0e9ce795d42d12df970d95fa6bfe8cbff9c68eb92c450f1f0379a06f43abb85a

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
Size

1.0MB
MD5

7666f9c021a008dbc0d87c02f4f18b7f
SHA1

7d9bedde73435791583532bd320648fe3520702a
SHA256

0e9ce795d42d12df970d95fa6bfe8cbff9c68eb92c450f1f0379a06f43abb85a
SHA512

4e23d133bc074608efa8706066333ae38c741aa0daab75d8dc14dad0c15b2d18b468bd2e7b7f023fb8acad9a498eb0eaffe858b843b259f22d6b31c102edc733
SSDEEP

24576:f207lu60YcqfAo7xIqF48v11BarajPjAdyhOFzH4UZXgXC75ld1qSVpcqg:f2+03qfAoNzC+11kOjPjAdyhGzfd1qay

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sumpod.sys	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetHomeIDE\Parameters\ServiceDll = "C:\\Windows\\system32\\idecomp.dll"	rundll32.exe

Executes dropped EXE 7 IoCs

pid	Process
1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
744	msfsg.exe
4288	msfsg.exe
1604	msfsg.exe
2916	msfsg.exe
4864	msfsg.exe
1528	dsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
3528	rundll32.exe
2116	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\idecomp.dll	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\hardpol\hardpol.dll	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\hardpol\MyIEData\SysDat.bin	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\pierror.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\NetHome\main.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\hardpol\MyIEData\main.ini	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\idecomp.dll	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\baidu\sumpod-nos.sys	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-IGH65.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-BCC41.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-JBNMJ.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\spass.dll	msfsg.exe
File opened for modification	C:\Program Files (x86)\baidu\newnetgar.dll	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-BII5N.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-D11CH.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-SNOFE.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-OQ1I0.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\passthru.dll	msfsg.exe
File opened for modification	C:\Program Files (x86)\baidu\dsetup.exe	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-RS3QO.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-OABMR.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-FDUJL.tmp	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
3528	rundll32.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	rundll32.exe
Token: SeDebugPrivilege	2116	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
744	msfsg.exe
4288	msfsg.exe
1604	msfsg.exe
2916	msfsg.exe
4864	msfsg.exe
1528	dsetup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1872	4828	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	84
PID 4828 wrote to memory of 1872	4828	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	84
PID 4828 wrote to memory of 1872	4828	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe	84
PID 1872 wrote to memory of 744	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	87
PID 1872 wrote to memory of 744	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	87
PID 1872 wrote to memory of 744	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	87
PID 1872 wrote to memory of 4288	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	88
PID 1872 wrote to memory of 4288	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	88
PID 1872 wrote to memory of 4288	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	88
PID 1872 wrote to memory of 1604	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	90
PID 1872 wrote to memory of 1604	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	90
PID 1872 wrote to memory of 1604	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	90
PID 1872 wrote to memory of 2916	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	91
PID 1872 wrote to memory of 2916	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	91
PID 1872 wrote to memory of 2916	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	91
PID 1872 wrote to memory of 4864	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	92
PID 1872 wrote to memory of 4864	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	92
PID 1872 wrote to memory of 4864	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	92
PID 1872 wrote to memory of 1528	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	93
PID 1872 wrote to memory of 1528	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	93
PID 1872 wrote to memory of 1528	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	93
PID 1872 wrote to memory of 3528	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	94
PID 1872 wrote to memory of 3528	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	94
PID 1872 wrote to memory of 3528	1872	7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp	94

C:\Users\Admin\AppData\Local\Temp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\is-5S7LF.tmp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5S7LF.tmp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp" /SL5="$90048,822235,54272,C:\Users\Admin\AppData\Local\Temp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s passthru.dll -d passthru.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:744
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s dsetup.exe -d dsetup.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4288
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s spass.dll -d spass.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s newnetgar.dll -d newnetgar.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s sumpod-nos.sys -d sumpod-nos.sys
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4864
- - C:\Program Files (x86)\baidu\dsetup.exe
    "C:\Program Files (x86)\baidu\dsetup.exe" install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\rundll32.exe
    "rundll32.exe" C:\Windows\system32\idecomp.dll RundllInstall NetHomeIDE
    3⤵
    - Server Software Component: Terminal Services DLL
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k mysysgroup3 -s NetHomeIDE
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\baidu\SysDat.bin

