ae6e3c9cf1c29eaecfeb77812a7f157bc87f709efbef44f21d9ecc01e8e4869e

Analysis

max time kernel
132s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
Size

509KB
MD5

687c0c8c5f4a1da320cb904978dc552f
SHA1

aedbeb1d7ac9ea82b8731db5baf008f5f3eaaf9f
SHA256

ae6e3c9cf1c29eaecfeb77812a7f157bc87f709efbef44f21d9ecc01e8e4869e
SHA512

4dfa06de57ccdcbbb8cc65bbeb17e0474a8173bf58197a058795964beeef242584244d81a452a9ed1f2d2e81244d70ddd31162ae3e622095a0746e7d50d281dd
SSDEEP

3072:7+ZvkWp8qX96QfCDpMqrT4GmdVM3bXKCKk3T1a/PTYhA7Jf22QA6Ivv1tH/nSrNF:aZmqt6Qyiy3b6CR10TY8JOArF9S9

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers32\Dark Age of Camelot - Trials of Atlantis Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hitman 2 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 2 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Xenus Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Max Payne 2 - The Fall of Max Payne No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 8.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Quake 4 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\WS_FTP 5.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 3 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness III Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NBA Live 2003 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Need for Speed Underground No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Winamp 3.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Xenus Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.03 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Download Manager 3.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 6.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Splinter Cell No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\NASCAR Racing 2003 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior V No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.00b Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\UT 2003 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness 3 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DOOM 3 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\CloneCD 5.0 Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 3 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness III No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Quake 4 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\RealOne Player 2.0 Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Microangelo 5.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\DOOM 3 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\mIRC 6.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Half-Life II Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Knights of the Temple No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Half-Life Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2004 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 5.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Age of Wonders II - Shadow Magic No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Etherlords II No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief 3 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Kings of War No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Splinter Cell Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Command & Conquer Generals Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 6.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashFXP 1.4 Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief 2 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Serial Generator.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2004 No-Cd Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Macromedia Flash MX 6.x Crack.exe	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 3660	4660	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe	96
PID 4660 wrote to memory of 3660	4660	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe	96
PID 4660 wrote to memory of 3660	4660	687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\687c0c8c5f4a1da320cb904978dc552f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe

Filesize
509KB

MD5
687c0c8c5f4a1da320cb904978dc552f

SHA1
aedbeb1d7ac9ea82b8731db5baf008f5f3eaaf9f

SHA256
ae6e3c9cf1c29eaecfeb77812a7f157bc87f709efbef44f21d9ecc01e8e4869e

SHA512
4dfa06de57ccdcbbb8cc65bbeb17e0474a8173bf58197a058795964beeef242584244d81a452a9ed1f2d2e81244d70ddd31162ae3e622095a0746e7d50d281dd

Download Submit
\??\c:\$$$$$.bat

Filesize
228B

MD5
ace72152dccdb3e4ce7eb47b13530b55

SHA1
56df5a5eab7c1ca8803fcb836f0293b709620a6a

SHA256
cb8d808cd1ce083a42f1410d5f8dbedd8c31a54af7b3ed2a54815f603aa5ce7f

SHA512
5d6f259071865f14e7958ac96549c0c0c70cd665877053970d25b286e2b53bf27e53dd64c1b8ca9ccfc6b3cadda3486379711a8cfb616205e9934afa24901606

Download Submit
memory/4660-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-701-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-821-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads