414e4d39e56b8cb4b199df340bea53bc3f220e25a7627e723a1f0a974a0858d2

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe
Size

6.8MB
MD5

647cd4b2c8ea1693bea9efb6b1a575e8
SHA1

0115273d2fac09ab3612d9f130f9b6ec0c86b5f9
SHA256

414e4d39e56b8cb4b199df340bea53bc3f220e25a7627e723a1f0a974a0858d2
SHA512

6828c8a58da6625783ba10609a710e6efa4aac8174e986c846e461a9740e9ce01be64f2a5783e2e77d9c60b3c07376ff666cb13ee8bd81c5dd7708e04a3689fe
SSDEEP

98304:OwMLUXzJzBQAfT7JVfmyfg5Q+4a/RsvtrkijMb/L3SZq0P1EY4pGFXNBnI/xCrCe:OwMLUj0KVk+EOrkiAjTsP1jeMo/xoNbt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
676	bm_installer.exe

Loads dropped DLL 5 IoCs

pid	Process
2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe
676	bm_installer.exe
676	bm_installer.exe
676	bm_installer.exe
676	bm_installer.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD\CurrentVersion\Info	bm_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
2760	taskkill.exe
2692	taskkill.exe
2840	taskkill.exe
2696	taskkill.exe
2572	taskkill.exe
2196	taskkill.exe
2640	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\bm_installer.exe\IsHostApp	bm_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe\IsHostApp	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\bm_installer.exe	bm_installer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe
676	bm_installer.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 2084 wrote to memory of 676	2084	647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe	30
PID 676 wrote to memory of 2640	676	bm_installer.exe	31
PID 676 wrote to memory of 2640	676	bm_installer.exe	31
PID 676 wrote to memory of 2640	676	bm_installer.exe	31
PID 676 wrote to memory of 2640	676	bm_installer.exe	31
PID 676 wrote to memory of 2760	676	bm_installer.exe	34
PID 676 wrote to memory of 2760	676	bm_installer.exe	34
PID 676 wrote to memory of 2760	676	bm_installer.exe	34
PID 676 wrote to memory of 2760	676	bm_installer.exe	34
PID 676 wrote to memory of 2692	676	bm_installer.exe	36
PID 676 wrote to memory of 2692	676	bm_installer.exe	36
PID 676 wrote to memory of 2692	676	bm_installer.exe	36
PID 676 wrote to memory of 2692	676	bm_installer.exe	36
PID 676 wrote to memory of 2840	676	bm_installer.exe	38
PID 676 wrote to memory of 2840	676	bm_installer.exe	38
PID 676 wrote to memory of 2840	676	bm_installer.exe	38
PID 676 wrote to memory of 2840	676	bm_installer.exe	38
PID 676 wrote to memory of 2696	676	bm_installer.exe	40
PID 676 wrote to memory of 2696	676	bm_installer.exe	40
PID 676 wrote to memory of 2696	676	bm_installer.exe	40
PID 676 wrote to memory of 2696	676	bm_installer.exe	40
PID 676 wrote to memory of 2572	676	bm_installer.exe	42
PID 676 wrote to memory of 2572	676	bm_installer.exe	42
PID 676 wrote to memory of 2572	676	bm_installer.exe	42
PID 676 wrote to memory of 2572	676	bm_installer.exe	42
PID 676 wrote to memory of 2196	676	bm_installer.exe	44
PID 676 wrote to memory of 2196	676	bm_installer.exe	44
PID 676 wrote to memory of 2196	676	bm_installer.exe	44
PID 676 wrote to memory of 2196	676	bm_installer.exe	44

C:\Users\Admin\AppData\Local\Temp\647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\647cd4b2c8ea1693bea9efb6b1a575e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\mia3F7.tmp\bm_installer.exe
  .\bm_installer.exe /m="C:\Users\Admin\AppData\Local\Temp\647CD4~1.EXE" /k=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM RegistryBooster.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM registrybooster.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM rbmoniter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM rbnotifier.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM move_serial.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM rb_move_serial.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM rb_track_install.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mia1\index.GERMAN.htm

Filesize
71KB

MD5
912ccf18969b197e9663ed8c908bc492

SHA1
dec7da7ca2501ce373b6e2de1c0026b8aa5968ec

SHA256
e4149a692acb906b79c32f76b73b03dfb0dd5e1a56b2d9846cdb844a1ece78bf

SHA512
87f5073cbe2c05c958224318e00ca4d8550c0d24fc33e7108d4b45b18cf054cdd1051554d25f34c0a396af5afe4da655d12e329dbc9b6bfa257cab83375364d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\index.SWEDISH.htm

Filesize
72KB

MD5
37b76d89e35c395047bd8123dac7b1c5

SHA1
bf7bf8f12012eef4cf0b686b68945e2b38a26c4c

SHA256
a4858ae91a727f86e876412ef83460198492fd0f134ce7bf3a9160ae6dd47144

SHA512
e939c44059e9bb32e05b46558312d25cec70feefda14065e1a9070f62dd2b29768097d6a3aae5831ff15f8b0691710320cd8209571d32dc446a277e46c0db9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\mEXEFunc.dll

