95c00ca08fdf4eed2af33539b5bbfcdd7e3cc5b8b583337af3cac5e06107170e

Analysis

max time kernel
140s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 00:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe
Size

218KB
MD5

a8ed38a33d5aefca04c2e0cc1d7790c2
SHA1

4989cf76e65a676f01cd3631505d885a023fd902
SHA256

95c00ca08fdf4eed2af33539b5bbfcdd7e3cc5b8b583337af3cac5e06107170e
SHA512

bad5b97d258a8c5e13f247ab13b9d2a7a0c1bef934b360f39c46457175d4a16cb187e5726429e2f8292c1dfe92ff66a4615efb1db05fed4dbcc14822b6ab9766
SSDEEP

6144:kSC2aF7P5/5JHCAh3lko9oEpGFV+bYUo4GHi3iKLIYTD:k7LF9/HHZk7EpGo+FKl3

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\npf.sys	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1776	ctflsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1956	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe
1956	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe
1776	ctflsv.exe
1776	ctflsv.exe
1776	ctflsv.exe
1776	ctflsv.exe
1776	ctflsv.exe
1776	ctflsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctflsv.exe"	ctflsv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ctflsv.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctflsv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious behavior: LoadsDriver 13 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	ctflsv.exe
Token: SeRestorePrivilege	2704	rundll32.exe
Token: SeRestorePrivilege	2704	rundll32.exe
Token: SeRestorePrivilege	2704	rundll32.exe
Token: SeRestorePrivilege	2704	rundll32.exe
Token: SeRestorePrivilege	2704	rundll32.exe
Token: SeRestorePrivilege	2704	rundll32.exe
Token: SeRestorePrivilege	2704	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1776	1956	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1776	1956	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1776	1956	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1776	1956	a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe	31
PID 1776 wrote to memory of 540	1776	ctflsv.exe	32
PID 1776 wrote to memory of 540	1776	ctflsv.exe	32
PID 1776 wrote to memory of 540	1776	ctflsv.exe	32
PID 1776 wrote to memory of 540	1776	ctflsv.exe	32
PID 1776 wrote to memory of 2784	1776	ctflsv.exe	33
PID 1776 wrote to memory of 2784	1776	ctflsv.exe	33
PID 1776 wrote to memory of 2784	1776	ctflsv.exe	33
PID 1776 wrote to memory of 2784	1776	ctflsv.exe	33
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2704 wrote to memory of 2768	2704	rundll32.exe	37
PID 2704 wrote to memory of 2768	2704	rundll32.exe	37
PID 2704 wrote to memory of 2768	2704	rundll32.exe	37
PID 2704 wrote to memory of 2768	2704	rundll32.exe	37
PID 2768 wrote to memory of 2976	2768	runonce.exe	38
PID 2768 wrote to memory of 2976	2768	runonce.exe	38
PID 2768 wrote to memory of 2976	2768	runonce.exe	38
PID 2768 wrote to memory of 2976	2768	runonce.exe	38

C:\Users\Admin\AppData\Local\Temp\a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8ed38a33d5aefca04c2e0cc1d7790c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\ctflsv.exe
  C:\Users\Admin\AppData\Local\Temp\ctflsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c _wpcap_.bat
    3⤵
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2976

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_wpcap_.bat

Filesize
160B

MD5
365188a3a0097c5588ef3e4bb899e236

SHA1
bf9b4b7bc0675dad65739b4a3f43d82358e30c88

SHA256
ee93814361a51ba25ff77a9c1d990d210c466ad7de61afec7944287976425f4f

SHA512
351e09f1b0594799f085172eb65f9eed0e587f490d08ed1b8c8dace8bf0aadab74a1ba542ce9e4d368d4236f1057a7b0400ab27f2b4753cdbda4d63af3dfca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf

Filesize
217B

MD5
f25ec42aef4ef70963f01af7d9cffd96

SHA1
e600676c30bdcbb79b5e1dee23a078d9e4756157

SHA256
0f0dc821a78931b644a6a7a805aec8e50b1301ea4a0ae8844503735814ae3074

SHA512
3118a648bc46feacea3a9386bf149aeb6e62dc75dbec5eb8bb3ede69bfb7c665881b2f8fb474e76659a0e86b252b8dc531499bfed9993b78ac3930d12b0c7e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\npf.sys

