fd434f3356c0d62c06f6aced1623dc7daac90a8f78b21455f2ef559e1b039410

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
Size

102KB
MD5

8dbf8f1d5aea16a940a6d8d1de03c945
SHA1

f0fdda337b3f9e414ed4b84a8af54c07209ccea5
SHA256

fd434f3356c0d62c06f6aced1623dc7daac90a8f78b21455f2ef559e1b039410
SHA512

0b001aeed21ae2ee2a355bc912c2d0bcf8a709584b08e3fdc41b84332b6311ea4dcf12abfae14237d00ff52f42c65304a14982b74396988898c8edbbd27d36e3
SSDEEP

3072:zftffjmNoxlfP2d67tPmFsp2MdYDluW1Sgs10MtNXFokMDvi:DVfjmNn/6EluW1Psv

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
996	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1856	Logo1_.exe
2620	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
996	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
File created	C:\Windows\Logo1_.exe	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe
1856	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 996	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	29
PID 1092 wrote to memory of 996	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	29
PID 1092 wrote to memory of 996	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	29
PID 1092 wrote to memory of 996	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1856	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	30
PID 1092 wrote to memory of 1856	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	30
PID 1092 wrote to memory of 1856	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	30
PID 1092 wrote to memory of 1856	1092	8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe	30
PID 1856 wrote to memory of 1716	1856	Logo1_.exe	32
PID 1856 wrote to memory of 1716	1856	Logo1_.exe	32
PID 1856 wrote to memory of 1716	1856	Logo1_.exe	32
PID 1856 wrote to memory of 1716	1856	Logo1_.exe	32
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 996 wrote to memory of 2620	996	cmd.exe	33
PID 1716 wrote to memory of 2472	1716	net.exe	35
PID 1716 wrote to memory of 2472	1716	net.exe	35
PID 1716 wrote to memory of 2472	1716	net.exe	35
PID 1716 wrote to memory of 2472	1716	net.exe	35
PID 1856 wrote to memory of 1208	1856	Logo1_.exe	20
PID 1856 wrote to memory of 1208	1856	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9EA0.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      PID:2620
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
93178cd015cbcf907874eb9b42415cf9

SHA1
f159cd61c7da56345dc8019c1125c0d84c7318f6

SHA256
df11c85e6a4a66f5d5c8a7c06b24be3111d5f7f6840366974b2fba7caada27f1

SHA512
71c8a7c267f06571fe4a973d26dcb3f251070956d5981ecde8e8557aa8e10549f46fc17449c8ad9eae2a534c1f0fc686d79bf325344e484129ca313e77e3bfa1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9EA0.bat

Filesize
614B

MD5
6373f817c66a6b22c172b1f336c55c79

SHA1
f941b52ed2ef8504b66dfa6f07baad5a16bab647

SHA256
86aa4a7ece8f6b15c1f1c9a691a97c687b98151a874514eb27771fd6bee4bf28

SHA512
ffeecb3c137e98d58f881ef95397aa28581dd77ec68baac971c52dffeb2a8721fae1ea5b2f9db1f874737bfe0438b5c390be1d17c726b25955a9fc53e6514511

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dbf8f1d5aea16a940a6d8d1de03c945_JaffaCakes118.exe.exe

Filesize
76KB

MD5
ab74aa8defc1ca82759788a55b673629

SHA1
64eaa5f6cc51635124674c4439ac34f7dd46bc13

SHA256
f6888f5a134294c2ed1be85357f1a7bf2eee9653251aa63271bb6e570caffc6a

SHA512
b54507a8d5086eb293bdc452b131cab1e5f3d9c92429b5d22ed82ff14386038eb903d1babdea95c16134771906329f40fcfbf3aad4b7fccddd0a417b147718b3

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
5d629e10931355c7c3664661f02486b8

SHA1
4ee30faf056a32b6f83fa902f7b68d9ffd9c0de1

SHA256
5ef46780ddef96df9b110efb96209c85b898b54584af78bacd6986c5c5be15ab

SHA512
98a82ec1dbe3b3ac7b8751334e24a9952b30b5672d7c767116fbd0bf5728ee70eb6fab73ac9ae0c1b66bf537f03a37c8354534743102a0b29d8f55032c340bfa

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

Filesize
9B

MD5
1d7eff79e14bea77e992f25202a6decc

SHA1
2481953494e9f17a5d9c8186bac1e89c460da06b

SHA256
0bc3f26881fb44793cd3a989e616ce2b45848152d57eb4a38fd5f06df63f0a9a

SHA512
e9cffe2ce1cc689a1a0c9bee4da9e0ab90625931729257893780b13eb9060ee26bf373c87c0ae33e3fcdc3e8614d415ac00fe57fd7f1fb4908212cc145c8d9ad

Download Submit
memory/1092-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-29-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/1856-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-698-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-1875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-2455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-3335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download