6514f528222f2dbb47fdbd054c456816f17ff69e57326919b43309514141b8cd

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
Size

1.7MB
MD5

a9eec084421dd52a1931e8595777cfe9
SHA1

03d34d54aa3ac46e191f0a9352b2123f86ddc342
SHA256

6514f528222f2dbb47fdbd054c456816f17ff69e57326919b43309514141b8cd
SHA512

92bb3a7fce9bb6780898627641ca2953e806e4e984d7147b4052172c16a67059bb165ebf2167fc0e30746ff083293372ab4a85127755f9a57ef0e478a80f6645
SSDEEP

49152:I2ejrKZdvUIgAgAf/ipMk49ZlrJaan+A:HerqVghA3TkOZlt+A

Score

8^/10

defense_evasion discovery evasion

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\NetLogon.exe	pro.exe
File opened for modification	C:\Windows\system32\drivers\etc\NetLogon.exe	pro.exe

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	gho.exe
2308	pro.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	gho.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\鹎섶ӊ㻭鶷髋朔餠﯊꺙픑湶鐁ㅟ崷⤈꿛䔕甮퐾脜霤掿췖Đᓛṯ峮㾥댅榽藼᧳ȁ쭧ݲ匣堁蒇他㼾̉벂☙⊒꥽甒Н⌾㳲䄁󏍶眅Г䞧둪潊췾팉瀝胕괌媘ₕ䄆㓔대ᶓ蔂䖣뽇ⰱ甡솧ń඾ᨑ⏟󩌂ꣶ῿慡ଫ軣쵸怂.exe	gho.exe
File opened for modification	C:\Windows\SysWOW64\鹎섶ӊ㻭鶷髋朔餠﯊꺙픑湶鐁ㅟ崷⤈꿛䔕甮퐾脜霤掿췖Đᓛṯ峮㾥댅榽藼᧳ȁ쭧ݲ匣堁蒇他㼾̉벂☙⊒꥽甒Н⌾㳲䄁󏍶眅Г䞧둪潊췾팉瀝胕괌媘ₕ䄆㓔대ᶓ蔂䖣뽇ⰱ甡솧ń඾ᨑ⏟󩌂ꣶ῿慡ଫ軣쵸怂.exe	gho.exe
File opened for modification	C:\Windows\SysWOW64\鹎섶ӊ㻭鶷髋朔餠﯊꺙픑湶鐁ㅟ崷⤈꿛䔕甮퐾脜霤掿췖Đᓛṯ峮㾥댅榽藼᧳ȁ쭧ݲ匣堁蒇他㼾̉벂☙⊒꥽甒Н⌾㳲䄁󏍶眅Г䞧둪潊췾팉瀝胕괌媘ₕ䄆㓔대ᶓ蔂䖣뽇ⰱ甡솧ń඾ᨑ⏟󩌂ꣶ῿慡ଫ軣쵸怂.dll	gho.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\delete.bat	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
File opened for modification	C:\Windows\pro.exe	pro.exe
File created	C:\Windows\61642520.BAT	pro.exe
File created	C:\Windows\gho.exe	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
File created	C:\Windows\pro.exe	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gho.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
2756	gho.exe
2756	gho.exe
2756	gho.exe
2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	pro.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2264	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2264	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2264	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2264	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	31
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2536 wrote to memory of 2728	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2728	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2728	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2728	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	34
PID 2536 wrote to memory of 340	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	35
PID 2536 wrote to memory of 340	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	35
PID 2536 wrote to memory of 340	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	35
PID 2536 wrote to memory of 340	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	35
PID 2728 wrote to memory of 2308	2728	cmd.exe	38
PID 2728 wrote to memory of 2308	2728	cmd.exe	38
PID 2728 wrote to memory of 2308	2728	cmd.exe	38
PID 2728 wrote to memory of 2308	2728	cmd.exe	38
PID 2536 wrote to memory of 1796	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	39
PID 2536 wrote to memory of 1796	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	39
PID 2536 wrote to memory of 1796	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	39
PID 2536 wrote to memory of 1796	2536	a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe	39
PID 2308 wrote to memory of 2704	2308	pro.exe	41
PID 2308 wrote to memory of 2704	2308	pro.exe	41
PID 2308 wrote to memory of 2704	2308	pro.exe	41
PID 2308 wrote to memory of 2704	2308	pro.exe	41

