c0e9011943090e77a03d80ffebd3625f4dc494d1d55cf8bbfdae5ef1e020704d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 18:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
Size

1.3MB
MD5

a7b924518fc4c90b2acaaff4755da686
SHA1

20e0785526d132f59d44008e3bbc340e32b5151f
SHA256

c0e9011943090e77a03d80ffebd3625f4dc494d1d55cf8bbfdae5ef1e020704d
SHA512

d77a9275b6bfce0040f2cb11ae146286782441f57e16a9e76969092eb74d15d43fd4185c3782d2dfb6a75a46ff6e0dc3d2bf30328198b939ab4889a9c04f333a
SSDEEP

24576:B/yYcXiJAlYyPlHg+gqVIOaM2enphVR9e1R4u7Uk60haR:FfcSJiflHRDaMH3VRA1W50hY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2044	RESTOR~1.EXE
2756	r2k_wnt.int

Loads dropped DLL 9 IoCs

pid	Process
2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
2044	RESTOR~1.EXE
2044	RESTOR~1.EXE
2044	RESTOR~1.EXE
2044	RESTOR~1.EXE
2044	RESTOR~1.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	r2k_wnt.int
File opened (read-only)	\??\F:	r2k_wnt.int

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\uninstall.exe	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\uninstall.exe	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\eula.txt	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\Restorer2000.hlp	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\Restorer2000.cnt	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\r2k_hdio.vxd	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\Restorer2000.exe	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\r2k_wnt.int	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\eula.txt	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\faq.url	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\Restorer2000.hlp	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\Restorer2000.cnt	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\Restorer2000.exe	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\uninstall.ini	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\r2k_wnt.int	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Restorer2000 Demo\r2k_w9x.int	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\r2k_w9x.int	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\faq.url	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\r2k_hdio.vxd	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
File created	C:\Program Files (x86)\Restorer2000 Demo\_ci_gentee_	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RESTOR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r2k_wnt.int

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	r2k_wnt.int
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	r2k_wnt.int
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	r2k_wnt.int

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	r2k_wnt.int

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int
Token: SeBackupPrivilege	2756	r2k_wnt.int

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	r2k_wnt.int
2756	r2k_wnt.int

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2044	2404	a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31
PID 2044 wrote to memory of 2756	2044	RESTOR~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7b924518fc4c90b2acaaff4755da686_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\PROGRA~2\RESTOR~1\RESTOR~1.EXE
  C:\PROGRA~2\RESTOR~1\RESTOR~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\PROGRA~2\RESTOR~1\r2k_wnt.int
    C:\PROGRA~2\RESTOR~1\r2k_wnt.int
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Restorer2000 Demo\eula.txt

Filesize
3KB

MD5
df37a1e81773374ec190374ba272ce24

SHA1
879fc798fd66c796c2e54378010a6c0b6840e820

SHA256
f45d8793f97334eedfb6306918ee1f6c7c4b5c30bb8586628247bec20dc804e0

SHA512
2002d983e84a2bb5e410e91f85ce65e0c274b8de22198da7a4d50f0a30efbfcfb6d9588f54518ea69995e00611972b12be12bcdca248fa60452d4b58756280fc

Download Submit
C:\temp\r2klogov.bmp

Filesize
57KB

MD5
2a1f2ef36fd5590ec22bb01788b5f0b9

SHA1
2265227be7ca236a6e6524f8fcd13277d8761f86

SHA256
d6c0d070323204ee727a4e6ed346b1273abcbef460872709e633bcbeabe7b41d

SHA512
d8fca0e24625634b32ee69d6940aa3b5d86e3e9cb2dfc422459824f509786a0ec825e475a9f65d24988ed616b8338a755c30b575d286b6835436729b4d8de228

Download Submit
\PROGRA~2\RESTOR~1\r2k_wnt.int

Filesize
1.3MB

MD5
7f810119e4c5b1fa024b9f33caa0b93e

SHA1
7ffec8b4bfd2275e81c0fc35b076c1c19d9b37aa

SHA256
76b6c28dcf9a7572735a8bcf59f048d3a8d2f3048524f6193d2327a79242f950

SHA512
363558f5882e3471dd2534f4aa80d14b9607bec458379c261c0c3acb10e83f29a7f03e67572c4ead95d9a819265e040151173e07835c1baa69b1a3451c87e527

Download Submit
\Program Files (x86)\Restorer2000 Demo\Restorer2000.exe

Filesize
24KB

MD5
bf1ccd6cbd787dee46318c74aae9544d

SHA1
84aa8117a40408166d8694beefe9d726029ea58a

SHA256
57b24832ff9ae9ce65eff2aef74711706008d932d92a814c46333132cbb0e3e8

SHA512
274cc7d65683846f762542721951dc4e7e9723019666a424c863e66cfa851a7e89b33c44b7e6d37c1fe5181f35e05bed48345af9b317b3b3c09ae3fe755e4429

Download Submit
\Program Files (x86)\Restorer2000 Demo\uninstall.exe

Filesize
20KB

MD5
4c765359ad026088738ad16be589f027

SHA1
3a947b1d2636a26a4fb100ffa9a42bab1252c5b0

SHA256
304a1d9a196f2286933897cc7afc8ab52ef37e48abb65ecf792d3c5311a7e017

SHA512
5994e65bfc0543ba02c612c7489fe1da3222f88ef39b8d000da50e342435078abc91b57844284914fc6a7e52386d510538a4492d2556e098ad2e5d23dc965a76

Download Submit
memory/2404-11-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads