cfb918dff19f116dc17cd08ca2e9aca1d10eb2b8c5239146045154d614d9c240

Analysis

max time kernel
142s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
Size

654KB
MD5

5d7bbd8f8d2858b947ebbbf5e8366c02
SHA1

0ebfba42374fea084b32522060a46c14d39e0c4c
SHA256

cfb918dff19f116dc17cd08ca2e9aca1d10eb2b8c5239146045154d614d9c240
SHA512

44cad738aca3660f598b7661b859c96db9e64e60682b86cb64a2f118f97aaa444548fa63ec5201b75220e9b160ddf53ec369859e5d7f241ea85248fb5eb59d1b
SSDEEP

12288:wrmZGB/ZxZ2jcrRKpzqQDaDQx76kvsz3J1R7JiYitaLoSp:wr3VZxZ2C8zqQ+QV6s6Z1N8O

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1004	svcdbpk.exe

Loads dropped DLL 5 IoCs

pid	Process
1588	cmd.exe
2688	rundll32.exe
1004	svcdbpk.exe
1004	svcdbpk.exe
1004	svcdbpk.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1288-7-0x0000000000400000-0x0000000001954000-memory.dmp	upx
behavioral1/memory/1288-59-0x0000000000400000-0x0000000001954000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\ime\svcdbpk.exe	cmd.exe
File opened for modification	C:\Windows\Debug\tb.dat	cmd.exe
File created	C:\Windows\ime\scripts.ini	cmd.exe
File opened for modification	C:\Windows\ime\winxp.dat	cmd.exe
File created	C:\Windows\ime\winxp.dat	cmd.exe
File opened for modification	C:\Windows\ime\svcdbpk.exe	cmd.exe
File opened for modification	C:\Windows\ime\de-DE\svcdbpk.ini	svcdbpk.exe
File created	C:\Windows\ime\de-DE\msadotb.htm	svcdbpk.exe
File created	C:\Windows\Debug\error.gg	cmd.exe
File opened for modification	C:\Windows\Debug\win.dat	cmd.exe
File opened for modification	C:\Windows\ime\scripts.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1812	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	svcdbpk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2688	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	svcdbpk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	tasklist.exe
Token: 33	1004	svcdbpk.exe
Token: SeIncBasePriorityPrivilege	1004	svcdbpk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1004	svcdbpk.exe
1004	svcdbpk.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1588	1288	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1588	1288	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1588	1288	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1588	1288	5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe	30
PID 1588 wrote to memory of 1720	1588	cmd.exe	33
PID 1588 wrote to memory of 1720	1588	cmd.exe	33
PID 1588 wrote to memory of 1720	1588	cmd.exe	33
PID 1588 wrote to memory of 1720	1588	cmd.exe	33
PID 1588 wrote to memory of 2744	1588	cmd.exe	34
PID 1588 wrote to memory of 2744	1588	cmd.exe	34
PID 1588 wrote to memory of 2744	1588	cmd.exe	34
PID 1588 wrote to memory of 2744	1588	cmd.exe	34
PID 1588 wrote to memory of 1812	1588	cmd.exe	35
PID 1588 wrote to memory of 1812	1588	cmd.exe	35
PID 1588 wrote to memory of 1812	1588	cmd.exe	35
PID 1588 wrote to memory of 1812	1588	cmd.exe	35
PID 1588 wrote to memory of 2864	1588	cmd.exe	36
PID 1588 wrote to memory of 2864	1588	cmd.exe	36
PID 1588 wrote to memory of 2864	1588	cmd.exe	36
PID 1588 wrote to memory of 2864	1588	cmd.exe	36
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 2688	1588	cmd.exe	38
PID 1588 wrote to memory of 1004	1588	cmd.exe	39
PID 1588 wrote to memory of 1004	1588	cmd.exe	39
PID 1588 wrote to memory of 1004	1588	cmd.exe	39
PID 1588 wrote to memory of 1004	1588	cmd.exe	39
PID 1588 wrote to memory of 1004	1588	cmd.exe	39
PID 1588 wrote to memory of 1004	1588	cmd.exe	39
PID 1588 wrote to memory of 1004	1588	cmd.exe	39