C:\Users\Admin\AppData\Local\Temp\a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9eec084421dd52a1931e8595777cfe9_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\gho.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\gho.exe
    C:\Windows\gho.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\pro.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\pro.exe
    C:\Windows\pro.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\61642520.BAT
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del C:\Windows\gho.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\delete.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\61642520.BAT

Filesize
86B

MD5
0cd047b28ca4429f0ff97f0e2b1547d6

SHA1
bbdf96884e59d4018abc9614021b26941216f549

SHA256
1d66a9e44469b45f4f7da04ad44c40288d50c3968bbda79a6e09c78009959bee

SHA512
ea8c0144aed4bec60bf5bef13efed1b60b6644e261ab26eeaf96f167137265e622ff9bbda246e263ac4792a3fe666c675024ed54421a7f9418295b59f7668e1f

Download Submit
C:\Windows\delete.bat

Filesize
212B

MD5
021139903f1ddc296ab3342ad5ee98c0

SHA1
54f08c4b9fc671202ab350d005c2d220c0a08ce1

SHA256
d1822eac8a7bc2cfcc2d82d77497b11932234b9a3383a0eb4bc1d52a27612c70

SHA512
d5a661cb87160c60ca3922a5c8f04991ee927c55877b2a9e03a3d8910f8af7c8bd5d0281a898d8f1d3966e3da49ae4462fc2e2694d4a968a8016d026ae477c50

Download Submit
C:\Windows\gho.exe

Filesize
544KB

MD5
1b571f41a700486cbed095d1932350c1

SHA1
7d260cb34ce13bf5bc7975f9a0f167fd68a0cca7

SHA256
cc2a66d691dbde538f2d9dc8c1f3d62b144cac76aa9406f988741b58c2fa8520

SHA512
6d3028f85dd96159ae79071491118b30eb162d283fe93c99a590b3e43b876cf170395e20db3165059171a6a919d0057681dac017d4a3751aa380f608711f339b

Download Submit
C:\Windows\pro.exe

Filesize
744KB

MD5
4e4a4eb005e826985f8501b6b6ed7b9f

SHA1
70e7ac78faee29648624f6423ad62498f23f854b

SHA256
f722d7b12171740fb8a478a195f103614829920dfac97d6e00e67328867820a5

SHA512
b7041db0986ca756c289350d1a6a82be462a20c09d7782662f7530b241cac3dca8a964491317b8430eff64751cb56fd00ebb014e4c0c48abeb785fd0b2072fff

Download Submit
memory/2264-18-0x0000000002350000-0x0000000002483000-memory.dmp

Filesize
1.2MB

Download
memory/2264-16-0x0000000002350000-0x0000000002483000-memory.dmp

Filesize
1.2MB

Download
memory/2264-9-0x0000000002350000-0x0000000002483000-memory.dmp

Filesize
1.2MB

Download
memory/2264-7-0x0000000002350000-0x0000000002483000-memory.dmp

Filesize
1.2MB

Download
memory/2308-30-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2308-53-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2308-31-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2536-15-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-42-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-4-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-0-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-43-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-14-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-3-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-20-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2536-1-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2728-28-0x0000000002380000-0x0000000002443000-memory.dmp

Filesize
780KB

Download
memory/2728-29-0x0000000002380000-0x0000000002443000-memory.dmp

Filesize
780KB

Download
memory/2756-25-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-22-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-21-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-19-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-17-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-13-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-12-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2756-8-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download