3c39d3e0c71b9900d611406b1c195a3ab9524a9b76ee44ca4e06c778a22eb564

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
Size

84KB
MD5

5b76ceab943bb62e94635d54ec1c1449
SHA1

2c0f767a0078edb9358e4abdffdfa369d1e1e85f
SHA256

3c39d3e0c71b9900d611406b1c195a3ab9524a9b76ee44ca4e06c778a22eb564
SHA512

327de28dee2d2e2facdb14ed6f71f9494c7c3f5dbe2ad738704d3592c552bf6f92e6119c005d2cca712f0f0d19a3595cd5a421b54e852a9a866394d7aee8ef8f
SSDEEP

1536:T6ggfUfojGnRR1J0+6Q230jgBhVulU8KgKFVXljQG6q8+V:T6uxJ0+yBz6jK9XtQ88+V

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
49	2624	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\Wdcp.dll"	laass.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\Wdcp.dll"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023443-22.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	laass.exe

Loads dropped DLL 2 IoCs

pid	Process
3880	laass.exe
2624	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS"	laass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS"	rundll32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Progra~1\%Program Files%\Cest.bat	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File created	C:\Progra~1\%Program Files%\~	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File created	C:\Progra~1\%Program Files%\Wdcp.dll	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File opened for modification	C:\Progra~1\%Program Files%\Wdcp.dll	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\%Program Files%	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File created	C:\Progra~1\%Program Files%\laass.exe	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File created	C:\Progra~1\%Program Files%\363.VBS	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\best.bat	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
File created	C:\windows\362.vbs	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe
3880	laass.exe
3880	laass.exe
2624	rundll32.exe
2624	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2624	rundll32.exe
3880	laass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3880	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	87
PID 4240 wrote to memory of 3880	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	87
PID 4240 wrote to memory of 3880	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	87
PID 4240 wrote to memory of 2624	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	88
PID 4240 wrote to memory of 2624	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	88
PID 4240 wrote to memory of 2624	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	88
PID 4240 wrote to memory of 544	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	89
PID 4240 wrote to memory of 544	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	89
PID 4240 wrote to memory of 544	4240	5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b76ceab943bb62e94635d54ec1c1449_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files\%Program Files%\laass.exe
  "C:\Program Files\%Program Files%\laass.exe" Wdcp.dll main
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3880
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" Wdcp.dll main
  2⤵
  - Blocklisted process makes network request
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5B76CE~1.EXE > nul & rd c:\%Progr~1 > nul
  2⤵
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\%Program Files%\Wdcp.dll

Filesize
21.1MB

MD5
4fb7bfe9b0561bb4050916450810cc29

SHA1
abf0f3f5b4c719795282d7479866bac139da516e

SHA256
c419cd8798828b8e07e886c82d3412138962f2145c5f01cc0c7301c252462aac

SHA512
02ce3aa9b554c489e81278a7949894ca5e7f5eaf2ee62e7b7cef5323e4565574c2786fc51ac493f20775f9a9d763fd677496beb7d743b6dd8429485f45385879

Download Submit
C:\Program Files\%Program Files%\laass.exe

Filesize
9KB

MD5
359c541c07a39ab11bb45aad29b2d2ce

SHA1
3c4f277f184ae306a4d0efe1bcb9e03ecabbb9b7

SHA256
6e2378348ebebf5b301744fedb0be396ef4e7e92ad94877da79eed9eb46850d5

SHA512
768050272dd4875a4c2a6a96f6337334c05d1512dfc0cc9ceee883a7c701de5e2e90872a6f9029de5b528b74c07cb8aa61c10f9f9e834f8021e9759136fcfbff

Download Submit
\??\c:\ntldr.sys

Filesize
90B

MD5
2decc7673a337ecad80bbbfed8a524bb

SHA1
7a0ade42fc8d51817572919584e0ef1a3c7bf18c

SHA256
7290f853e512f2c5d401ac03dbcb2e5f0dd6bf27e5dc51b7f476a33ea9d94974

SHA512
8c608695079866acc9c2d4486841688f93cc1e632534058c9ffbb7e95c197a0e4ac6da422ce67a60aca7ccd887df85c3cd225f24d0214b050ffa98cb76145d82

Download Submit
memory/2624-28-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2624-32-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3880-29-0x0000000010001000-0x0000000010027000-memory.dmp

Filesize
152KB

Download
memory/3880-27-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3880-31-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3880-33-0x0000000010001000-0x0000000010027000-memory.dmp

Filesize
152KB

Download
memory/4240-0-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/4240-23-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/4240-24-0x0000000000401000-0x000000000041A000-memory.dmp

Filesize
100KB

Download
memory/4240-1-0x0000000000401000-0x000000000041A000-memory.dmp

Filesize
100KB

Download