Filesize
31KB

MD5
d21fee8db254ba762656878168ac1db6

SHA1
a394b1bc33a3c678e4b6b3c55373468e6afa7b28

SHA256
3694aa2145af617c47a7b506bd3d22824659ca3bf1680d220892cac4bd0fc846

SHA512
c6e366be16e5614313c8ec394cbeda11df8cd57726fec2249db5d7d0f4266a38e2bc7873b9ea38e820bdf96e6e14619d9e6f2092dcbed4932389ec89bd0c2204

Download Submit
C:\Users\Admin\AppData\Local\Temp\packet.dll

Filesize
80KB

MD5
ab652dab12afdad853fd59207dd2d68b

SHA1
0969ebf80723c3f5889dc9d9b94872d4b474c89e

SHA256
19c6e6603021586092dcedf5592865cdda5cae1ee1db00343cdd523e399b0d65

SHA512
c5fd05fd866fcf17ec1173a049ea03db01301a3fa9073dfeafb6bc11a56f716eb9385fc1ceec7a80f41c1673aea5ba00dc6f8b6c41883c366a27c2d61ad24e56

Download Submit
\Users\Admin\AppData\Local\Temp\WanPacket.dll

Filesize
60KB

MD5
12aa2da30d1d2889511b4c1d14fb99b9

SHA1
e6d09e7581565d5e83563e23027784348fd188ca

SHA256
3064ea133646c4dbfbe750abbf836492a016b319783bc8166825e0783fd6e462

SHA512
6a732791d1c54098b4b143e03d21ecdd360d1b629d10afc442eeed5e7aae7ad877019f7a1bcf354d9d563f66083fbb9a66b1fde1ab34ac125d188a8f226e9ca0

Download Submit
\Users\Admin\AppData\Local\Temp\ctflsv.exe

Filesize
104KB

MD5
6d22c784a80741385fcc75849195245c

SHA1
4b1218cc4a07bcf0ed770a5bb56c190d9f9ccc90

SHA256
41408eee6109321f11f8680645ebb904b318ececd14fee3dddbd112ef3798c5e

SHA512
5d01e1143543e4f49bf9721cb3278d1dbda928b49e00ff8d2024751c043515057070648c960e1da19c9a6dacadb6847dd65ed3fb8ce439d90f7c3c02d49e9cf4

Download Submit
\Users\Admin\AppData\Local\Temp\h.dll

Filesize
25KB

MD5
d11d56d44d21357e28bcb73c86e6310b

SHA1
aae46c3a41c585d376d5aad138dd26f1633647a4

SHA256
e7755790ecfaa4ba656618d5ae807d373b371e28c19eb13e6501153edc8766b2

SHA512
f2df119aa03bddc101225d8f23940ea083e32c5a498e2ab4de2c6ab675ea9397ca00f5abe01a4ca12046b4379ab6175d91d334c439038815e88e660f0faf1b2f

Download Submit
\Users\Admin\AppData\Local\Temp\npptools.dll

Filesize
53KB

MD5
841007a04750a9acb56dd82095300d15

SHA1
58c1e338bc78a54795a844b559b614004e53d3cb

SHA256
a15c409af481494fa8c3d82ec0dc7c67075a706160cc060bec982e40c060d578

SHA512
dcaeae21ffc2479fc595632a93e082396caea1eb6c4093e24c199a5ee3dd09248dfb5fe11ea200034e2be928b2db09218d9d763428294347ccd63f4cad4c06de

Download Submit
memory/1776-18-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1776-47-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1776-57-0x0000000003DE0000-0x0000000003DE8000-memory.dmp

Filesize
32KB

Download
memory/1776-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-39-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1776-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-19-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1776-53-0x0000000003DE0000-0x0000000003DE8000-memory.dmp

Filesize
32KB

Download
memory/1776-22-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1776-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-44-0x00000000004A0000-0x00000000004B5000-memory.dmp

Filesize
84KB

Download
memory/1776-54-0x0000000003DE0000-0x0000000003DE8000-memory.dmp

Filesize
32KB

Download
memory/1956-12-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1956-55-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1956-37-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1956-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads