d260877865ebd1bba5e3ff96cf6da98dc7fd1e2f2bb915fdcc1c0b5ad79b303d

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Size

241KB
MD5

64e77fea7691cb2b80e910c313d669a7
SHA1

578199a7e14949d7b7365f609075917099fab176
SHA256

d260877865ebd1bba5e3ff96cf6da98dc7fd1e2f2bb915fdcc1c0b5ad79b303d
SHA512

5058ed74b1acdfc987b2b8bd31e641affbbea5ea3b89cbf066d934e20d006d370bfddd2d489ed8a06ccd6bc3dbd51a1af1108529d468f4429873ffca02555c82
SSDEEP

6144:8+NB/XILQ09WilJK4yz57r5Z/xYpIAlVp/eoqzEDJRXL:dr/YNl+Z/xYpxTvqY7

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	Wcheck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}	Wcheck32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components\{90KGSS2W-MHN3-XRNE-I8GX-6VLNEVGS9RRP}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	Wcheck32.exe
2640	Wcheck32.exe

Loads dropped DLL 3 IoCs

pid	Process
2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2720	Wcheck32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral1/files/0x002a000000018b03-14.dat	upx
behavioral1/memory/3012-31-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral1/memory/2720-34-0x0000000002990000-0x0000000002AD5000-memory.dmp	upx
behavioral1/memory/2720-53-0x0000000000400000-0x0000000000545000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y634JqmzeIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F86Fu3icbJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	Wcheck32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y634JqmzeIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F86Fu3icbJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wcheck32.exe"	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Wcheck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Wcheck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 2720 set thread context of 2640	2720	Wcheck32.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2720	Wcheck32.exe
2720	Wcheck32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
2720	Wcheck32.exe
2640	Wcheck32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2704	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	29
PID 2704 wrote to memory of 2720	2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2720	2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2720	2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2720	2704	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2408	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	31
PID 3012 wrote to memory of 2408	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	31
PID 3012 wrote to memory of 2408	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	31
PID 3012 wrote to memory of 2408	3012	64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2640	2720	Wcheck32.exe	33
PID 2720 wrote to memory of 2656	2720	Wcheck32.exe	34
PID 2720 wrote to memory of 2656	2720	Wcheck32.exe	34
PID 2720 wrote to memory of 2656	2720	Wcheck32.exe	34
PID 2720 wrote to memory of 2656	2720	Wcheck32.exe	34

C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\64e77fea7691cb2b80e910c313d669a7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe
    C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe
      "C:\Users\Admin\AppData\Local\Temp\Wcheck32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat" "
      4⤵
      PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat" "
  2⤵
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat

Filesize
217B

MD5
5fde17d4da319a119f808c17428ec4bc

SHA1
d2daf3f16ab9739e8f3683379842039dcfe3ac50

SHA256
05580cf2e2acb47c4f1d5ad80b52891c7fa653f2d4c871672ef2e662b68d8c09

SHA512
fef885038ae696cd955b745a6465fc9ad44479acb8d25436873fbfd48ca7d2dea22076db5b2cfbe4988be61a84abcaf2c293aaebf9e1409c817dfd8619630989

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLpTBL.bat

Filesize
179B

MD5
7ff15068d3a319265d84eb524007c80f

SHA1
b4e4568000fb4aab910832065bc991f05d8d2b5b

SHA256
a7a110d053ae27e4cd7ae0642f0eb41de4fb98d26efe28c19aa9283d614b7a98

SHA512
f98dda2f84cf95b891b71e4d3310c6ac0a7fd63f22d3f5fbf2fb5058d84dd62d3410fb22ddb74fd3f10f3f2ce815d03eb0d15b02f6f079d88390b3f5fab846bc

Download Submit
\Users\Admin\AppData\Local\Temp\Wcheck32.exe

Filesize
241KB

MD5
64e77fea7691cb2b80e910c313d669a7

SHA1
578199a7e14949d7b7365f609075917099fab176

SHA256
d260877865ebd1bba5e3ff96cf6da98dc7fd1e2f2bb915fdcc1c0b5ad79b303d

SHA512
5058ed74b1acdfc987b2b8bd31e641affbbea5ea3b89cbf066d934e20d006d370bfddd2d489ed8a06ccd6bc3dbd51a1af1108529d468f4429873ffca02555c82

Download Submit
memory/2640-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2640-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2704-52-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2704-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2704-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2704-50-0x0000000000420000-0x00000000005A1000-memory.dmp

Filesize
1.5MB

Download
memory/2720-53-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2720-34-0x0000000002990000-0x0000000002AD5000-memory.dmp

Filesize
1.3MB

Download
memory/3012-0-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3012-31-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3012-6-0x0000000002AC0000-0x0000000002C05000-memory.dmp

Filesize
1.3MB

Download