d93696fa7d758f55c7f8b9c283ec2dcaeb5c572e932287e43cd8a12b98ebefef

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
Size

14KB
MD5

772cac15ce601e0da72e2a46b75f5c30
SHA1

ec5b3006ef013b618643bb93eab6942d3c140a1e
SHA256

d93696fa7d758f55c7f8b9c283ec2dcaeb5c572e932287e43cd8a12b98ebefef
SHA512

572109b1ca9770bff5777ad0380d1edfbbf53bec032015d270009479f8ed5ac8399cf88525e497f561391b206f8a7def411a2f340cfde2b23dbeacded3ae59ac
SSDEEP

384:3ghZQWvPfJvw3qXs/JsDCmeTWkz/khvb56Cqq:iQePa3p/KCTFz/khv9V

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1220	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bndfxdh = "C:\\Windows\\system32\\bndfxdh.exe"	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fgthe.dll	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fgthe.dll	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hyhhtr.dll	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bndfxdh.cfg	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bndfxdh.dll	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bndfxdh.dll	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hyhhtr.dll	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bndfxdh.exe	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bndfxdh.exe	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
Token: SeDebugPrivilege	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
Token: SeDebugPrivilege	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
Token: SeDebugPrivilege	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1252	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	21
PID 1948 wrote to memory of 1252	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	21
PID 1948 wrote to memory of 108	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	17
PID 1948 wrote to memory of 108	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	17
PID 1948 wrote to memory of 1220	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	31
PID 1948 wrote to memory of 1220	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	31
PID 1948 wrote to memory of 1220	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	31
PID 1948 wrote to memory of 1220	1948	772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe	31

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\772cac15ce601e0da72e2a46b75f5c30_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bndfxdh.dll

Filesize
26KB

MD5
76c247520224a7da51aed20dc4a833d8

SHA1
5e651f100f11a6b7a6683e723c92661f851dbeac

SHA256
4cdfc11ca779a9c9cf2ef3b9247242a9bee99f3d1ce111371d78bd5eb025a2de

SHA512
f7a970b31a6eb5186116907a6bc65bb22fe4a964221a9beaa04b87e77179590c4e62e189c955c9bb497eebf15b6dc9599bb79bb2d6d00213a0f3535d57e2bdcd

Download Submit
memory/1252-11-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1948-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download