Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2024, 00:24
Static task: static1
Behavioral task: behavioral1
  Sample: 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
- Size: 134KB
- MD5: 5e50674fc2ca3eff46bed2e9cc3a11e1
- SHA1: 1c8252cdd0a204cbeb5534c0a3b6dd82716895af
- SHA256: 163aed40fd6bd0f885f3d6201583bdc062044792d2b0ea8c0757ce00a6d4f0e2
- SHA512: 7e2f769583eb45cf16ae41fa61280de2f798594f2710d524b8de047b7445f2c00a1d7bfd81b55e9d9e931cf984cfe8d6ad1d80bf73239ca08a92eba1d81f25ca
- SSDEEP: 1536:jSqyQc5gsfh84Xpuu0rDhaltXkXo8UTaSzrbuip5hVNlwmWhyE1yoQgSE:MtRy4srDEioFaSiip5hVrwXTvS
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
pid | Process
2716 | DocumentsSERVER.EXE
2728 | svchost.exe
2660 | DocumentsSERVER.EXE
Loads dropped DLL (4 IoCs)
pid | Process
1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
2728 | svchost.exe
2728 | svchost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proactive Windows Security Explorer = "C:\\Windows\\svchost.exe" | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proactive Windows Security Explorer = "C:\\Windows\\svchost.exe" | svchost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\A: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | svchost.exe
File opened for modification | C:\autorun.inf | svchost.exe
File created | F:\autorun.inf | svchost.exe
File opened for modification | F:\autorun.inf | svchost.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\winmx\shared\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\winmx\shared\Game.com | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\Game.com | svchost.exe
File created | C:\Program Files (x86)\winmx\shared\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Game.com | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Game.com | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Game.com | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Game.com | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\winmx\shared\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\winmx\shared\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Game.com | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Game.com | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Crack.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\Serial.txt.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Game.com | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Windows Activision.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Game.com | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\My Photo.JPG.exe | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\Windows Activision.exe | svchost.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svchost.exe | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
File opened for modification | C:\Windows\svchost.exe | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2716 | DocumentsSERVER.EXE
2716 | DocumentsSERVER.EXE
2660 | DocumentsSERVER.EXE
2660 | DocumentsSERVER.EXE
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 1916 wrote to memory of 2716 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 31
PID 1916 wrote to memory of 2716 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 31
PID 1916 wrote to memory of 2716 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 31
PID 1916 wrote to memory of 2716 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 31
PID 1916 wrote to memory of 2728 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 32
PID 1916 wrote to memory of 2728 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 32
PID 1916 wrote to memory of 2728 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 32
PID 1916 wrote to memory of 2728 | 1916 | 5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe | 32
PID 2728 wrote to memory of 2660 | 2728 | svchost.exe | 33
PID 2728 wrote to memory of 2660 | 2728 | svchost.exe | 33
PID 2728 wrote to memory of 2660 | 2728 | svchost.exe | 33
PID 2728 wrote to memory of 2660 | 2728 | svchost.exe | 33
PID 2716 wrote to memory of 1360 | 2716 | DocumentsSERVER.EXE | 21
PID 2716 wrote to memory of 1360 | 2716 | DocumentsSERVER.EXE | 21
PID 2716 wrote to memory of 1360 | 2716 | DocumentsSERVER.EXE | 21
PID 2716 wrote to memory of 1360 | 2716 | DocumentsSERVER.EXE | 21
PID 2660 wrote to memory of 1360 | 2660 | DocumentsSERVER.EXE | 21
PID 2660 wrote to memory of 1360 | 2660 | DocumentsSERVER.EXE | 21
PID 2660 wrote to memory of 1360 | 2660 | DocumentsSERVER.EXE | 21
PID 2660 wrote to memory of 1360 | 2660 | DocumentsSERVER.EXE | 21
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1360
  - C:\Users\Admin\AppData\Local\Temp\5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e50674fc2ca3eff46bed2e9cc3a11e1_JaffaCakes118.exe"
    PID: 1916
    Signatures: Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\DocumentsSERVER.EXE
      Command line: "C:\Users\Admin\DocumentsSERVER.EXE"
      PID: 2716
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe"
      PID: 2728
      Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\DocumentsSERVER.EXE
        Command line: "C:\Users\Admin\DocumentsSERVER.EXE"
        PID: 2660
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25B
  MD5: cc06342cb0ace7abe917191cf4d52689
  SHA1: 0b762d77d20896f7721c3592477e6ddbb7b3fa70
  SHA256: deaa10e000c4d758c5cb8e476c3122c0e904c46cfcb50819454e44ed8de8991e
  SHA512: b943f7fe58bc333dd1ababdfea63de0420176e4727d15fac631cf045f6146fb73f2f68e7c6ed446becd25ebe7a353f284e13fdcace11db2d675595d445e7287a
- Filesize: 39B
  MD5: 67235f540ada2c2e6832c1debb5d536c
  SHA1: e5f70c2074623a863b2dc3ef9cd83642d7a2ab6a
  SHA256: 29bd5b90368a01a560a525c156ee07580cd4642e1f71728d04437fa52982d1cd
  SHA512: e5aab95437ca53a294eb10aa901b3be6683552b0365ff20ffbd1faa325095aea59e5c92d2c8b8a1a3558f2eb13dcb9d6fbf448d962de25d374d89b191d9faeea
- Filesize: 134KB
  MD5: 5e50674fc2ca3eff46bed2e9cc3a11e1
  SHA1: 1c8252cdd0a204cbeb5534c0a3b6dd82716895af
  SHA256: 163aed40fd6bd0f885f3d6201583bdc062044792d2b0ea8c0757ce00a6d4f0e2
  SHA512: 7e2f769583eb45cf16ae41fa61280de2f798594f2710d524b8de047b7445f2c00a1d7bfd81b55e9d9e931cf984cfe8d6ad1d80bf73239ca08a92eba1d81f25ca
- Filesize: 33KB
  MD5: 6500980b9874022352f7a11c3b45ea4c
  SHA1: 1ff410ae32eed7af834f11c9901a03bdbafe93b2
  SHA256: daecb4df367c14fd5ed31dd5db8aa33c3969ca9e4af6fe4da1826e2a8864ef02
  SHA512: 432fad3e75c1a01033d8e311cc4d275c5a041cb7350d1f5fd28c4a8240b290b089ef377f117f9aa1979515db001c161ab76c389c0be7fe7ce381e80945e48a59