09fc9b30d73f23d7ed2a487226fccdf4888b34cc2af7c0038b970c27dc524336

Analysis

max time kernel
130s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 17:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
Size

14KB
MD5

6872cd40922fbe2ca8128796cd26fe1f
SHA1

eea77739c0a97d0ce00390e9ae69525d651b9092
SHA256

09fc9b30d73f23d7ed2a487226fccdf4888b34cc2af7c0038b970c27dc524336
SHA512

5cb3059587bc6e472e8a8e03c42eb3640f740feb4387f1358f870e4a7f6d4a32d0c645839e24a8d06f91b65b07bb5297fe868ec9acd0160edbc6ebc13b52d6c1
SSDEEP

384:f5+u3Nu52KhQcjhLIqsrPFmvQRHpfT/GiTBfPfLEBhaWg3/j:hNnKCchGdGQJMkdPTE3aWgPj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dpvvoxmh.dll = "{2876D76C-CAAA-4313-AF97-8D1D9A2A1087}"	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dpvvoxmh.tmp	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dpvvoxmh.tmp	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dpvvoxmh.nls	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876D76C-CAAA-4313-AF97-8D1D9A2A1087}\InProcServer32	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876D76C-CAAA-4313-AF97-8D1D9A2A1087}\InProcServer32\ = "C:\\Windows\\SysWow64\\dpvvoxmh.dll"	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876D76C-CAAA-4313-AF97-8D1D9A2A1087}\InProcServer32\ThreadingModel = "Apartment"	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2876D76C-CAAA-4313-AF97-8D1D9A2A1087}	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3232	2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe	98
PID 2324 wrote to memory of 3232	2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe	98
PID 2324 wrote to memory of 3232	2324	6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6872cd40922fbe2ca8128796cd26fe1f_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BA3.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BA3.tmp.bat

Filesize
207B

MD5
ad3d96ef8b8fdcddb925ea98d5a6ca37

SHA1
96114eba305b4a4452e0a5d8898bcc7deb0bf0fa

SHA256
6f30607f32805644c6cbfca250f4e7f92bf2cd4026ad9ebf957a5e20f75b49b5

SHA512
5e720176d8b0ac2f498471c679decb276c3e1f7a9176b4e58ba34d655cf64628fd74f0d8ec0e4e015bff3ee259f2cb497ea418e4ba23c7a390dd97705676a839

Download Submit
C:\Windows\SysWOW64\dpvvoxmh.dll

Filesize
537KB

MD5
581b2f84ef738368fb4e18711483286f

SHA1
f67e6d3bc1f364242cf5b1e57fc6dcb65adcd47f

SHA256
277ff5f10bd4a3ac8845797bcf8ab05ced0444512366d138fdd14121d77446f6

SHA512
0e50f33e46ba6d748419dcfeeec781a6ccc21c075bc1c3aae1e28b87b21ffb054f658d7f343ab30febcabaf398cca4e32c508e193cda69e970e815cc46b1e0c2

Download Submit
memory/2324-9-0x0000000020000000-0x0000000020009000-memory.dmp

Filesize
36KB

Download
memory/2324-13-0x0000000020000000-0x0000000020009000-memory.dmp

Filesize
36KB

Download