Analysis

  • max time kernel: 149s
  • max time network: 131s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/07/2024, 13:39

General

  • Target: 7449db518313590156bc5ee7a353327b_JaffaCakes118.exe
  • Size: 744KB
  • MD5: 7449db518313590156bc5ee7a353327b
  • SHA1: dcb882661c8d968c9a21fd425773fb1e14260d41
  • SHA256: 234d2f8fdeb35d8e73e559f28cb87f69a93074a6c6e8bfa5b97ab444893e228c
  • SHA512: ab882451172c3855a8edbfae1c07af823b24949194ab3e423f6ab3b63ad6d9b509b457d39255ec7d133c2b692e159f9e4cbed449f154eedb8b1569e39339d890
  • SSDEEP: 12288:oJ73bGitBjTwhkSJ3xPpCya20wHr0qWbULe8Jnlb:oDymmxPpVqwHr8bUqGt

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7449db518313590156bc5ee7a353327b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7449db518313590156bc5ee7a353327b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Roaming\Microsoft\f76cc35.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\f76cc35.exe" dmedmedme "C:\Users\Admin\AppData\Local\Temp\7449db518313590156bc5ee7a353327b_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe shimgvw.dll,ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\7449db518313590156bc5ee7a353327b_JaffaCakes118.jpg
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        PID:2340
      • C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\Fonts\winsdk.exe
          "C:\Windows\Fonts\winsdk.exe"
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:760
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\Fonts\shutdown.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1044
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1604
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1884
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:304
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1100
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1096
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1684
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2560
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3056
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2156
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2500
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2716
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1204
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:940
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1304
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1568
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:2496
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2124
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1696
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:540
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:344
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2992
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:1396
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2188
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:872
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:2776
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1508
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1928
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:2664
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2964
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2788
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:2800
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2820
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2532
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:2748
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2660
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1596
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:1592
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2920
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2368
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:1588
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1960
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2276
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:2872
            • C:\Windows\SysWOW64\find.exe
              find /i "winsdk.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2852
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 10
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3000
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2136

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7449db518313590156bc5ee7a353327b_JaffaCakes118.jpg
    Filesize: 81KB
    MD5: 070cf6787aa56fbdaa1b2fd98708c34c
    SHA1: fb662cbd45033e03f65e0f278f44f4206a3c4293
    SHA256: e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f
    SHA512: 93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

  • C:\Users\Admin\AppData\Roaming\Microsoft\f76cc35.exe
    Filesize: 744KB
    MD5: 7449db518313590156bc5ee7a353327b
    SHA1: dcb882661c8d968c9a21fd425773fb1e14260d41
    SHA256: 234d2f8fdeb35d8e73e559f28cb87f69a93074a6c6e8bfa5b97ab444893e228c
    SHA512: ab882451172c3855a8edbfae1c07af823b24949194ab3e423f6ab3b63ad6d9b509b457d39255ec7d133c2b692e159f9e4cbed449f154eedb8b1569e39339d890

  • C:\Windows\Fonts\shutdown.bat
    Filesize: 94B
    MD5: c21bf2e57aef714569dd66ca8193c9db
    SHA1: 653129bc030f88cd3f1be5cc6e14c583ea5bc584
    SHA256: 581b71fb62aa4b126fa348cc28b2eb846d1759054e92e6484ca1cc02a8f370ea
    SHA512: 0d02009ec0f336a66e50bac9bef9ad01a04153766d00bc4c07b21efe90683d4df16875aaa84f8004269221dd75e57bd51a6f772e4a41b5d26d18f9f6e30c2708

  • \Users\Admin\AppData\Local\Temp\yvlD5F5.tmp
    Filesize: 172KB
    MD5: 4f407b29d53e9eb54e22d096fce82aa7
    SHA1: a4ee25b066cac19ff679dd491f5791652bb71185
    SHA256: cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc
    SHA512: 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

  • \Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
    Filesize: 858KB
    MD5: d2bf05e59519088df879d7ab8f30c95c
    SHA1: 11440d9e0c840f8ab6fa91dfc55ce072e1c42b11
    SHA256: 0a4bac084194005003b8161a1e099ecd4c49f3cfff0754f2a94617f2efe07a61
    SHA512: 58e161ad6997b8e6066b149490d05d37bd147568840f812fec4ef908cca8fd64f87d3e28325f06e65f6ce731df8a77b2fed8f4b0e3eeb89714d9411ea20570ff

  • memory/760-84-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/760-93-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/760-85-0x0000000000590000-0x0000000000604000-memory.dmp (Filesize: 464KB)
  • memory/760-67-0x0000000000590000-0x0000000000604000-memory.dmp (Filesize: 464KB)
  • memory/760-102-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/760-75-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/760-66-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/760-45-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/760-63-0x0000000000590000-0x0000000000604000-memory.dmp (Filesize: 464KB)
  • memory/2340-101-0x0000000005DB0000-0x0000000005E24000-memory.dmp (Filesize: 464KB)
  • memory/2340-80-0x0000000005DB0000-0x0000000005E24000-memory.dmp (Filesize: 464KB)
  • memory/2340-34-0x0000000005D20000-0x0000000005D94000-memory.dmp (Filesize: 464KB)
  • memory/2340-62-0x0000000005DB0000-0x0000000005E24000-memory.dmp (Filesize: 464KB)
  • memory/2652-24-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/2652-39-0x00000000056A0000-0x0000000005828000-memory.dmp (Filesize: 1.5MB)
  • memory/2652-48-0x0000000000400000-0x0000000000587200-memory.dmp (Filesize: 1.5MB)
  • memory/2652-49-0x00000000007F0000-0x0000000000864000-memory.dmp (Filesize: 464KB)
  • memory/2652-29-0x00000000007F0000-0x0000000000864000-memory.dmp (Filesize: 464KB)
  • memory/2956-0-0x0000000000400000-0x00000000004FF200-memory.dmp (Filesize: 1020KB)
  • memory/2956-10-0x0000000000400000-0x00000000004FF200-memory.dmp (Filesize: 1020KB)
  • memory/2976-23-0x00000000025C0000-0x0000000002748000-memory.dmp (Filesize: 1.5MB)
  • memory/2976-22-0x0000000000400000-0x00000000004FF200-memory.dmp (Filesize: 1020KB)
  • memory/2976-15-0x00000000024E0000-0x00000000025B7000-memory.dmp (Filesize: 860KB)