6bede486f098902186630667977203f607dc0046af1ff3eb007104bdaa0015d8

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe
Size

548KB
MD5

59cb2ee7fe981360d5d59f1db137fcd2
SHA1

997a93b61b532098d501bed3d102215728d7bff8
SHA256

6bede486f098902186630667977203f607dc0046af1ff3eb007104bdaa0015d8
SHA512

570cc815876b4c316dc0cb937e582715d9101a31d46fc45fc528d9a96e5f8730cc1d00511dc4c8b630753f88de878b877ccbfd6c7845b473f0350d959e6d9509
SSDEEP

6144:gQp+JNxNQl47Rdom4QRmzidNbd5jxNCpfH:gi+Xx+0ym4QR1dNb3jxABH

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2800	543_543.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	rundll32.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 5 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W32Time\TimeProviders\xyz\DllName = "C:\\CFLog\\\\5NE6K.2"	543_543.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W32Time\TimeProviders\xyz\Enabled = "1"	543_543.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W32Time\TimeProviders\xyz\InputProvider = "1"	543_543.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\xyz	543_543.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W32Time\TimeProviders\xyz	543_543.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2824	sc.exe
2188	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32\ = "="	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2800	543_543.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2288	DllHost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2800	2404	59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe	32
PID 2404 wrote to memory of 2800	2404	59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe	32
PID 2404 wrote to memory of 2800	2404	59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe	32
PID 2404 wrote to memory of 2800	2404	59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe	32
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2664	2800	543_543.exe	33
PID 2800 wrote to memory of 2824	2800	543_543.exe	34
PID 2800 wrote to memory of 2824	2800	543_543.exe	34
PID 2800 wrote to memory of 2824	2800	543_543.exe	34
PID 2800 wrote to memory of 2824	2800	543_543.exe	34
PID 2800 wrote to memory of 2188	2800	543_543.exe	36
PID 2800 wrote to memory of 2188	2800	543_543.exe	36
PID 2800 wrote to memory of 2188	2800	543_543.exe	36
PID 2800 wrote to memory of 2188	2800	543_543.exe	36
PID 2800 wrote to memory of 2916	2800	543_543.exe	37
PID 2800 wrote to memory of 2916	2800	543_543.exe	37
PID 2800 wrote to memory of 2916	2800	543_543.exe	37
PID 2800 wrote to memory of 2916	2800	543_543.exe	37
PID 2916 wrote to memory of 2812	2916	net.exe	40
PID 2916 wrote to memory of 2812	2916	net.exe	40
PID 2916 wrote to memory of 2812	2916	net.exe	40
PID 2916 wrote to memory of 2812	2916	net.exe	40

C:\Users\Admin\AppData\Local\Temp\59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59cb2ee7fe981360d5d59f1db137fcd2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\543_543.exe
  "C:\543_543.exe"
  2⤵
  - Executes dropped EXE
  - Boot or Logon Autostart Execution: Time Providers
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\windows\SysWOW64\rundll32.exe
    C:\windows\system32\rundll32.exe C:\CFLog\\5NE6K.2 itf2
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2664
- - C:\Windows\SysWOW64\sc.exe
    sc stop w32time
    3⤵
    - Launches sc.exe
    PID:2824
- - C:\Windows\SysWOW64\sc.exe
    sc config w32time start= auto
    3⤵
    - Launches sc.exe
    PID:2188
- - C:\Windows\SysWOW64\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CFLog\5NE6K.2

Filesize
157KB

MD5
f65ef7213a72120144eb2e842d99fcc6

SHA1
6a88dee31ec2d5d4752e6917e31ece91cc722bd5

SHA256
e6f9b7bb52aa7015ef7d14ecf9957f35fcc4c3d15e99676c463e657267869406

SHA512
f5b8f957d54b3843f9e6bc5566ef84059a28cae0fd4a42b387e6541972db6226eb03a6dfa7d413dc480edc4611c2ed2ce08b569322cbdeddc135523dc8dac0cc

Download Submit
C:\game.jpg

Filesize
20KB

MD5
778679c749fd8e3a927a77837538fcc3

SHA1
bf6d69cab5bdaa6707c2391109475dbed6442160

SHA256
92993c5ee7620dc82a36b7e6e01efa4280f3492f4068204bf5fd7e5aeca7c275

SHA512
7742d0a4f238a0db9e69344587d987762103c3e81f212721636d42c363ed7459735327acc32e7122d38b0142da47c06395dc49ac48422d365b7163877f6cd582

Download Submit
memory/2288-2-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2288-3-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2288-21-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download