3ca70ff1cb99955da2115b5cef743579384f72b1bbee4beff9f2ac9b40abd53d

Analysis

max time kernel
140s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe
Size

1.0MB
MD5

a17d26ccee64a05176c0eb3b38e9caab
SHA1

00e0f1880606928f88c551dda8db78b64f295a03
SHA256

3ca70ff1cb99955da2115b5cef743579384f72b1bbee4beff9f2ac9b40abd53d
SHA512

08f7e7ebe96a77bf853e5dbb6e1829392023895fda09b6150134ba13cd3302dbcda93c6abf5c5b28638d5efd280d16589b41ab461627874484f9445302d3613a
SSDEEP

24576:f20SYlME+yYPBRgbPhrHAFj5Yi0sakj9xpNj+hFgXC75ld1qSVpcq9:f2OMEqPBRYgFGi0sf9Md1qapcq9

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sumpod.sys	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetHomeIDE\Parameters\ServiceDll = "C:\\Windows\\system32\\idecomp.dll"	rundll32.exe

Executes dropped EXE 7 IoCs

pid	Process
2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
1560	msfsg.exe
3096	msfsg.exe
4820	msfsg.exe
8	msfsg.exe
836	msfsg.exe
2468	dsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
388	rundll32.exe
4828	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\idecomp.dll	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File opened for modification	C:\Windows\SysWOW64\idecomp.dll	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\hardpol\hardpol.dll	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\hardpol\MyIEData\SysDat.bin	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Windows\SysWOW64\pierror.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\NetHome\main.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\hardpol\MyIEData\main.ini	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\baidu\newnetgar.dll	msfsg.exe
File opened for modification	C:\Program Files (x86)\baidu\spass.dll	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-NDGUL.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-2OTU5.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-HC7O0.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-HOMH7.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\sumpod-nos.sys	msfsg.exe
File created	C:\Program Files (x86)\baidu\is-KNGUJ.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-C2KEK.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-VEFMK.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-SCHSR.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-GKD6G.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File created	C:\Program Files (x86)\baidu\is-41JI3.tmp	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\baidu\passthru.dll	msfsg.exe
File opened for modification	C:\Program Files (x86)\baidu\dsetup.exe	msfsg.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msfsg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	rundll32.exe
Token: SeDebugPrivilege	4828	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1560	msfsg.exe
3096	msfsg.exe
4820	msfsg.exe
8	msfsg.exe
836	msfsg.exe
2468	dsetup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 2416	3332	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe	84
PID 3332 wrote to memory of 2416	3332	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe	84
PID 3332 wrote to memory of 2416	3332	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe	84
PID 2416 wrote to memory of 1560	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	88
PID 2416 wrote to memory of 1560	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	88
PID 2416 wrote to memory of 1560	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	88
PID 2416 wrote to memory of 3096	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	89
PID 2416 wrote to memory of 3096	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	89
PID 2416 wrote to memory of 3096	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	89
PID 2416 wrote to memory of 4820	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	90
PID 2416 wrote to memory of 4820	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	90
PID 2416 wrote to memory of 4820	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	90
PID 2416 wrote to memory of 8	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	91
PID 2416 wrote to memory of 8	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	91
PID 2416 wrote to memory of 8	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	91
PID 2416 wrote to memory of 836	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	92
PID 2416 wrote to memory of 836	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	92
PID 2416 wrote to memory of 836	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	92
PID 2416 wrote to memory of 2468	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	93
PID 2416 wrote to memory of 2468	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	93
PID 2416 wrote to memory of 2468	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	93
PID 2416 wrote to memory of 388	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	94
PID 2416 wrote to memory of 388	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	94
PID 2416 wrote to memory of 388	2416	a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp	94

C:\Users\Admin\AppData\Local\Temp\a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\is-ENE81.tmp\a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ENE81.tmp\a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp" /SL5="$50244,822559,54272,C:\Users\Admin\AppData\Local\Temp\a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s passthru.dll -d passthru.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1560
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s dsetup.exe -d dsetup.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3096
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s spass.dll -d spass.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4820
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s newnetgar.dll -d newnetgar.dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8
- - C:\Program Files (x86)\baidu\msfsg.exe
    "C:\Program Files (x86)\baidu\msfsg.exe" md5 -s sumpod-nos.sys -d sumpod-nos.sys
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Program Files (x86)\baidu\dsetup.exe
    "C:\Program Files (x86)\baidu\dsetup.exe" install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Windows\SysWOW64\rundll32.exe
    "rundll32.exe" C:\Windows\system32\idecomp.dll RundllInstall NetHomeIDE
    3⤵
    - Server Software Component: Terminal Services DLL
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k mysysgroup3 -s NetHomeIDE
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\baidu\SysDat.bin

Filesize
97KB

MD5
a3ed7d31b2b6a2460126903c5348e3c0

SHA1
0d59172d0302f51e173a6a21e83271cc95710d1f

SHA256
0f34d58f2ed0fb9a91224a007b194a9007b13c2cb5e6fdd942c5888c212e5f92

SHA512
a93badd2b171c90067bd239b12f89babbe5eb570e519ecdab005a9b9edd3d5c365c79a202d66f214c9f8692d4002cad8ecbfd1a8f39505662889bcd5160aa062

Download Submit
C:\Program Files (x86)\baidu\dsetup.exe

Filesize
320KB

MD5
a87ca370e4a3f99bfd0dd4294ecdb885

SHA1
460d8793b38e63734706b454b76bc1f9cbe22e90

SHA256
ccb196c0d51fd3bfd2d3a460454dd2be84045c3c4d685909333ed8494ae23e55

SHA512
4fc99391621dc70396ede5a3adef474dce6910206ed1ae3cb56b5dc2b4e6739f0d56219b6b44a3f5ef106ee2db0c62091b3ccab1b1106cabe3df79e6cfbd0503

Download Submit
C:\Program Files (x86)\baidu\msfsg.exe

Filesize
356KB

MD5
1eb596055e3d297a77513a3f0fef46aa

SHA1
0b63d78f081654afb62dfeaa7e74070a09f85549

SHA256
0027e5bb7331d1ea6e03ed0952663852ab851affe5ef03e6e59ba85f8f5f18e4

SHA512
c6350bdab4a88825ed422f69000f081bc6037aa63c078818998ed856743af94ea9d941d6f69815cd21bd7b06274781df51c293d674f684b1805e9a1229ad339d

Download Submit
C:\Program Files (x86)\baidu\newnetgar.dll

Filesize
308KB

MD5
cb7650ecf5c41d84d079068ff55b097a

SHA1
a5f6e17dd71d4ad479f467f6c91fdd561b8b00a3

SHA256
b500424bd6a8f8ff93bac2e51970430aff19ec02fb9b9dbcc092791d8e2c7209

SHA512
c3547c042e3389e1f302e9505a596e0f5eb16f748a40c023ac62d8923f7d4c25a88e1896ad317825a2a2e40b62ff160eff5ac6d949e1e8875acf3ae69ae2f0e8

Download Submit
C:\Program Files (x86)\baidu\passthru.dll

Filesize
35KB

MD5
8f37c4b2bb2e1d80956bb33b3f416f76

SHA1
e80641d062d8959bf32eaa501cc85e54e30bef50

SHA256
799e26230348f4c1792fd78a04a2b7b5449497fe2211303d1646de3651ab66ce

SHA512
fc86bb25a7799939e467e081ea5ccbcc9bf6dffe16877eca751667f1ad33cdcd4cf9b67f329c24f3f6e20ad768b63edab9fa9e61d979cece9e14a0d82648ba2b

Download Submit
C:\Program Files (x86)\baidu\spass.dll

Filesize
692KB

MD5
6202423d17371e6fec79e75cdc3dae4f

SHA1
51656f909fe053b6cddad9ff5e14f1ded0d05258

SHA256
bd546d04e1f84b276ff52cd444aa6ad1fe38d3f016d29565fadd2b041bd24148

SHA512
c67e3df418090c115e0d821359f2bf3d4fe7708104e2a45a95a49ddea9e8e6ac2c18bf80444d8be13a71071f51887ecc2eceaf354054cf0b667bb6459a98bd62

Download Submit
C:\Program Files (x86)\baidu\sumpod-nos.sys

Filesize
14KB

MD5
ed13f5cc62ae6b5c59a2eacdf726c922

SHA1
f0577a73be63019b10853efc1c50a37450b8c679

SHA256
4d894a184d6730d71f4acd14fa4c9e4a8a5462ea52a06805536f1ea5b425e9b7

SHA512
5861709aa9b5c85af316fdf4db43f9975a6d122a5c5d5511e27a4e3063aa4c6c38ab1000610bf28af8198f5135550fff4cd7d20ea1f4597973f1f960ed4d6d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENE81.tmp\a17d26ccee64a05176c0eb3b38e9caab_JaffaCakes118.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QIEJ1.tmp\spass.dll

Filesize
692KB

MD5
90f580a95cdb0627cf0dd11269875138

SHA1
f1af7f5fa34c2a4185627fd485ee61edf56f63f3

SHA256
b2d405529fada3420923ed4b183fe7f9af66d1ae11264a3ff38a7dd0177015b6

SHA512
d23b96caba5b1299e37d17a0904471fc869cb2aa20c0acf4addd94b8e506324a8e5fce05b1d36d75081ec3131c06015ed0d94db27b6c12f4ebed6f10e75c3c94

Download Submit
memory/2416-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2416-86-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3332-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3332-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3332-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download