8422f5ad80515bcb13519814904e19e9d945b524c3f58aa69ce485ab3d5014a9

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 03:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe
Size

118KB
MD5

726459db4aa9b2b0b67932f4ad438567
SHA1

9605f782587daf50ab9adcbcf5db25e9ffce264b
SHA256

8422f5ad80515bcb13519814904e19e9d945b524c3f58aa69ce485ab3d5014a9
SHA512

24914ee350cfd109e8ec38d43be5b687ae5b5f09be28d02ef2403877cf1bda824caa01c1da409d90fe430c217be6bf119a02c6154027927396aa51cf209bf328
SSDEEP

1536:NoTs7VcYy1jEl0C2ocoNc1GKE3g5uGMNT5lZ7aYtmZQRO2WJdLyt0QPMRqQbX76V:OI7VSpElChogGx3qu/NT5liZzytCUb

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hostZ	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
3008	ak93rg5a4gsn.exe
1396	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2660	prockill64.exe
2576	prockill64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1712-17-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ak93rg5a4gsn.exe	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe
File created	C:\Windows\ak93rg5a4gsn.exe.exe	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe
File created	C:\Windows\prockill64.exe	ak93rg5a4gsn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ak93rg5a4gsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2860	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000030f495700fdfda01	ak93rg5a4gsn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ak93rg5a4gsn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000d09293700fdfda01	ak93rg5a4gsn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ak93rg5a4gsn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ak93rg5a4gsn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ak93rg5a4gsn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
2660	prockill64.exe
2660	prockill64.exe
2660	prockill64.exe
2660	prockill64.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2660	prockill64.exe
2660	prockill64.exe
2660	prockill64.exe
2660	prockill64.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
2576	prockill64.exe
2576	prockill64.exe
2576	prockill64.exe
2576	prockill64.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
2660	prockill64.exe
2660	prockill64.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2660	prockill64.exe
2660	prockill64.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
2660	prockill64.exe
2660	prockill64.exe
2576	prockill64.exe
2576	prockill64.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe
2668	ak93rg5a4gsn.exe.exe
2668	ak93rg5a4gsn.exe.exe
1632	ak93rg5a4gsn.exe
1632	ak93rg5a4gsn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe
Token: SeDebugPrivilege	2660	prockill64.exe
Token: SeDebugPrivilege	2576	prockill64.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3008	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	32
PID 1712 wrote to memory of 3008	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	32
PID 1712 wrote to memory of 3008	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	32
PID 1712 wrote to memory of 3008	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	32
PID 1712 wrote to memory of 2860	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	33
PID 1712 wrote to memory of 2860	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	33
PID 1712 wrote to memory of 2860	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	33
PID 1712 wrote to memory of 2860	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	33
PID 1712 wrote to memory of 1396	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	34
PID 1712 wrote to memory of 1396	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	34
PID 1712 wrote to memory of 1396	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	34
PID 1712 wrote to memory of 1396	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	34
PID 1712 wrote to memory of 2380	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	36
PID 1712 wrote to memory of 2380	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	36
PID 1712 wrote to memory of 2380	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	36
PID 1712 wrote to memory of 2380	1712	726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe	36
PID 1632 wrote to memory of 2668	1632	ak93rg5a4gsn.exe	38
PID 1632 wrote to memory of 2668	1632	ak93rg5a4gsn.exe	38
PID 1632 wrote to memory of 2668	1632	ak93rg5a4gsn.exe	38
PID 1632 wrote to memory of 2668	1632	ak93rg5a4gsn.exe	38
PID 1632 wrote to memory of 2660	1632	ak93rg5a4gsn.exe	40
PID 1632 wrote to memory of 2660	1632	ak93rg5a4gsn.exe	40
PID 1632 wrote to memory of 2660	1632	ak93rg5a4gsn.exe	40
PID 1632 wrote to memory of 2660	1632	ak93rg5a4gsn.exe	40
PID 2660 wrote to memory of 2576	2660	prockill64.exe	42
PID 2660 wrote to memory of 2576	2660	prockill64.exe	42
PID 2660 wrote to memory of 2576	2660	prockill64.exe	42

C:\Users\Admin\AppData\Local\Temp\726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\726459db4aa9b2b0b67932f4ad438567_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\ak93rg5a4gsn.exe
  C:\Windows\ak93rg5a4gsn.exe -install
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2860
- C:\Windows\ak93rg5a4gsn.exe
  C:\Windows\ak93rg5a4gsn.exe -start
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ERASE C:\Users\Admin\AppData\Local\Temp\726459~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2380

C:\Windows\ak93rg5a4gsn.exe
C:\Windows\ak93rg5a4gsn.exe -service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\ak93rg5a4gsn.exe.exe
  "C:\Windows\ak93rg5a4gsn.exe.exe" -restore
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Windows\prockill64.exe
  "C:\Windows\prockill64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\prockill64.exe
    C:\Windows\prockill64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ak93rg5a4gsn.exe

Filesize
221KB

MD5
0ff5053d412c4c6cd539ae100cedd0d8

SHA1
3a9953c97e45642f5790139bcf032d81b50e8712

SHA256
7b0972708cfddbf228a69f6af6d7a0a867c69c89a6f66b453c95098b8fc975f9

SHA512
b789d7bd22e94275f90cdd00d2482adf622f94b33ae64682329682daf86dc5a3d2a22ff780d12d7c63927e1eabf9267c38c12437765146cc22101a715f5eea46

Download Submit
C:\Windows\prockill64.exe

Filesize
63KB

MD5
35da1cc096fd4f777a8f6d35a45b6aa2

SHA1
dbdbd62bc326ed4ece06bd38366d4a423db547aa

SHA256
71d3fb4431133f4a480511b787cada73b5b3873e03f37b28f5063c3e61a311e9

SHA512
afe124641664cadeee18c3e857984f37c4968041476285f7b0474d75f93ac98cdd612cdbee233fdd45bda3d7bbfcf276bab21d84dc6a55851a308a2aa538486a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
7249ab0d4a617e8ef83217593aefde05

SHA1
07ed9b290ea3960941a6bc66146ef571e44f43fd

SHA256
cae8ea2740c510bf4c619092e93f9fc07b568031ca77fca1dc43314e8aeb05f7

SHA512
74e97691ec7e71ed91380881706eac4c06df015bbf936bc570fa6e105f25488817662bbe6b13cc60693b2657ab3fa6db725890f44b7fa7257f059095722c01d9

Download Submit
memory/1632-23-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1632-21-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1632-20-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1632-19-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1632-18-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1632-34-0x0000000001060000-0x000000000109B000-memory.dmp

Filesize
236KB

Download
memory/1712-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1712-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2576-37-0x000000013FFB0000-0x000000013FFC5000-memory.dmp

Filesize
84KB

Download
memory/2660-36-0x000000013FFB0000-0x000000013FFC5000-memory.dmp

Filesize
84KB

Download
memory/2668-35-0x00000000010F0000-0x000000000112B000-memory.dmp

Filesize
236KB

Download