e53987d0184a7bf23f65b912007e1b6377fbc2d4a8ceaae94d9ef583254191db

Analysis

max time kernel
27s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
Size

30KB
MD5

a1a8f1991d36f230365abc97550b746d
SHA1

ba95c4316be2816feb0314d054bfce6b307f5f84
SHA256

e53987d0184a7bf23f65b912007e1b6377fbc2d4a8ceaae94d9ef583254191db
SHA512

5798a13427178438c9c65aacd2bc61e994fe52fc3c4e2eace95d7bcb478d81a15bf547eec83f932fb2f0cc3b99a3045fe1e0ba3001f697458fd3eaf78e587456
SSDEEP

768:iy/2a9hc5gJ1QeerFjCO5uS0f1bIiFqOiByB8:F/2a4UaxR5Z+iB08

Score

10^/10

discovery evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe

Loads dropped DLL 12 IoCs

pid	Process
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
File created	F:\autorun.inf	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpi.dll	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2576	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1840	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2900	taskkill.exe
1684	taskkill.exe
2752	taskkill.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	3036	rundll32.exe
Token: SeDebugPrivilege	3036	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2696	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2696	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2696	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2696	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2684	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2684	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2684	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2684	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2792	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2792	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2792	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2792	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	33
PID 2372 wrote to memory of 2808	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	34
PID 2372 wrote to memory of 2808	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	34
PID 2372 wrote to memory of 2808	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	34
PID 2372 wrote to memory of 2808	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	34
PID 2372 wrote to memory of 2788	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	35
PID 2372 wrote to memory of 2788	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	35
PID 2372 wrote to memory of 2788	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	35
PID 2372 wrote to memory of 2788	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	35
PID 2696 wrote to memory of 2716	2696	cmd.exe	42
PID 2696 wrote to memory of 2716	2696	cmd.exe	42
PID 2696 wrote to memory of 2716	2696	cmd.exe	42
PID 2696 wrote to memory of 2716	2696	cmd.exe	42
PID 2788 wrote to memory of 2900	2788	cmd.exe	43
PID 2788 wrote to memory of 2900	2788	cmd.exe	43
PID 2788 wrote to memory of 2900	2788	cmd.exe	43
PID 2788 wrote to memory of 2900	2788	cmd.exe	43
PID 2684 wrote to memory of 2576	2684	cmd.exe	45
PID 2684 wrote to memory of 2576	2684	cmd.exe	45
PID 2684 wrote to memory of 2576	2684	cmd.exe	45
PID 2684 wrote to memory of 2576	2684	cmd.exe	45
PID 2004 wrote to memory of 2580	2004	cmd.exe	44
PID 2004 wrote to memory of 2580	2004	cmd.exe	44
PID 2004 wrote to memory of 2580	2004	cmd.exe	44
PID 2004 wrote to memory of 2580	2004	cmd.exe	44
PID 2808 wrote to memory of 2752	2808	cmd.exe	46
PID 2808 wrote to memory of 2752	2808	cmd.exe	46
PID 2808 wrote to memory of 2752	2808	cmd.exe	46
PID 2808 wrote to memory of 2752	2808	cmd.exe	46
PID 2792 wrote to memory of 1684	2792	cmd.exe	47
PID 2792 wrote to memory of 1684	2792	cmd.exe	47
PID 2792 wrote to memory of 1684	2792	cmd.exe	47
PID 2792 wrote to memory of 1684	2792	cmd.exe	47
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 3036	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	49
PID 2372 wrote to memory of 1840	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	50
PID 2372 wrote to memory of 1840	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	50
PID 2372 wrote to memory of 1840	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	50
PID 2372 wrote to memory of 1840	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	50
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2004	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2696	2372	a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1a8f1991d36f230365abc97550b746d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows /e /p everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ekrn.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im egui.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im egui.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ScanFrm.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ScanFrm.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe func.dll, droqp
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\func.dll

Filesize
36KB

MD5
691180351c43cee13907dc0235e18b7a

SHA1
60a1dd127fc2f413b66ce6413563d2a4eaf94221

SHA256
886581d8f51d4fbeed2eb42dfc5bd0a86101a3ff6c129adf96e02d466538d79f

SHA512
cae749029d9fd88602d840b126a7c0095d5adfd6b1141f38f49106172e7c38eda4bff9f3640c396c8458a10323df69ce2ee675092691a5915bcfcbb819b6a87e

Download Submit
memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-18-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2372-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2372-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-18-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2372-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-18-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download