWOW64\winamp.exe	spooIsv.exe
File created	C:\Windows\SysWOW64\vhubv.bat	spooIsv.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logon.exe	Isass.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	firewall.exe
File created	C:\Windows\SysWOW64\spooIsv.exe	lssas.exe
File created	C:\Windows\SysWOW64\lssas.exe	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Isass.exe	lssas.exe
File created	C:\Windows\SysWOW64\firewall.exe	logon.exe
File created	C:\Windows\SysWOW64\wmseqoiq.bat	lssas.exe
File created	C:\Windows\SysWOW64\phnoxra.bat	firewall.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	spooIsv.exe
File opened for modification	C:\Windows\SysWOW64\logon.exe	Isass.exe
File created	C:\Windows\SysWOW64\ewpkcef.bat	Isass.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	logon.exe
File created	C:\Windows\SysWOW64\lssas.exe	firewall.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 592 set thread context of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 2796 set thread context of 2652	2796	lssas.exe	33
PID 2416 set thread context of 2648	2416	Isass.exe	37
PID 1692 set thread context of 1936	1692	logon.exe	41
PID 688 set thread context of 1032	688	firewall.exe	45
PID 2392 set thread context of 492	2392	lssas.exe	49
PID 748 set thread context of 3004	748	spooIsv.exe	53
PID 2832 set thread context of 2792	2832	winamp.exe	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 592 wrote to memory of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 592 wrote to memory of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 592 wrote to memory of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 592 wrote to memory of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 592 wrote to memory of 2784	592	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	29
PID 2784 wrote to memory of 2800	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2800	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2800	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2800	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2796	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2796	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2796	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2796	2784	4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe	32
PID 2796 wrote to memory of 2652	2796	lssas.exe	33
PID 2796 wrote to memory of 2652	2796	lssas.exe	33
PID 2796 wrote to memory of 2652	2796	lssas.exe	33
PID 2796 wrote to memory of 2652	2796	lssas.exe	33
PID 2796 wrote to memory of 2652	2796	lssas.exe	33
PID 2796 wrote to memory of 2652	2796	lssas.exe	33
PID 2652 wrote to memory of 1524	2652	lssas.exe	34
PID 2652 wrote to memory of 1524	2652	lssas.exe	34
PID 2652 wrote to memory of 1524	2652	lssas.exe	34
PID 2652 wrote to memory of 1524	2652	lssas.exe	34
PID 2652 wrote to memory of 2416	2652	lssas.exe	36
PID 2652 wrote to memory of 2416	2652	lssas.exe	36
PID 2652 wrote to memory of 2416	2652	lssas.exe	36
PID 2652 wrote to memory of 2416	2652	lssas.exe	36
PID 2416 wrote to memory of 2648	2416	Isass.exe	37
PID 2416 wrote to memory of 2648	2416	Isass.exe	37
PID 2416 wrote to memory of 2648	2416	Isass.exe	37
PID 2416 wrote to memory of 2648	2416	Isass.exe	37
PID 2416 wrote to memory of 2648	2416	Isass.exe	37
PID 2416 wrote to memory of 2648	2416	Isass.exe	37
PID 2648 wrote to memory of 1612	2648	Isass.exe	38
PID 2648 wrote to memory of 1612	2648	Isass.exe	38
PID 2648 wrote to memory of 1612	2648	Isass.exe	38
PID 2648 wrote to memory of 1612	2648	Isass.exe	38
PID 2648 wrote to memory of 1692	2648	Isass.exe	40
PID 2648 wrote to memory of 1692	2648	Isass.exe	40
PID 2648 wrote to memory of 1692	2648	Isass.exe	40
PID 2648 wrote to memory of 1692	2648	Isass.exe	40
PID 1692 wrote to memory of 1936	1692	logon.exe	41
PID 1692 wrote to memory of 1936	1692	logon.exe	41
PID 1692 wrote to memory of 1936	1692	logon.exe	41
PID 1692 wrote to memory of 1936	1692	logon.exe	41
PID 1692 wrote to memory of 1936	1692	logon.exe	41
PID 1692 wrote to memory of 1936	1692	logon.exe	41
PID 1936 wrote to memory of 2084	1936	logon.exe	42
PID 1936 wrote to memory of 2084	1936	logon.exe	42
PID 1936 wrote to memory of 2084	1936	logon.exe	42
PID 1936 wrote to memory of 2084	1936	logon.exe	42
PID 1936 wrote to memory of 688	1936	logon.exe	44
PID 1936 wrote to memory of 688	1936	logon.exe	44
PID 1936 wrote to memory of 688	1936	logon.exe	44
PID 1936 wrote to memory of 688	1936	logon.exe	44
PID 688 wrote to memory of 1032	688	firewall.exe	45
PID 688 wrote to memory of 1032	688	firewall.exe	45
PID 688 wrote to memory of 1032	688	firewall.exe	45
PID 688 wrote to memory of 1032	688	firewall.exe	45
PID 688 wrote to memory of 1032	688	firewall.exe	45
PID 688 wrote to memory of 1032	688	firewall.exe	45
PID 1032 wrote to memory of 1668	1032	firewall.exe	46
PID 1032 wrote to memory of 1668	1032	firewall.exe	46

C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\giqqfbo.bat" "
    3⤵
    - Deletes itself
    PID:2800
- - C:\Windows\SysWOW64\lssas.exe
    C:\Windows\system32\lssas.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\lssas.exe
      C:\Windows\SysWOW64\lssas.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\eawd.bat" "
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\Isass.exe
        
        C:\Windows\system32\Isass.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\Isass.exe
        
        C:\Windows\SysWOW64\Isass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\ewpkcef.bat" "
        7⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\logon.exe
        
        C:\Windows\system32\logon.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\logon.exe
        
        C:\Windows\SysWOW64\logon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\uvjym.bat" "
        9⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\firewall.exe
        
        C:\Windows\system32\firewall.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\firewall.exe
        
        C:\Windows\SysWOW64\firewall.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\phnoxra.bat" "
        11⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\lssas.exe
        
        C:\Windows\system32\lssas.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2392
        
        C:\Windows\SysWOW64\lssas.exe
        
        C:\Windows\SysWOW64\lssas.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\wmseqoiq.bat" "
        13⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\spooIsv.exe
        
        C:\Windows\system32\spooIsv.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:748
        
        C:\Windows\SysWOW64\spooIsv.exe
        
        C:\Windows\SysWOW64\spooIsv.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\vhubv.bat" "
        15⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2832
        
        C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\SysWOW64\winamp.exe
        16⤵
        Executes dropped EXE
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\giqqfbo.bat

Filesize
243B

MD5
1daed5a967657ee9a169499a9eccfe72

SHA1
4e52bf4300f278c65e5d7703f2a6e9f7c23589ca

SHA256
87c97f6af8b0ccfbebc0ff3eeacf2283a8821f074638c238537fd376c28caf60

SHA512
c60fdbbc0f45f5e62bb27b3d496a467d41309cb6387b47f75a0613b87871c15c47e69c4f234248e6e9720aa257410608b302ce925cd3a6447e4c66c97c46c63f

Download Submit
C:\Windows\SysWOW64\eawd.bat

Filesize
117B

MD5
e8585d47bc61e1578b754f2ce2d8d45b

SHA1
e81ebab7b3fe097b1d2c84213fa569772636385a

SHA256
7c38dce26178669bbb4432fc78cd793ca73580a5075bedde0be09a59f8c4574f

SHA512
b44b96620ce339ac2bfb99728f3c5a2988c41a3880f6aa9f3346d45b7bb2bd99badd05933847f3d1afb37feb961f344a917c2efce33cfa36bd8aa83191b0a3d6

Download Submit
C:\Windows\SysWOW64\ewpkcef.bat

Filesize
120B

MD5
c98c116161bed6b134ff6ed70c43cf3e

SHA1
d20469ac8af08effbdcc137016fbd81be98a16f1

SHA256
346ed745f00fd635bb2cec89b2505b630f458b035e41ac71a0d75c15fd7776c1

SHA512
1d9c88c3601615247266b1970ecef1a6c2060038295a57c86854d3089fe63b1b3adc3f7934cb18b806dcebfde9e4de7b8cafb52b378eb2159439efb3bd5530a0

Download Submit
C:\Windows\SysWOW64\lssas.exe

Filesize
68KB

MD5
4cf07f0e00efc17fd43c685f2658c768

SHA1
87403314fa15b5b7c779d2b0131df6fb2958c994

SHA256
42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665

SHA512
bdbb08a6442defcd15442b69e15d505defffd06743c5d7e6da868fb12e4acc35953a7fa7e14fc5aca4e6536e6495f91887e9744d19a2b4026512fc18ef3db395

Download Submit
C:\Windows\SysWOW64\phnoxra.bat

Filesize
129B

MD5
82deffcfc9614af2f42dbdd53e81d1a0

SHA1
814ed57997d211ef58f6df5681a36f7b47193c5a

SHA256
5e67ad9295aad3f4562b21d840d196274471d26324d87a40eaba3585ea9b8d8c

SHA512
d6240ddbbbe478888237e6832547b1b390a55a8268ffc788c4316e2be8af4bc3fdebd54b9573114838ae08c78eafb3373911575076be6a0a62650e0d6f22e64a

Download Submit
C:\Windows\SysWOW64\uvjym.bat

Filesize
118B

MD5
a0c6cf1da978ea30c588b2fb1eec0640

SHA1
2b3234f2b841585415163f934eafb4ed073cf38d

SHA256
36b4ac17d1e1f1ac5a924b54947748d258d9e4bd59dc84966ed6255fe2c9530b

SHA512
668ffb9145bb7cfacfb5e0a1723a939809dbde3e0b139c1312f3066687dab20feeb30bb1ec02847af5f57bd6514ebcefe96f24b287f2941657aa81ef90dbefb0

Download Submit
C:\Windows\SysWOW64\vhubv.bat

Filesize
124B

MD5
60a603f3a0b8c92ce42bb3f2cc25559d

SHA1
d99c8af81c16b4ffe05fbfe304a7fd4226648b29

SHA256
0bbfdb720aa3e7e6260de3c4b3d6aee5e3dc778d70e4445aa50747808c91565c

SHA512
a9e33f24e2caa468ba56c1e77d9428fae5163375680190e34ec5c7ac574cb97e6ad3de38defc67b82a0bb6066ac434dcd4c43bdcf60297915932a85f217cfc09

Download Submit
C:\Windows\SysWOW64\wmseqoiq.bat

Filesize
121B

MD5
505340b52dc0ba479c3a14ec6cc3212e

SHA1
3db4e595ffc17cae826cac3703b09b1f54421062

SHA256
3b483bbb3907bfd8bde839df0f508869c539265c8645d51c71cc1dcc8458bbab

SHA512
d7bd55338da375e8d3898fe63124fb807f0c2df907aa8607b3e8fcf4d44e7ed54b0ce0a0693a95db93df612b97e9256319f865a461f110183df94d826c3b2f2b

Download Submit
memory/592-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/592-6-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/688-135-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/688-129-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/748-194-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/748-187-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1692-107-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1692-99-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2392-157-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2392-165-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2416-68-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2416-76-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2648-95-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2648-97-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2652-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-65-0x0000000002A80000-0x0000000002A94000-memory.dmp

Filesize
80KB

Download
memory/2652-66-0x0000000002A80000-0x0000000002A94000-memory.dmp

Filesize
80KB

Download
memory/2652-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-29-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/2784-30-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/2784-9-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2784-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-5-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-32-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2796-42-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2832-215-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2832-222-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download