3f4f2cf6a2844efece2286897dd5e8feda908b6377f8d6bb25bd8fac84e13e00

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

708abe50048782def5929bc281362498_JaffaCakes118.exe
Size

77KB
MD5

708abe50048782def5929bc281362498
SHA1

a4bd6a219d317efe3274d84a3f5ea40b84b4ace1
SHA256

3f4f2cf6a2844efece2286897dd5e8feda908b6377f8d6bb25bd8fac84e13e00
SHA512

4e13c6ddfb213486efac01e1c14a1ece20eda2552c0af02a81ce452231d0089bab5c086509593e70c49cbd69d95fe82d8aadce5f8c6817fd8c48c940ad9d427c
SSDEEP

1536:8ujlHwdwzY9FPcVH5P4Zq/Dnr47HrHaL:txm+H5PR/DU7eL

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
1492	Rundll32.exe
2372	Rundll32.exe
2372	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\imppngaa.dll	708abe50048782def5929bc281362498_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ffcrngaa.dll	708abe50048782def5929bc281362498_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RAV\CDriver.sys	Rundll32.exe
File opened for modification	C:\Program Files\RAV\CDriver.Inf	Rundll32.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1636	sc.exe
4164	sc.exe
492	sc.exe
3056	sc.exe
32	sc.exe
792	sc.exe
948	sc.exe
1764	sc.exe
1652	sc.exe
4508	sc.exe
4024	sc.exe
2744	sc.exe
3688	sc.exe
3144	sc.exe
436	sc.exe
3180	sc.exe
1104	sc.exe
4628	sc.exe
2732	sc.exe
2740	sc.exe
2884	sc.exe
684	sc.exe
3840	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	708abe50048782def5929bc281362498_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	Rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1492	Rundll32.exe
1492	Rundll32.exe
1492	Rundll32.exe
1492	Rundll32.exe
1492	Rundll32.exe
1492	Rundll32.exe
2372	Rundll32.exe
2372	Rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	708abe50048782def5929bc281362498_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1492	1520	708abe50048782def5929bc281362498_JaffaCakes118.exe	84
PID 1520 wrote to memory of 1492	1520	708abe50048782def5929bc281362498_JaffaCakes118.exe	84
PID 1520 wrote to memory of 1492	1520	708abe50048782def5929bc281362498_JaffaCakes118.exe	84
PID 1492 wrote to memory of 3180	1492	Rundll32.exe	85
PID 1492 wrote to memory of 3180	1492	Rundll32.exe	85
PID 1492 wrote to memory of 3180	1492	Rundll32.exe	85
PID 1492 wrote to memory of 4628	1492	Rundll32.exe	86
PID 1492 wrote to memory of 4628	1492	Rundll32.exe	86
PID 1492 wrote to memory of 4628	1492	Rundll32.exe	86
PID 1492 wrote to memory of 1104	1492	Rundll32.exe	87
PID 1492 wrote to memory of 1104	1492	Rundll32.exe	87
PID 1492 wrote to memory of 1104	1492	Rundll32.exe	87
PID 1492 wrote to memory of 948	1492	Rundll32.exe	88
PID 1492 wrote to memory of 948	1492	Rundll32.exe	88
PID 1492 wrote to memory of 948	1492	Rundll32.exe	88
PID 1492 wrote to memory of 2732	1492	Rundll32.exe	89
PID 1492 wrote to memory of 2732	1492	Rundll32.exe	89
PID 1492 wrote to memory of 2732	1492	Rundll32.exe	89
PID 1492 wrote to memory of 1636	1492	Rundll32.exe	90
PID 1492 wrote to memory of 1636	1492	Rundll32.exe	90
PID 1492 wrote to memory of 1636	1492	Rundll32.exe	90
PID 1492 wrote to memory of 1764	1492	Rundll32.exe	91
PID 1492 wrote to memory of 1764	1492	Rundll32.exe	91
PID 1492 wrote to memory of 1764	1492	Rundll32.exe	91
PID 1492 wrote to memory of 32	1492	Rundll32.exe	92
PID 1492 wrote to memory of 32	1492	Rundll32.exe	92
PID 1492 wrote to memory of 32	1492	Rundll32.exe	92
PID 1492 wrote to memory of 4024	1492	Rundll32.exe	93
PID 1492 wrote to memory of 4024	1492	Rundll32.exe	93
PID 1492 wrote to memory of 4024	1492	Rundll32.exe	93
PID 1492 wrote to memory of 4508	1492	Rundll32.exe	94
PID 1492 wrote to memory of 4508	1492	Rundll32.exe	94
PID 1492 wrote to memory of 4508	1492	Rundll32.exe	94
PID 1492 wrote to memory of 2740	1492	Rundll32.exe	95
PID 1492 wrote to memory of 2740	1492	Rundll32.exe	95
PID 1492 wrote to memory of 2740	1492	Rundll32.exe	95
PID 1492 wrote to memory of 3056	1492	Rundll32.exe	96
PID 1492 wrote to memory of 3056	1492	Rundll32.exe	96
PID 1492 wrote to memory of 3056	1492	Rundll32.exe	96
PID 1492 wrote to memory of 492	1492	Rundll32.exe	97
PID 1492 wrote to memory of 492	1492	Rundll32.exe	97
PID 1492 wrote to memory of 492	1492	Rundll32.exe	97
PID 1492 wrote to memory of 1652	1492	Rundll32.exe	98
PID 1492 wrote to memory of 1652	1492	Rundll32.exe	98
PID 1492 wrote to memory of 1652	1492	Rundll32.exe	98
PID 1492 wrote to memory of 4164	1492	Rundll32.exe	99
PID 1492 wrote to memory of 4164	1492	Rundll32.exe	99
PID 1492 wrote to memory of 4164	1492	Rundll32.exe	99
PID 1492 wrote to memory of 436	1492	Rundll32.exe	101
PID 1492 wrote to memory of 436	1492	Rundll32.exe	101
PID 1492 wrote to memory of 436	1492	Rundll32.exe	101
PID 1492 wrote to memory of 2744	1492	Rundll32.exe	102
PID 1492 wrote to memory of 2744	1492	Rundll32.exe	102
PID 1492 wrote to memory of 2744	1492	Rundll32.exe	102
PID 1492 wrote to memory of 3840	1492	Rundll32.exe	103
PID 1492 wrote to memory of 3840	1492	Rundll32.exe	103
PID 1492 wrote to memory of 3840	1492	Rundll32.exe	103
PID 1492 wrote to memory of 3144	1492	Rundll32.exe	106
PID 1492 wrote to memory of 3144	1492	Rundll32.exe	106
PID 1492 wrote to memory of 3144	1492	Rundll32.exe	106
PID 1492 wrote to memory of 3688	1492	Rundll32.exe	107
PID 1492 wrote to memory of 3688	1492	Rundll32.exe	107
PID 1492 wrote to memory of 3688	1492	Rundll32.exe	107
PID 1492 wrote to memory of 684	1492	Rundll32.exe	108

