f01b9be16dfd8d2b76ef771e545f190a534895f5806cc38ac65df9bd3b835609

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
Size

167KB
MD5

6764203a576f8d4a3fc0ca96e7f812f3
SHA1

c1f462e21000ff617467c58ba07a41c12734a5c2
SHA256

f01b9be16dfd8d2b76ef771e545f190a534895f5806cc38ac65df9bd3b835609
SHA512

ebc04b801a4c72f2700b89703de693ff1808a69068368976bd3eeea4c0353c7d840b54d33f3a607869370bdf8e2d90563b35df61d1f655af53123acaea355e99
SSDEEP

3072:ad8o1fLGtosAmRRii7syBhTup5fRO1A85XUWiQtoXCc8wAob0U1ZeDVhl2g2rM:ad8oFGKKH7dq2OIpi9S1wAbgQPUg2r

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1704	Recycle.Bin.exe

Loads dropped DLL 2 IoCs

pid	Process
1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1288-2-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1704-12-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1704-22-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1704-14-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1704-13-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Recycle.Bin.exe = "C:\\Recycle.Bin\\Recycle.Bin.exe"	Recycle.Bin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PhishingFilter	Recycle.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	Recycle.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	Recycle.Bin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery	Recycle.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	Recycle.Bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe
1704	Recycle.Bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe
Token: SeDebugPrivilege	1704	Recycle.Bin.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1196	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	21
PID 1288 wrote to memory of 392	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	4
PID 1288 wrote to memory of 432	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	5
PID 1288 wrote to memory of 492	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	7
PID 1288 wrote to memory of 500	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	8
PID 1288 wrote to memory of 600	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	9
PID 1288 wrote to memory of 676	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	10
PID 1288 wrote to memory of 760	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	11
PID 1288 wrote to memory of 804	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	12
PID 1288 wrote to memory of 840	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	13
PID 1288 wrote to memory of 964	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	15
PID 1288 wrote to memory of 272	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	16
PID 1288 wrote to memory of 352	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	17
PID 1288 wrote to memory of 1064	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	18
PID 1288 wrote to memory of 1104	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	19
PID 1288 wrote to memory of 1172	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	20
PID 1288 wrote to memory of 1196	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	21
PID 1288 wrote to memory of 2028	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	23
PID 1288 wrote to memory of 1396	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	24
PID 1288 wrote to memory of 1520	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	25
PID 1288 wrote to memory of 984	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	26
PID 1288 wrote to memory of 2464	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	27
PID 1288 wrote to memory of 1704	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1704	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1704	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1704	1288	6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe	30
PID 1704 wrote to memory of 1196	1704	Recycle.Bin.exe	21
PID 1704 wrote to memory of 392	1704	Recycle.Bin.exe	4
PID 1704 wrote to memory of 432	1704	Recycle.Bin.exe	5
PID 1704 wrote to memory of 492	1704	Recycle.Bin.exe	7
PID 1704 wrote to memory of 500	1704	Recycle.Bin.exe	8
PID 1704 wrote to memory of 600	1704	Recycle.Bin.exe	9
PID 1704 wrote to memory of 676	1704	Recycle.Bin.exe	10
PID 1704 wrote to memory of 760	1704	Recycle.Bin.exe	11
PID 1704 wrote to memory of 804	1704	Recycle.Bin.exe	12
PID 1704 wrote to memory of 840	1704	Recycle.Bin.exe	13
PID 1704 wrote to memory of 964	1704	Recycle.Bin.exe	15
PID 1704 wrote to memory of 272	1704	Recycle.Bin.exe	16
PID 1704 wrote to memory of 352	1704	Recycle.Bin.exe	17
PID 1704 wrote to memory of 1064	1704	Recycle.Bin.exe	18
PID 1704 wrote to memory of 1104	1704	Recycle.Bin.exe	19
PID 1704 wrote to memory of 1172	1704	Recycle.Bin.exe	20
PID 1704 wrote to memory of 1196	1704	Recycle.Bin.exe	21
PID 1704 wrote to memory of 2028	1704	Recycle.Bin.exe	23
PID 1704 wrote to memory of 1396	1704	Recycle.Bin.exe	24
PID 1704 wrote to memory of 1520	1704	Recycle.Bin.exe	25
PID 1704 wrote to memory of 984	1704	Recycle.Bin.exe	26
PID 1704 wrote to memory of 2464	1704	Recycle.Bin.exe	27
PID 1704 wrote to memory of 1288	1704	Recycle.Bin.exe	29
PID 1704 wrote to memory of 1964	1704	Recycle.Bin.exe	31
PID 1704 wrote to memory of 1476	1704	Recycle.Bin.exe	32

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:392
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2028
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1520
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:804
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  2⤵
  PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:840
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:272

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6764203a576f8d4a3fc0ca96e7f812f3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Recycle.Bin\Recycle.Bin.exe
    "C:\Recycle.Bin\Recycle.Bin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:984

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycle.Bin\config.bin

Filesize
17KB

MD5
703faf46bc54abdcde6eec46512c6759

SHA1
f486f1a49d6cdec01a9dddc51f2bc3e588457059

SHA256
a66978e7e0691b6d13ab535bfe675da33ad68aee656350fe76cf81c0bea703df

SHA512
0526961c2480a5b6f3ccd164797a18a062f7f9b1a4250a7c8251a3e36bce8fc95fe1aaaad81202790c4764961a26491546e1f8e9068fc0c9cbd388615a2b7f47

Download Submit
\Recycle.Bin\Recycle.Bin.exe

Filesize
167KB

MD5
6764203a576f8d4a3fc0ca96e7f812f3

SHA1
c1f462e21000ff617467c58ba07a41c12734a5c2

SHA256
f01b9be16dfd8d2b76ef771e545f190a534895f5806cc38ac65df9bd3b835609

SHA512
ebc04b801a4c72f2700b89703de693ff1808a69068368976bd3eeea4c0353c7d840b54d33f3a607869370bdf8e2d90563b35df61d1f655af53123acaea355e99

Download Submit
memory/1196-71-0x000000000BB60000-0x000000000BBB7000-memory.dmp

Filesize
348KB

Download
memory/1196-17-0x000000000BAD0000-0x000000000BB1D000-memory.dmp

Filesize
308KB

Download
memory/1288-0-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1288-1-0x0000000001F10000-0x0000000002000000-memory.dmp

Filesize
960KB

Download
memory/1288-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1704-12-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1704-22-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1704-14-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1704-20-0x0000000001BA0000-0x0000000001BED000-memory.dmp

Filesize
308KB

Download
memory/1704-13-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download