cfd8d05748530fe5e056c03f1ecafeb4b0991e0ab7a0b72d181178c05a3f4586

Analysis

max time kernel
94s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Size

196KB
MD5

84a6f218da295960b72e34589f1fe942
SHA1

310fdb763fa8f7801213876b36f83bd445ad8479
SHA256

cfd8d05748530fe5e056c03f1ecafeb4b0991e0ab7a0b72d181178c05a3f4586
SHA512

b0e928437f8f6899ae597936a1f2313809a636aa0cd2246ad20e457807f5c382016cb863d4d2068a25bdd0c8dea0f437e80df494efcfc00d07779761e921db5f
SSDEEP

6144:1o0AWcB3yXobOffM7XEGskP7kzcJ1llipWcInJ:1JoJ1OpW9nJ

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cfilesys\ImagePath = "\"C:\\Windows\\system32\\cfilesys.exe\""	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	ps.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	cmd.exe
2888	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225e-15.dat	upx
behavioral1/memory/2504-20-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2504-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfilesys.exe	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cfilesys.exe	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable Browser Extensions = "yes"	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use FormSuggest = "yes"	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeAuditPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeBackupPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeDebugPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeRestorePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSecurityPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeShutdownPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSystemtimePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeAuditPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeBackupPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeDebugPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeRestorePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSecurityPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeShutdownPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeSystemtimePrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2888	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe	30
PID 376 wrote to memory of 2888	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe	30
PID 376 wrote to memory of 2888	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe	30
PID 376 wrote to memory of 2888	376	84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2504	2888	cmd.exe	32
PID 2888 wrote to memory of 2504	2888	cmd.exe	32
PID 2888 wrote to memory of 2504	2888	cmd.exe	32
PID 2888 wrote to memory of 2504	2888	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ps.bat""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\ps.exe
    "C:\Users\Admin\AppData\Local\Temp\ps.exe"
    3⤵
    - Executes dropped EXE
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ps.bat

Filesize
85B

MD5
420b954d683e2b197d53efeaeba99c06

SHA1
896f9d9e85eab8f75027a6a8efc66985f9c8a315

SHA256
16969306883142174b1190225fb9a580bd31983bce486d90e059b42f0c394038

SHA512
83a58844491130f3668f4c6ffe9cbe416a58acd740f364b99c3bc1dcdba80b1ff60ecbe3aaf8e033f5c3bdfc2a92cd21506caf480914ae48e55c5233fe73951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ps.exe

Filesize
18KB

MD5
b87de8861e17719e856a04de1220afb9

SHA1
eb4b4fa99c3ac75d1f49d555ec7769c4c99a604d

SHA256
9ba9dca3281e2739c2b4858e456a4b6f64c132c33421eae98b0dacbb7de1030a

SHA512
11f12457af35c2e1371a09d36ab7c89db6ef55fb4fd5b808f3af26fa54ddc962001ba03b4e5d60e683be846a9695eb10109a5d59bb08a5532bb757c2cd1d8c5f

Download Submit
memory/376-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2504-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2888-16-0x00000000000C0000-0x00000000000CF000-memory.dmp

Filesize
60KB

Download
memory/2888-19-0x00000000000C0000-0x00000000000CF000-memory.dmp

Filesize
60KB

Download