c353b1ec590731d2068bf5e2ec77268660d5d16fdd1cb8fe310373ad2559969f

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe
Size

431KB
MD5

64c42a28e3bb63962e38a0b494ec7a5f
SHA1

8ca283726f013555f4e268e4787457e8b54c7210
SHA256

c353b1ec590731d2068bf5e2ec77268660d5d16fdd1cb8fe310373ad2559969f
SHA512

1f1eaf8aa503d37b6901bca61c02ea675e7bad8ab90c17b89103ed2ed96e0af90d27a2081c9d872ac36b7774f0a35e0acfba42164f2e324110ff1cc07a45f364
SSDEEP

6144:3j7gROf/jwywnqZf3wIW0WkD7sNAOnkRCgt+s8z+l9zwSkoj4zl6Nc7yRzs1H75p:TsROf/jwtnkwI1DINAAkRFl5wSk84lx

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BCADE3-CA74-8734-74D5-77A6BBB04337}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BCADE3-CA74-8734-74D5-77A6BBB04337}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallShield\\wqq160001\\wqq160001.lnk"	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016dec-30.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2780	wuault.dat

Loads dropped DLL 8 IoCs

pid	Process
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d76-18.dat	upx
behavioral1/memory/2780-21-0x0000000013140000-0x0000000013153000-memory.dmp	upx
behavioral1/memory/2780-29-0x0000000013140000-0x0000000013153000-memory.dmp	upx
behavioral1/files/0x0006000000016dec-30.dat	upx
behavioral1/memory/2688-38-0x00000000001C0000-0x00000000001D1000-memory.dmp	upx
behavioral1/memory/2688-50-0x00000000001C0000-0x00000000001D1000-memory.dmp	upx
behavioral1/memory/2728-57-0x00000000001B0000-0x00000000001C1000-memory.dmp	upx
behavioral1/memory/2728-56-0x00000000001B0000-0x00000000001C1000-memory.dmp	upx
behavioral1/memory/2728-55-0x00000000001B0000-0x00000000001C1000-memory.dmp	upx
behavioral1/memory/2688-60-0x00000000001C0000-0x00000000001D1000-memory.dmp	upx
behavioral1/memory/2728-61-0x00000000001B0000-0x00000000001C1000-memory.dmp	upx
behavioral1/memory/2688-78-0x00000000001C0000-0x00000000001D1000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\wuault.dat	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\wuault.dat	wuault.dat
File created	\??\c:\windows\Ãû²á.xls	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe
File opened for modification	\??\c:\windows\Ãû²á.xls	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe
File opened for modification	C:\windows\Ãû²á.xls	EXCEL.EXE
File created	\??\c:\windows\wuault.dat	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wab_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wab_auto_file\shell\open\command\ = "\"%ProgramFiles(x86)%\\Windows Mail\\wab.exe\" /Import \"%1\""	rundll32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2504	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2544	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE
2544	EXCEL.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2544	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2780	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2780	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2780	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2780	1080	64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2780 wrote to memory of 2688	2780	wuault.dat	32
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 2728	2688	rundll32.exe	33
PID 2688 wrote to memory of 280	2688	rundll32.exe	34
PID 2688 wrote to memory of 280	2688	rundll32.exe	34
PID 2688 wrote to memory of 280	2688	rundll32.exe	34
PID 2688 wrote to memory of 280	2688	rundll32.exe	34
PID 280 wrote to memory of 1156	280	cmd.exe	36
PID 280 wrote to memory of 1156	280	cmd.exe	36
PID 280 wrote to memory of 1156	280	cmd.exe	36
PID 280 wrote to memory of 1156	280	cmd.exe	36
PID 280 wrote to memory of 2504	280	cmd.exe	37
PID 280 wrote to memory of 2504	280	cmd.exe	37
PID 280 wrote to memory of 2504	280	cmd.exe	37
PID 280 wrote to memory of 2504	280	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64c42a28e3bb63962e38a0b494ec7a5f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2544
- \??\c:\windows\wuault.dat
  c:\windows\wuault.dat
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\syswow64\rundll32.exe
    C:\Windows\syswow64\rundll32.exe C:\Users\Admin\AppData\Roaming\INSTAL~1\WQQ160~1\wab32res.dll,MainWork c:\windows\wuault.dat
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\syswow64\rundll32.exe
      C:\Windows\syswow64\rundll32.exe C:\Users\Admin\AppData\Roaming\INSTAL~1\WQQ160~1\wab32res.dll,ProtectIt 2688
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2728
  - - C:\Windows\syswow64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\InstallShield\wqq160001\wqq160001.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BCADE3-CA74-8734-74D5-77A6BBB04337}" /f
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\regedit.exe
        
        C:\Windows\Regedit.exe /s "C:\Users\Admin\AppData\Roaming\InstallShield\wqq160001\wqq160001.reg"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Runs .reg file with regedit
        
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\INSTAL~1\WQQ160~1\wab32res.dll

Filesize
12.5MB

MD5
935b25cf22a39543c988e97582de6d5f

SHA1
a860e6d68cf40df0f29c244435ad9a62c34b13b7

SHA256
02693892c2f7a6dbb5480672ca494df013a5c8e26a91330b067070e52fd8a4de

SHA512
70d84f4e406e8fb7eb7f01c93be12e6f3b10713de3db6ef02c02becf565ec7bad139ddee8409844e03a0bec005b5f9a15fadb4a6e18cd55108758895be912f18

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield\wqq160001\wqq160001.bat

Filesize
224B

MD5
25675fdc3497c9f555ef130a810a6d10

SHA1
1c047a9572f0e22ea087fbea33481aee26cdd0a7

SHA256
b905cf31f331c77547e73e9483729184bcb6aaa05422f8611c71af4051dbb72d

SHA512
07212bcbdebadb3bf7da7555ac7d36d6710a582bb18e73f5d7cb7e4c3973226e4180b4d651f74b82516a4e3bccfad4696712d49dc8fa5bd9190d95486d0192ff

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield\wqq160001\wqq160001.reg

Filesize
244B

MD5
7781dcb0d47301c4b355a7767f558006

SHA1
8c21dc64d0d8c2f85b814a5705f949efe6b0a37a

SHA256
13f3ceba0ac24e7cc1d753774e3db5bd2665360c90d931e198fcba9a7ee2d4e7

SHA512
6d7b8de5129f952cbcb96c7ad2a6f783b279701a0c27caff184803cc12287ed01328bdb7dc31e7ff459dc0b46204fdba53748e282950b9cd362e8e136b1b6c0d

Download Submit
C:\Windows\wuault.dat

Filesize
28KB

MD5
0387d922c5026749d75fa239760c4a3c

SHA1
eda340354220363a05d3b220701379144a0e2298

SHA256
1b72ae72ab725e23e6fb968fc14e5836e0cdee8e97feea0a43627ef48327e910

SHA512
41a95951a662e07d8e157d0b002fab40ee531b3a6a0c01a551fc8dfb5351508a37a8f628a4dc4858d1945f94f60a4c57dfba4ed9c035f7e3d9292aa527bcf1fc

Download Submit
C:\windows\Ãû²á.xls

Filesize
23KB

MD5
3ae376b05ad19e80e7b059eb9f080008

SHA1
7efbb91d7f87f68fe24244a3a38edde349d46a7c

SHA256
612cdea77308a9cb53fa897e84a0cb63854004f89fc2c99e853f4dd3d7a42271

SHA512
507c4b60037068a2c166098f6a2ac1bda61715c180bb5a5b8ed98d4be1c39e1ed1b212f77e83cdcc9b58cb2f33a0584ecc9720916534b22446b5a675f1114867

Download Submit
memory/1080-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1080-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2544-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-4-0x000000007295D000-0x0000000072968000-memory.dmp

Filesize
44KB

Download
memory/2544-85-0x000000007295D000-0x0000000072968000-memory.dmp

Filesize
44KB

Download
memory/2544-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-62-0x000000007295D000-0x0000000072968000-memory.dmp

Filesize
44KB

Download
memory/2688-35-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2688-38-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2688-50-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2688-78-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2688-63-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2688-64-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2688-34-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2688-60-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/2688-65-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2688-36-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2728-61-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2728-55-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2728-56-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2728-57-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/2780-29-0x0000000013140000-0x0000000013153000-memory.dmp

Filesize
76KB

Download
memory/2780-21-0x0000000013140000-0x0000000013153000-memory.dmp

Filesize
76KB

Download