2df8a41e607a2d9842f6a18a42f466cc52c5d3977268c0d3f3adc0535cfd635c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
Size

31KB
MD5

96286be9b0e1f4b749c638790bb186cf
SHA1

c500e5b33c787095e513d9d5fc0c5475bcea28c1
SHA256

2df8a41e607a2d9842f6a18a42f466cc52c5d3977268c0d3f3adc0535cfd635c
SHA512

1aa2a115cb85068202414bf15cc5126868abf64db2e9f5a366310bc001a7173a78dd3bfa48b79c7d208d1683ae48dfab674992056455a1b674266a96705e8ef1
SSDEEP

768:3rw0BTBgAO2YNmqrFn6H2L4rXa5duby56JHKZF2M:3rw0NBgA5qp6HFbeBr5

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\B769BB8\ImagePath = "C:\\Windows\\system32\\767557A4.EXE -a"	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3648	767557A4.EXE

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\767557A4.EXE	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	767557A4.EXE
File created	C:\Windows\SysWOW64\del.bat	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\767557A4.EXE	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	767557A4.EXE
File created	C:\Windows\SysWOW64\767557A4.EXE	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	767557A4.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db	767557A4.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	767557A4.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	767557A4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	767557A4.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	767557A4.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 400e0000a98dfef147eeda01	767557A4.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00570069006e0064006f00770073005c00530079007300740065006d003300320000000000	767557A4.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	767557A4.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	767557A4.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 266a6d4ce2b9f2eccbdcb9000d9db894d732ca413ef89b96c915456dc1f9830d	767557A4.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	767557A4.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 6f558d073293028a2ab07c7cda5fd56a0d64c05f263bce70e8cfc59ef38b50f0	767557A4.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	767557A4.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3"	767557A4.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	767557A4.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4824	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
4824	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
3648	767557A4.EXE
3648	767557A4.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4824	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
3648	767557A4.EXE
3648	767557A4.EXE
3648	767557A4.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 5008	4824	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe	96
PID 4824 wrote to memory of 5008	4824	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe	96
PID 4824 wrote to memory of 5008	4824	96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96286be9b0e1f4b749c638790bb186cf_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\del.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008

C:\Windows\SysWOW64\767557A4.EXE
C:\Windows\SysWOW64\767557A4.EXE -a
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\767557A4.EXE

Filesize
31KB

MD5
96286be9b0e1f4b749c638790bb186cf

SHA1
c500e5b33c787095e513d9d5fc0c5475bcea28c1

SHA256
2df8a41e607a2d9842f6a18a42f466cc52c5d3977268c0d3f3adc0535cfd635c

SHA512
1aa2a115cb85068202414bf15cc5126868abf64db2e9f5a366310bc001a7173a78dd3bfa48b79c7d208d1683ae48dfab674992056455a1b674266a96705e8ef1

Download Submit
C:\Windows\SysWOW64\del.bat

Filesize
233B

MD5
7f5d846474a95bbec3bbe044911a9440

SHA1
2515105f00e3c35b86d3d1acd84a5db068ce3a9a

SHA256
62fd6c0f6217dc36ca320dd3652e0936f6565cb403ba14f8423a6911b3993c60

SHA512
e70ab71e6db43f173160b6b078a3f09301b90eb26268fe49087805e02355a2162b53d7e7eda64cb8024668689e46acc7118af639270cbd3ab0b9375b02e8b0b2

Download Submit
memory/3648-7-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3648-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3648-10-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4824-1-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4824-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4824-9-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download