1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
Size

182KB
MD5

601b85cd6d088bd86d9d21e8f54a2fed
SHA1

8cb4059305ae688fdc02e296f445a02784e01108
SHA256

1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030
SHA512

4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032
SSDEEP

3072:aLbPRzNoP80lMaV5Q93DKAJjjH6bJjtpivAk12Ln/2IeWXE5MV6CWiqD89SfIIUy:+MP80lzLW3DJJP6bJjjoH1o/2lW020CS

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000018b3e-32.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2688	taskimg.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	cmd.exe
2104	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskmrg.exe = "C:\\Windows\\system32\\taskimg.exe"	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\active_url.dll	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskimg.exe	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskimg.exe	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winsys.bat	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\active_url.dll	taskimg.exe
File created	C:\Windows\SysWOW64\active_url.dll	taskimg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2104	2556	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2104	2556	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2104	2556	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2104	2556	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2812	2104	cmd.exe	32
PID 2104 wrote to memory of 2812	2104	cmd.exe	32
PID 2104 wrote to memory of 2812	2104	cmd.exe	32
PID 2104 wrote to memory of 2812	2104	cmd.exe	32
PID 2104 wrote to memory of 2688	2104	cmd.exe	33
PID 2104 wrote to memory of 2688	2104	cmd.exe	33
PID 2104 wrote to memory of 2688	2104	cmd.exe	33
PID 2104 wrote to memory of 2688	2104	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\winsys.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2812
- - C:\Windows\SysWOW64\taskimg.exe
    C:\Windows\system32\taskimg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311A43BB35D90CA31DB0B353DC2084

Filesize
503B

MD5
2ed7ba52dde93dbc327035f6c6c7dbd3

SHA1
e6e98c6c74d0abfe96d630c52740e0817d335c47

SHA256
9dab07e4e900aaa46e1ec20563a6a1bd44911e6e42a15db49295892c797fdf10

SHA512
d161ee2d4718665c36b3b299e089f21908fe6c7b14e87e5b49e139cb73a5c8fbbe294c24b731812f06fa78e641741b06e24e33be2edd0772ff4ecf9180582192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B739B29E00001B3AAE62EC8865A3C7C2

Filesize
504B

MD5
e38d8b1a26aad6db08ae45fd0a90d10a

SHA1
e8e6684dc7d685cd34a40ca129eece51505a0cf6

SHA256
1c1ec960d19541b732b6cc767b7f7cfe66163c83f5e2fc4652dc773b7192ad4a

SHA512
c0cede8e29d942236750b30b9c487566fa310c1dde82d7e5aac6144f82108048fa3991e2277eb4cd23af40cd09b3989ae849d13497971cd0089c6e5874380337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cc656c5d3676eb16f17a07c138e5ddf5

SHA1
c5621f8466800ff969e1e1d62eb105f17b6e0fd8

SHA256
a3ee5706c483d516b84b13e90a767d172768d82670a58b0656d6c3951c44981f

SHA512
ce6090d7f41bf1929b572b839645b36a6256cf1de6df15d868438708036e39dff2bf092988c264086df03973d68c69e411af8d5eab67bf474e1b650a96acf1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9311A43BB35D90CA31DB0B353DC2084

Filesize
548B

MD5
c08fea725f64a3111a6a4e87b550824a

SHA1
84cb3b559ca2b8fb3e52d3abe2f0e8883017a331

SHA256
7156f951ce32dfa16ed5c4a6b6ec7f4749949faa2ecfa90ea6c70cd34a5979e3

SHA512
117240ea4cd96dedae89426776458df21bc544f168e1b7c9a903729f3e547b0f465684fc9ada5ff15432b0480d1c30ccc2e8dc3b146d80e9dd229fcab4f98193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B739B29E00001B3AAE62EC8865A3C7C2

Filesize
550B

MD5
f6b87a978adb8a1eb126dfc004687f04

SHA1
90d1e0b6672ba3dae67f99518ac7ea6f724ecffd

SHA256
3f321229a4c8e166fca385a0036b6920cfaafc4716b2e559c0b53c833738215b

SHA512
fee3f87d0d5729550cef0356f397f055f316abd53cad76100c1808b655f583a7502592a56799a9a7d35f84bb18f6c333cad30c38a4e1b8827fe87c68a353d831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\revisador[1].htm

Filesize
322B

MD5
a62b0493438fd61d0cde8dffc3a8616e

SHA1
07b00bdf8e858c6c3fc06554f6c5fd4955c5ab43

SHA256
9820da6718489adaa1ab2ada6f043af32870a720f7589d6e44252d9a8001d7fc

SHA512
a10c56ed5ab7c372140fb52d245d034d772328dc6649ebe45e86a4cf7c887e39b5d2fc26455a080891d81769d444cf2348e621edc0a07b2cfb482e979d1cbf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6410.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\SysWOW64\active_url.dll

Filesize
34KB

MD5
bf23b8211a7154788bbafcd6bb19c027

SHA1
61cfa125b60203502b95778e2459da3b771acfd2

SHA256
b55b066aa7acddfd4dc39411927ba020afb1e8abe7df56c4aa50d1c841c7cdcc

SHA512
cb41eeae5701c9f28270bb0f979c03619bd31c8a7cd90d985650008578ed50a3407cd9b54abfb419217e018b442d0102d035ade93e301f6d3fc6d48e6a0400c5

Download Submit
C:\Windows\SysWOW64\winsys.bat

Filesize
73B

MD5
cc498e91d17130bb2da47fa2c635f09e

SHA1
e01d7c7a67f50ebb7da552fc27a6555af253f61b

SHA256
709b45ebdc8e80db1d3df44e0335004cc8f43be7482010ee0732ecf923ec172e

SHA512
32cf292949760129a6767ddaeaac2b8595e682903883963c7a9e6da0b9269035f235164fb5cfc61a9e32b74a0beb57b0123ed350679923b4021b1838b8b414ce

Download Submit
\Windows\SysWOW64\taskimg.exe

Filesize
182KB

MD5
601b85cd6d088bd86d9d21e8f54a2fed

SHA1
8cb4059305ae688fdc02e296f445a02784e01108

SHA256
1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030

SHA512
4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032

Download Submit
memory/2556-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2556-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2688-36-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2688-60-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads