d78a3a8487ba2d2edd69261a9c3f7f240cc80280e80037ed0cdb464244d7fdfb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
Size

48KB
MD5

94b34b7231308938091277a347d65ec5
SHA1

00c6057646e4cf049c16346745e9dd91b3945267
SHA256

d78a3a8487ba2d2edd69261a9c3f7f240cc80280e80037ed0cdb464244d7fdfb
SHA512

9ad2d86dc0ae44858002364314af0c15a581d891383dedbdb2f74265146ad206c4ae286d02f7877f2416e20fdcd6886cb2a30ffd24f45bd84c643ddbc738de4e
SSDEEP

768:/9lIR05Et09xadDN0qsbKaocSyQCk4zsHG:/9lh5V5uDCXYHG

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3044	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2348	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2348	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2348	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2348	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	30
PID 2348 wrote to memory of 1952	2348	cmd.exe	32
PID 2348 wrote to memory of 1952	2348	cmd.exe	32
PID 2348 wrote to memory of 1952	2348	cmd.exe	32
PID 2348 wrote to memory of 1952	2348	cmd.exe	32
PID 1952 wrote to memory of 1712	1952	net.exe	33
PID 1952 wrote to memory of 1712	1952	net.exe	33
PID 1952 wrote to memory of 1712	1952	net.exe	33
PID 1952 wrote to memory of 1712	1952	net.exe	33
PID 2348 wrote to memory of 2056	2348	cmd.exe	34
PID 2348 wrote to memory of 2056	2348	cmd.exe	34
PID 2348 wrote to memory of 2056	2348	cmd.exe	34
PID 2348 wrote to memory of 2056	2348	cmd.exe	34
PID 2056 wrote to memory of 1752	2056	net.exe	35
PID 2056 wrote to memory of 1752	2056	net.exe	35
PID 2056 wrote to memory of 1752	2056	net.exe	35
PID 2056 wrote to memory of 1752	2056	net.exe	35
PID 2348 wrote to memory of 2344	2348	cmd.exe	36
PID 2348 wrote to memory of 2344	2348	cmd.exe	36
PID 2348 wrote to memory of 2344	2348	cmd.exe	36
PID 2348 wrote to memory of 2344	2348	cmd.exe	36
PID 2344 wrote to memory of 2744	2344	net.exe	37
PID 2344 wrote to memory of 2744	2344	net.exe	37
PID 2344 wrote to memory of 2744	2344	net.exe	37
PID 2344 wrote to memory of 2744	2344	net.exe	37
PID 2348 wrote to memory of 3044	2348	cmd.exe	38
PID 2348 wrote to memory of 3044	2348	cmd.exe	38
PID 2348 wrote to memory of 3044	2348	cmd.exe	38
PID 2348 wrote to memory of 3044	2348	cmd.exe	38
PID 2348 wrote to memory of 2164	2348	cmd.exe	39
PID 2348 wrote to memory of 2164	2348	cmd.exe	39
PID 2348 wrote to memory of 2164	2348	cmd.exe	39
PID 2348 wrote to memory of 2164	2348	cmd.exe	39
PID 2348 wrote to memory of 2652	2348	cmd.exe	40
PID 2348 wrote to memory of 2652	2348	cmd.exe	40
PID 2348 wrote to memory of 2652	2348	cmd.exe	40
PID 2348 wrote to memory of 2652	2348	cmd.exe	40
PID 2348 wrote to memory of 2224	2348	cmd.exe	41
PID 2348 wrote to memory of 2224	2348	cmd.exe	41
PID 2348 wrote to memory of 2224	2348	cmd.exe	41
PID 2348 wrote to memory of 2224	2348	cmd.exe	41
PID 2484 wrote to memory of 2604	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	43
PID 2484 wrote to memory of 2604	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	43
PID 2484 wrote to memory of 2604	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	43
PID 2484 wrote to memory of 2604	2484	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	43
PID 2604 wrote to memory of 2576	2604	cmd.exe	45
PID 2604 wrote to memory of 2576	2604	cmd.exe	45
PID 2604 wrote to memory of 2576	2604	cmd.exe	45
PID 2604 wrote to memory of 2576	2604	cmd.exe	45
PID 2604 wrote to memory of 2576	2604	cmd.exe	45
PID 2604 wrote to memory of 2576	2604	cmd.exe	45
PID 2604 wrote to memory of 2576	2604	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94b34b7231308938091277a347d65ec5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\sseg.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\net.exe
    net stop "central de seguranτa"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "central de seguranτa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start = disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ocx.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\regsvr32.exe
    Regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\MSINET.OCX
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\1[1].htm

Filesize
8KB

MD5
73e349893791986dcaa2d00900e6c443

SHA1
1ef841cc0895227f22999157a058e54471888dc5

SHA256
a0454849d2ee1369f82c44e820f3980475930a6f1941fc33f099665b63a6b1d2

SHA512
a20a7ff3f18743583aa8b2f15409b63ce7223096263ebcac82f61d68591f92ffc582a7d03c3e14f31c64555d1ebfb80872cae7de92191d4c6ffc750aad8d5747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\ki[1].htm

Filesize
795B

MD5
5d8d79c3cb9af023240b1be6f5057aaa

SHA1
df22980677b134e83d878893f7c7984e0d78a240

SHA256
e8b101a7c7f64aad528cc734513cbeb02243c0af37930dc0f3239749cff184b6

SHA512
66f432b622cee0bcc06cbc0f833de1471ea36c295b4cd93eb848d97e69c2252acd2fc8972db51ea35475a424f4d6cb5001325525fb04f71b8704eb24de1c4008

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSINET.OCX

Filesize
30KB

MD5
6cbf4b38eb961b858e1dc68fdc76a9f6

SHA1
261bcec6bab2ee8da97593ed307a0fbe3d8138cd

SHA256
73b06271b2e2f4792933407867c24adf745d19035cd49f324c10ff6d59592254

SHA512
676a13a83adbf5e705774ff374174fc254b812e2fe4638fd61f285d035b48426b94780081219aaf3f6c75e36453448898775f530b65b30c429bbd91ea5bcf697

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocx.bat

Filesize
79B

MD5
8024b884c962eb4d4173937815862d4a

SHA1
705948046cf10f04d969ba2ebaac0d9ec5890ff4

SHA256
dd7a4118ad940887b5ff318001e1841b994c9c1f83571708b49a9b1290fb9d9f

SHA512
11b3b313c35785ec437b47e422a3ce23ca602f727d784b4f804b9ea876b08eebf97b9dfe6fd4f5540e109e6b082466e8678884f3d886b279e4269bcd9a8ddaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sseg.bat

Filesize
598B

MD5
b632bdffd9eea8a8bdef34fe54422ee2

SHA1
7221ff2239f23b2d25d54202fcfa4e38bdd4203b

SHA256
34f2d00d5de8476b29f033031933967391afd0a882f95bf751614066d870b601

SHA512
4ef975151aad95ee03136eb6be819ad8115350e9e328b13c0fcb774f4e8584b840859ad98a418d34be86ce79965a8e4529cb55a696b37dd007c9c3b6a423ec82

Download Submit