Filesize
99KB

MD5
f184be47ff281b17d8ac5c702f4ca896

SHA1
10176dc5f11ba3b46380e49036381e86998b2d8b

SHA256
d2446d97172a0199ddc532d901b1a814b2b55f3b243998d2725754610b975312

SHA512
71c679199a28ba4067fe425a606d505ff40bb0ae79043b81c32ec05247ce134f8ac1803f2661da73feea6f23a60bac9e14385297074a6cdfa4bad823bd7d1e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\shared.translations.Original

Filesize
4KB

MD5
3eda1e97adba23520aebf6189c6d0b8a

SHA1
52c6981db2a41eea964432ece420498a72c78492

SHA256
6bb90d8284af796db4866d3bc73ff768ff29225a269366c53f47a3173170d6b2

SHA512
f6eea09213059b0576e1f9e38d650e5b2e375c7d2785056456faa2def9ef18a377ba7760732a2cf73893c7a9601b31814e9ae85f09ff2661c8386ed831478c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\translations.Original

Filesize
7KB

MD5
fdcab2cce1d5f4260fb8bb69286696f5

SHA1
2a7bf8458cafd81e3f0ee7055304eeca33fa5cd5

SHA256
339a3601b008b2f68c6c8cac432533665d6c4eb57d9f8e9cdd4559404a89ce20

SHA512
bb5c9cd1a9d95685a20b5747a479a4e528ece4107a8c647f61c6d300cfb93f0524c2f0a7fc2e67c28f7d40b00baf76fb36fdcb0cac2add92964302e68abce0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia3F7.tmp\bm_installer.msi

Filesize
306KB

MD5
3ac3650b954f61d3bed74292abd921fd

SHA1
bf15e5444ee3f17c85abe0378fde6ba7c5da7ae3

SHA256
759988e32f3be5048d29e9286a69f439fe7111c19bab00519e6412aa72cd7669

SHA512
ecf6167d16db62322b8e8e542e4b2a99b583be289c33676a4959e5df0392c37a1a5f41dd2284d6b7e0e556c4d57c5f490472966f9287fdac44e8b75c67c24513

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia3F7.tmp\bm_installer.res

Filesize
3.9MB

MD5
8b31ff20f88fd7adacf806f32fd39a8e

SHA1
7f89cde6938f8c4dd7b13d9b505d7ca8d4d99b95

SHA256
3a1db3fb4a023d1408e9253d5e56f1c627be732f8fa2270e3c4bc4d9fa0af9b8

SHA512
979570e28b722952107099fc2fc10d98c4a938e9c7f2fa2355cd9a5a41bb27fe4f27d5978f424024ba1b9b96ff7a9d2e7a8ae020c5e986e44d58abcf0bff6655

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia3F7.tmp\mia.lib

Filesize
567KB

MD5
a29ac46646e481476dbdea27740dac0c

SHA1
f5905f4abbe1e1d1f3eff3c5a4c99b4e638e1b1b

SHA256
317ba3c47b5b317fc607321d9ca6cefb1b590ce81a5fc80cea62b4383ac7473a

SHA512
88f4586ff5649726e105905a068d5767355c8fce63e2e885afc16d15ba15397c53b14ee0a4a47552e93686b2c3c4998d377a90980d0508c0eb0b15a9c6695eb8

Download Submit
\Users\Admin\AppData\Local\Temp\mia1\InstallerExtensions.dll

Filesize
59KB

MD5
b5456d957a67e6415d31d364b7655248

SHA1
32d89a7a9a547d6279f0db0bd16f910614c99e3c

SHA256
539462682f1e57d69f9ecddceab44ffba02ca98427b846a98a1ff2c3cb555500

SHA512
89467d46989ed7ef4695a79b4058fb466c78de3d54a5f1ce8783c23bee313954591fc68ce5f0b7403864b78c30e0af8a27d3497d79b07f29aebcbbc8bd34e18e

Download Submit
\Users\Admin\AppData\Local\Temp\mia3F7.tmp\bm_installer.exe

Filesize
2.9MB

MD5
60046b1a0d5904dc003ce64c5d95b953

SHA1
77b734e10e6cefc5f7283835010f2f7971f9ec1e

SHA256
ae794a0af1c8879a1592ddaefcd5ff8ed0d2823c86cfabfc8d35e92f69800e09

SHA512
6690ba788c54bee9892743d636a9e0f1365279614c58f4a2858c67df4d0dcc4a4523af0a04060ab238d1e44e5ca23c872c7e7b93a5508a9dcb0f9fb03bc77c8c

Download Submit
memory/676-150-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/676-350-0x00000000024C0000-0x00000000024E3000-memory.dmp

Filesize
140KB

Download
memory/676-356-0x0000000003BF0000-0x0000000003C03000-memory.dmp

Filesize
76KB

Download
memory/676-353-0x0000000002560000-0x0000000002583000-memory.dmp

Filesize
140KB

Download
memory/676-359-0x0000000000400000-0x00000000006EA000-memory.dmp

Filesize
2.9MB

Download
memory/676-361-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download