C:\Users\Admin\AppData\Local\Temp\708abe50048782def5929bc281362498_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\708abe50048782def5929bc281362498_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\imppngaa.dll Execute
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\sc.exe
    sc stop ZhuDongFangYu
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3180
- - C:\Windows\SysWOW64\sc.exe
    sc delete ZhuDongFangYu
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\sc.exe
    sc stop 360rp
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1104
- - C:\Windows\SysWOW64\sc.exe
    sc delete 360rp
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\sc.exe
    sc stop RsRavMon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2732
- - C:\Windows\SysWOW64\sc.exe
    sc delete RsRavMon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\sc.exe
    sc stop McNASvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1764
- - C:\Windows\SysWOW64\sc.exe
    sc delete McNASvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:32
- - C:\Windows\SysWOW64\sc.exe
    sc stop MpfService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4024
- - C:\Windows\SysWOW64\sc.exe
    sc delete MpfService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Windows\SysWOW64\sc.exe
    sc stop McProxy
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\sc.exe
    sc delete McProxy
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\sc.exe
    sc stop McShield
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:492
- - C:\Windows\SysWOW64\sc.exe
    sc delete McShield
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\sc.exe
    sc stop McODS
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4164
- - C:\Windows\SysWOW64\sc.exe
    sc delete McODS
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:436
- - C:\Windows\SysWOW64\sc.exe
    sc stop mcmscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc delete mcmscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Windows\SysWOW64\sc.exe
    sc stop McSysmon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3144
- - C:\Windows\SysWOW64\sc.exe
    sc delete McSysmon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3688
- - C:\Windows\SysWOW64\sc.exe
    sc stop ekrn
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc delete ekrn
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:792
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\ffcrngaa.dll Execute
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86D3.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\ffcrngaa.dll

Filesize
8KB

MD5
d49e24aaddb6de1d7e04f353197fe210

SHA1
439cd17010d7af7acfdae45e83cea09f338a67dc

SHA256
660bd04c6abdfd1b385abf4a0c79f9eef1007aa2fcd6f7e53b31a3145a062045

SHA512
4079b2afdfd2076ce6931640de70617fc27bcf26d09846de80ff238c312504959a117761f7ccb52ad38914d2392bbac0ac7d3bb8981d55e8d663e00e492a5146

Download Submit
C:\Windows\SysWOW64\imppngaa.dll

Filesize
26KB

MD5
d4e567f4e233ab037c7dc12c924ee5d6

SHA1
c9af7da5c7bae85e248f1f80db5d82dc2f3af6d3

SHA256
e59a90649bf2c03712aa1cf08c93b50a683e05802465672f2f351765e3fd1556

SHA512
ce6e35aa54d428a71746f6a4c38b78273208e0658e1377384c3d5e330c80780dd6770a85dcbf49fc4c08b4f8fbf2933b66b3daa2698c939381ffeb83d9ef2883

Download Submit
memory/1520-6-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1520-43-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download