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CC63.tmp\sso.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "ravmond.exe"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2688
- - C:\Windows\ime\svcdbpk.exe
    C:\Windows\ime\svcdbpk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CC63.tmp\sso.bat

Filesize
1KB

MD5
87ec8415dca590be1f38a046c1712670

SHA1
1f7e1d8402a896172e166bd140bc2244df3e8dc1

SHA256
7da9f7ec467b93e536f419b762557f04c50f8b830adcc55d407c4832744f376e

SHA512
104cb0980f2f3b7a8b36822326b9fb2e14d4e5e4adfeff12566592c114eae9955ab8f5a498e83f9e212365cf77e6cc0c1d299f8a83dcf5cf63f7e14439a2ca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\tb.dat

Filesize
11.1MB

MD5
4eeebb7a457402fa4e3da437e7dc11ac

SHA1
de2fcf2f02efef6685f7368bb6cd059692ad6699

SHA256
d0f3cebf6b7426cce099f8740ef7579f8c0f4b06eb57c07f973ddc661bdd1edd

SHA512
9c6b96f7dce339589633dd34e2b2a82e867c6a639916fbd55f45261a7692d0660fdf630d0f6408550ccdaa7decd55726602f97667ee1e6fa45d92ebc3a8016b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\win.bat

Filesize
1KB

MD5
c48370acb2152b96f50eed42c5e0339b

SHA1
649f98316924a75adc4167df424946d34cd0db19

SHA256
b26417db14dc4acf04e19cbb0fddb22a2b5c427c7a5e586878cd1d1a746678dc

SHA512
2f9c966aca621018d039f030f0d5e147d43ed72c0fffa1586d2400f2baf0019201dd2fc5eead557694387f8ae42b9a3820c188120a4db2161d9485e8d7290219

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\woti.dat

Filesize
10.2MB

MD5
31a8380816d9b69417d17348db759438

SHA1
3caf2fc34c522fb68abfede4af7ae37999079e2e

SHA256
54b86229b3733c64de88e338a00b2a37db1e1d26ea7696a2cab94c2627ceca14

SHA512
753a193ce06633223a7f01b12976f7fe7b943e2a282674da27c88c66af9d9cf6e358531dd197047fb93f2c6337d5215a1f7419cdbed2086b8ba5e12b09411b54

Download Submit
C:\Windows\IME\de-DE\msadotb.htm

Filesize
443B

MD5
394f21b8b73546aa3346878f6e894d09

SHA1
537d99a43b51f7c198c1764ed7a9968658fb13b5

SHA256
2b4c65c614ac358f866bd91ae65a32e2b058cc9e4c91baebaf2adc1016e9d2d3

SHA512
ae988f7e1f4aef4351fd97fc7c6e8d392b3c9a208486358626b9f17390169a8b508e490d5e948085fa60f0036f68b14b2cde63566d8901229228f2e68447dff0

Download Submit
C:\Windows\IME\de-DE\svcdbpk.ini

Filesize
119B

MD5
8bd3fdee824a587a0e27f55607cc117e

SHA1
700a7aea77fb02f6d388d4e79655365567fca6e7

SHA256
3b042cb33ca74212cf549331cf531eb9c2291262a29a5bc4c15eda106be66f8c

SHA512
25d5eabe61e96ec6da978bd1fd3457ef9bb6606a3c0a2447fce08249c320575d0cf5ba1fa28eb3ee700ba967178b7327656d4ca9de8ed82bbcf24e25503b8a99

Download Submit
C:\Windows\IME\scripts.ini

Filesize
44B

MD5
f1ccc9de1b67d00d55abfea224e65b88

SHA1
403e72f73cf9fec96c9410c6e2a4a0d81e1088e4

SHA256
4895be9dd90dbca6ce8ebe08bb8f4445926e8dc8cf6629fb722e63f6b047216b

SHA512
d871c841a0342342ec5969e1389a964516a31531abc38574f5c46e254886bd4867aa71758ad325b7738b47faf34dfd8f684e06770eb8948e69a04d144d18dc41

Download Submit
memory/1004-117-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1288-7-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/1288-59-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/2688-57-0x0000000074300000-0x0000000074419000-memory.dmp

Filesize
1.1MB

Download
memory/2688-119-0x0000000074300000-0x0000000074419000-memory.dmp

Filesize
1.1MB

Download