Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2024 03:48
Static task: static1
Behavioral task: behavioral1
- Sample: 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
- Size: 399KB
- MD5: 7279c73e1ddf0b32d80580b34d5ec081
- SHA1: 2ea5d905f0b14a278d0ed75845e2d6326cb5626f
- SHA256: 5662579ddb65b97309c00c24a5a989bd2319e74246e589eedc2cb46311c606bb
- SHA512: f5e3d670b6c172ea3396ef6878ee3600757759c7227a95196ae26ac96e545908b9e373d818ee2fd0a27bca4792b0d8e356f686d2df95549335a4315b78eae391
- SSDEEP: 768:/1antS8YzXBWx3A62DQjm3zF/pxP+A02mgjSUnJ:/1YUFrcx3APDo0zFHmqSC
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | csrss.exe

Executes dropped EXE (1 IoC)
pid | Process
2284 | csrss.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\win_cpl = "C:\\windows\\system\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\kernel = "C:\\windows\\system\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winNT = "C:\\windows\\system\\csrss.exe" | csrss.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\windows\system\csrss.exe | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
File opened for modification | C:\windows\system\csrss.exe | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3308 | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
2284 | csrss.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3308 wrote to memory of 2284 | 3308 | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe | 86
PID 3308 wrote to memory of 2284 | 3308 | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe | 86
PID 3308 wrote to memory of 2284 | 3308 | 7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe | 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe"
   PID: 3308
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\windows\system\csrss.exe (child of the process above)
      Command line: \windows\system\csrss.exe
      PID: 2284
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\System32\rundll32.exe
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\7279c73e1ddf0b32d80580b34d5ec081_JaffaCakes118.exe"
   PID: 4180
   - Modifies registry class

1. C:\Windows\System32\rundll32.exe
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\windows\system\csrss.exe"
   PID: 3264
   - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 399KB
- MD5: 7279c73e1ddf0b32d80580b34d5ec081
- SHA1: 2ea5d905f0b14a278d0ed75845e2d6326cb5626f
- SHA256: 5662579ddb65b97309c00c24a5a989bd2319e74246e589eedc2cb46311c606bb
- SHA512: f5e3d670b6c172ea3396ef6878ee3600757759c7227a95196ae26ac96e545908b9e373d818ee2fd0a27bca4792b0d8e356f686d2df95549335a4315b78eae391