79525c2360d5eb5b817a6ae852ab1daeb3de171f1fb04c3f67cc62b0cf78765e

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 08:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Size

2.5MB
MD5

735f2f3c0d78551946debbaae311ac44
SHA1

0fbac06cea353237b488decd7fb172d8a4fdd1e6
SHA256

79525c2360d5eb5b817a6ae852ab1daeb3de171f1fb04c3f67cc62b0cf78765e
SHA512

556f89b7a61acf5226e5cc5845d146aff96d9f9e8ac8c6c7d53846c29d0679f24c5c0d4cf2e5bab70c2de3eb7472e43eec14953140bd8787a3a3f49bb1a84995
SSDEEP

49152:Mr1rcdfkbfLxGETDBIpnsZffVzTSXTkurhjDm8tcGU:UhuMjFVTK6SXTZtmmcGU

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	fservice.exe
1288	services.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	fservice.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	services.exe

Loads dropped DLL 6 IoCs

pid	Process
1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
1288	services.exe
1288	services.exe
2072	fservice.exe
1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
2072	fservice.exe
1288	services.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
File opened for modification	C:\Windows\system\sservice.exe	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
2072	fservice.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe
1288	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1288	services.exe
1288	services.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2072	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2072	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2072	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2072	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	30
PID 2072 wrote to memory of 1288	2072	fservice.exe	31
PID 2072 wrote to memory of 1288	2072	fservice.exe	31
PID 2072 wrote to memory of 1288	2072	fservice.exe	31
PID 2072 wrote to memory of 1288	2072	fservice.exe	31
PID 1288 wrote to memory of 2236	1288	services.exe	32
PID 1288 wrote to memory of 2236	1288	services.exe	32
PID 1288 wrote to memory of 2236	1288	services.exe	32
PID 1288 wrote to memory of 2236	1288	services.exe	32
PID 1288 wrote to memory of 1792	1288	services.exe	33
PID 1288 wrote to memory of 1792	1288	services.exe	33
PID 1288 wrote to memory of 1792	1288	services.exe	33
PID 1288 wrote to memory of 1792	1288	services.exe	33
PID 1940 wrote to memory of 2248	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	36
PID 1940 wrote to memory of 2248	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	36
PID 1940 wrote to memory of 2248	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	36
PID 1940 wrote to memory of 2248	1940	735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe	36
PID 2236 wrote to memory of 2928	2236	NET.exe	38
PID 2236 wrote to memory of 2928	2236	NET.exe	38
PID 2236 wrote to memory of 2928	2236	NET.exe	38
PID 2236 wrote to memory of 2928	2236	NET.exe	38
PID 1792 wrote to memory of 2012	1792	NET.exe	39
PID 1792 wrote to memory of 2012	1792	NET.exe	39
PID 1792 wrote to memory of 2012	1792	NET.exe	39
PID 1792 wrote to memory of 2012	1792	NET.exe	39

C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\735f2f3c0d78551946debbaae311ac44_JaffaCakes118.exe.bat

Filesize
133B

MD5
4d4fb82ea4c84b3b5a20f5004d2058ed

SHA1
deac0a4009c1a69656a0681c2ddfa37b09d3c5ff

SHA256
257efb98c2a600a64d6c0ffcbfb20b3ebaa58e368e2bfe4b1df4818403aba44d

SHA512
e997e7eb615807dac7065049434d637c8000e3acde3d03fe9cec87104b125828c6afc472d77e48fe165c5bb949b6f5c734e8654c8124594da40af97fa191c5d2

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
2.5MB

MD5
735f2f3c0d78551946debbaae311ac44

SHA1
0fbac06cea353237b488decd7fb172d8a4fdd1e6

SHA256
79525c2360d5eb5b817a6ae852ab1daeb3de171f1fb04c3f67cc62b0cf78765e

SHA512
556f89b7a61acf5226e5cc5845d146aff96d9f9e8ac8c6c7d53846c29d0679f24c5c0d4cf2e5bab70c2de3eb7472e43eec14953140bd8787a3a3f49bb1a84995

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
memory/1288-67-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-66-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-76-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-75-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-74-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-73-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-31-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-72-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-71-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-35-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-36-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-37-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-70-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-41-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-55-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-53-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-68-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-65-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-69-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-60-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-61-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-62-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-63-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1288-64-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1940-15-0x0000000005F90000-0x00000000063A7000-memory.dmp

Filesize
4.1MB

Download
memory/1940-57-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1940-0-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1940-1-0x0000000000401000-0x0000000000461000-memory.dmp

Filesize
384KB

Download
memory/1940-8-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1940-14-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/1940-16-0x0000000005F90000-0x00000000063A7000-memory.dmp

Filesize
4.1MB

Download
memory/2072-54-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/2072-28-0x0000000005FA0000-0x00000000063B7000-memory.dmp

Filesize
4.1MB

Download
memory/2072-30-0x0000000005FA0000-0x00000000063B7000-memory.dmp

Filesize
4.1MB

Download
memory/2072-22-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/2072-17-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download