16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
Size

221KB
MD5

89759ff8befbf5d841e10aab7d60ccb8
SHA1

28d243ecf7f97c31a289f3f998861113b5a9d435
SHA256

16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940
SHA512

3efa3cdc266aae25d72b8c316d25d3ebbea02eb27306d330075b4aa53457608d2c53a25825ece310b8d8568d21fe7b93f0e0e5f73017a7612c3e69ffbf384e66
SSDEEP

3072:bqEH+GiEs2SMylNOjyFbxJr5qojW5SiUSv7q2reaSkJ+naWUnBgq9LIK7FskG8oD:OsehzRFxC5SiVLSa5JGFsZs2JKpW4gw

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1804	QVODSE~1.EXE
3012	Setup8.exe
2324	vsjiwctb.exe

Loads dropped DLL 11 IoCs

pid	Process
2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
1804	QVODSE~1.EXE
2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
3012	Setup8.exe
2860	cmd.exe
2860	cmd.exe
3012	Setup8.exe
3012	Setup8.exe
2324	vsjiwctb.exe
2324	vsjiwctb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	vsjiwctb.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vsjiwctb.exe	QVODSE~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QVODSE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsjiwctb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	QVODSE~1.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3012	Setup8.exe
3012	Setup8.exe
3012	Setup8.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3012	Setup8.exe
3012	Setup8.exe
3012	Setup8.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1804	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 1804 wrote to memory of 2860	1804	QVODSE~1.EXE	31
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2488 wrote to memory of 3012	2488	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2324	2860	cmd.exe	34
PID 2860 wrote to memory of 2324	2860	cmd.exe	34
PID 2860 wrote to memory of 2324	2860	cmd.exe	34
PID 2860 wrote to memory of 2324	2860	cmd.exe	34
PID 2860 wrote to memory of 2324	2860	cmd.exe	34
PID 2860 wrote to memory of 2324	2860	cmd.exe	34
PID 2860 wrote to memory of 2324	2860	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\vsjiwctb.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\vsjiwctb.exe
      C:\Windows\system32\vsjiwctb.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vsjiwctb.exe

Filesize
49KB

MD5
9f8ff0afc4967c39cf43d014acdaac97

SHA1
ef699bc0b7a3d280420c5fdb9f3274c6730d42da

SHA256
cbaee1978832a44c0e8cfef854192f0d507de1e44d9190c9e615ee35be11ab1e

SHA512
41324155f5b87a1c62af8f807578fa598c5de1d54561771663c44ea22d5322e54437881ef0d361d3d939be1e57feb9171f7038ed1d02e484bc838c251116b5bf

Download Submit
\Users\Admin\AppData\Local\Temp\7FCA.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE

Filesize
125KB

MD5
8200d8aa567e728a8b9a303f717f771a

SHA1
a4c3fa13847873e27ca4459cc5db972b6e043468

SHA256
a9ff33fa335035d12169c85a711f8f8875743d88a9c0807f5668028601eba806

SHA512
eab1ad28df174b3750c4747909a1f52dabcd714d05a5665d8058040cda172d1f50dc17379e2da451553f2ee9d1aa5b84003926598c3bba4c8aaf0e15c96851c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe

Filesize
297KB

MD5
e6859c9a14016562fd6b7a4fc2d063f0

SHA1
d103b8185bc56fbc86aa0a110b022d5801552cc0

SHA256
9ab7142e21013ada234c176b57684547e1e55570b5cde694f08f7e497c0e2fb7

SHA512
38c24f9685adcad166e57f1ccc15a45c9267b14f313151ed1ff434633705d7435a73b6a00369c2e9b5c50573d64809111940c59b1ff4ba185e03f92d32fb8868

Download Submit
memory/1804-14-0x0000000000D30000-0x0000000000D52000-memory.dmp

Filesize
136KB

Download
memory/3012-31-0x0000000003BE0000-0x0000000003DE4000-memory.dmp

Filesize
2.0MB

Download
memory/3012-32-0x0000000003BE0000-0x0000000003DE4000-memory.dmp

Filesize
2.0MB

Download