Filesize
113KB

MD5
3a2588ff6d0810b8cf0c61a55b8981c7

SHA1
cc89caf6e587af4f6701800fce825250c0416bc6

SHA256
21129e5157adf308acc31a7701f2c86c103e78ec6010eb1a10a4f5b065a77584

SHA512
c54038e35a291ca30235286cb6823536f74d6dec48928bd46567e093c7f355f10e2af0c727b4b333162309d4bc09b9081443450c428d40c1b55c2f6e3d4788a1

Download Submit
C:\Program Files (x86)\baidu\dsetup.exe

Filesize
324KB

MD5
2a63e1368788fc7d629a44950cea291b

SHA1
c5f30aa6130c09193b329abaf732d00e760eae35

SHA256
dc12dae0314209c2435008069e18ba4d1a1b73666ad464bf779c72d47e3a55d3

SHA512
bc2df8800f0844fb5879d936f21c6a3d68831714fac4c5805906403cfe2da4143963fad1e3e2ca9b65ad3e5f655bb16fb886ea91003e62f30baedaba4195d411

Download Submit
C:\Program Files (x86)\baidu\msfsg.exe

Filesize
360KB

MD5
31868e5353152084bc594cee28afbf9a

SHA1
3757d11f82d52b5c085049d2ea7fb4cd6d444c1f

SHA256
e8fd382f2d01922d443eb9057f9dcc786143ec399850366f0024a7a3d9f7156b

SHA512
1a871d4f2f7272629d66c456a2a6ef0de4d005759dfb69a8df958dea20bb646d5ddc3845e9374b3dc6780b9a9bdb021440efc465e1e269d83a1cb9ed1e38a57b

Download Submit
C:\Program Files (x86)\baidu\newnetgar.dll

Filesize
308KB

MD5
6bab86a26f1a611d782422bed86b0231

SHA1
5f2ddbbc8e76a7843e1955798acdce4a3f91b132

SHA256
6150826ec788fd2f7663acc8eeb55fd06b4e4726613e62fea6556d5e78da2dd6

SHA512
7b1c6ee9dfb11569d566453aaf25c5ef0bcc6154e2bf4f85bd6fa714d5de70a1e28c81255146d43b36e806e50f14f20a4cdfa844124e816a1d21fd2ab64f1fa1

Download Submit
C:\Program Files (x86)\baidu\passthru.dll

Filesize
35KB

MD5
8f95887cf26fd0dd0c7342076d2a988c

SHA1
dd958e79cb991f535ce83c43457a868cc48d64b9

SHA256
ec2edccad2c7956477bb0fdc420937afa87a271676c2fa112a504198eb6b8a12

SHA512
255d4f4880d8737a7cf3cbe83837cc404afa6577803d1ab1d7330b7d33eb4135a8ddb710f16625a4841501ad141806308ee976ba688cb640ebf5708044e3d44c

Download Submit
C:\Program Files (x86)\baidu\spass.dll

Filesize
652KB

MD5
6ac015e22801bbd345715d426ba9b4d9

SHA1
acee7e900525b34d3e9020a1c032c48246bd0f9c

SHA256
01c631f2cc4ec76540f0a8fd88d762b87d4f4f1787cc71f9fe2ab7717ed04b5f

SHA512
4ea6ed5b2ae40be0fbe751816fa349f44271c24f05e666af7f7e566128002a7464cf3d0ca5ac246cac623e3cf6005acf82c6c5b753c8d4e18f61b23395e173e6

Download Submit
C:\Program Files (x86)\baidu\sumpod-nos.sys

Filesize
13KB

MD5
e3211053199cf632ff8e5a3dee5766f8

SHA1
758e2547f6b34b12b8e0911718792f8d973a6bb6

SHA256
9c04f7fc885fe83cd9bcbfb34b00c925cfa8ad4db89a409c39e04570df55574c

SHA512
091c65965d5cda173e784c3009c1ba54b3e073dae396bef7cfb3783da01edd5438163b9f2649822c2f118c34e7924c78987b7c9dc5da60de7266e391989edbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5S7LF.tmp\7666f9c021a008dbc0d87c02f4f18b7f_JaffaCakes118.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F7S7S.tmp\spass.dll

Filesize
652KB

MD5
edbbbdd96ba8834b70348aba49d38fd9

SHA1
85b287e3b6da7aa143e5f1c02b460e4afcb13679

SHA256
14c6b08ef37b2391075fb3686f5d22a447f7d1e61e5224a9ac7c2dd07182f336

SHA512
d11dc804e78f7562448c1d728ce2e07ebc5dd2b4d72f2d49886d1199dad0c23914ad7171fc3f9f995c7310f4a4f4dfc1f28a36130902d9fb67612cacdd0e7ff8

Download Submit
memory/1872-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1872-86-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4828-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4828-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4828-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download