d06eed697b1fd60b51f083b5f186d0dfc081355bffd02f7fdf72b89e2ae9552c

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe
Size

1.0MB
MD5

ac8d64159f01bd2beabb491d3ade5804
SHA1

6a910e8241c2db1b3352ab71f764718f60777315
SHA256

d06eed697b1fd60b51f083b5f186d0dfc081355bffd02f7fdf72b89e2ae9552c
SHA512

b11d16e75ab391b893684cc068f9a5948bd3980a37cf50370ed0848bdfdbf4790433e03a84ffa49ef431773a5642a2d93244b7ed801aa3c6ef9ddfb2278e40ce
SSDEEP

24576:BkuFhCwUuqDluBMfEhJX3z5mKhwbLeoMbd:PhxqDosEL3F/w+bd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2776	smes.exe
2868	smes.exe
2492	smes.exe
2984	smes.exe

Loads dropped DLL 13 IoCs

pid	Process
1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe
1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe
2736	cmd.exe
2736	cmd.exe
2776	smes.exe
2776	smes.exe
2736	cmd.exe
2736	cmd.exe
2868	smes.exe
2868	smes.exe
2492	smes.exe
2984	smes.exe
2984	smes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe
1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	smes.exe
Token: SeDebugPrivilege	2868	smes.exe
Token: SeDebugPrivilege	2492	smes.exe
Token: 33	2492	smes.exe
Token: SeIncBasePriorityPrivilege	2492	smes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	smes.exe
2984	smes.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2736	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2668	1908	ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2776	2736	cmd.exe	35
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2736 wrote to memory of 2868	2736	cmd.exe	36
PID 2492 wrote to memory of 2984	2492	smes.exe	38
PID 2492 wrote to memory of 2984	2492	smes.exe	38
PID 2492 wrote to memory of 2984	2492	smes.exe	38
PID 2492 wrote to memory of 2984	2492	smes.exe	38

C:\Users\Admin\AppData\Local\Temp\ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac8d64159f01bd2beabb491d3ade5804_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\ProgramData\smes\smes.exe
    smes.exe -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\ProgramData\smes\smes.exe
    smes.exe -start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668

C:\ProgramData\smes\smes.exe
C:\ProgramData\smes\smes.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\ProgramData\smes\smes.exe
  C:\ProgramData\smes\smes.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kingsoft\kws\kws.ini

Filesize
720B

MD5
ffc3088dc68b14616fc334ce25f7c4ec

SHA1
83ea5e504ba582fd0db81371888b2d2d36012af8

SHA256
f39e009b78bbca138cf7ca72023390afe0e9ab1980eb0e326e637186a1249872

SHA512
b3c29e4513ba21d9588661eeffe029bdc5a2317cb3345cbe945f50df9688732d478e614e67a64f87d9cdf2c284eaeb9c497feef69ee71a621f4fc009bf1c09b4

Download Submit
C:\ProgramData\smes\KWSSVC.log

Filesize
202B

MD5
631f56bd7162a8bb8448a132b9f9b6c3

SHA1
9a819f9add620259916538e5f53d6a16c8b83141

SHA256
f44be399b223ed8aa0e07646db7b25fef991556372b5cfbfe6c670a6a8a7410c

SHA512
625285307d57e435b76595aa13decb9d2b2c1606e082a5e9481dad667e223151c9733ee2d6dd01d46118f043d5d7c41e3f45dfa6bd9aa2b831e225cf2a183010

Download Submit
C:\ProgramData\smes\KWSSVC.log

Filesize
448B

MD5
6208b710e9d857d0e596d2b85def06a1

SHA1
73dc89826e33e7e68d978d449f327ce5e10b760d

SHA256
b3309a16aadd3bdd7ce36342512f909776bd3d90a5558f9f6385fe6c23561a68

SHA512
c68a2a890d6349b3777203ae25c3b71d939d9810ba92a6b1c55f1c5b9b583065881bfacf1b4c7aa0b5fce8baf144c0e4bff87e61c17d665abdaafec5f9ae2e46

Download Submit
C:\ProgramData\smes\KWSSVC.log

Filesize
546B

MD5
39c069cc2db290d42a620a84026a226f

SHA1
fa496bebeb99ed9fd28be37060c76b8798f11d2f

SHA256
7a60385deb9d8e576770a33dd229bd53b83dfb90640e2677d8883fef86595b6c

SHA512
0dd6f9eaf1135fbe616bd6cbf594066b9a0d08273ba614be207e212466ba28cdeaf221c21fad5a56555ad88c66de3f54e05cd53b3d811a4ecf505c5b5e9ce917

Download Submit
C:\ProgramData\smes\kswebshield.dll

Filesize
441KB

MD5
7851449473178f9782263d51bc5e3bbc

SHA1
ad5148ee1bed2348b320c62c025d52fbcbb28799

SHA256
c3bc7ec8428f0bb210a0597c9a0cad1be412b7fa46ea006819a3df9ac23118b4

SHA512
b01fc37ac84b81df8d7657000295aed7eb50aaf7f13ab2b2be9030c9f83ed1559318c83c78b4a29926d7d30e9eea9538d123ef4a649179be5a5b54ee71ed9b49

Download Submit
C:\ProgramData\smes\kwssp.dll

Filesize
425KB

MD5
bf5dcfd9da0514334d41cbd80d2a9138

SHA1
802f9e0b82edca56be08a33b2ba874b34c31f1e3

SHA256
f9506cf9a87aa6bfbf07f2124f2785a711b27a70839ebb95bdd4b2cf747fb060

SHA512
246796f2e201cde30043eaa2c0ffb4d2b3bea2bae97261a022824c31a42d2b08998b1bdcd436e8392bdd153dd6fadf9ba69361c7316a6bfda5d475678b7aa5cc

Download Submit
C:\ProgramData\smes\kwsui.dll

Filesize
433KB

MD5
45199dab51eeece95728abfe25e18f35

SHA1
59ab0fe25aa2adc253adbecba6862e7432df1c39

SHA256
a22006861cac6a849346282e2f7729deeb8f68bf29f13c15ae33d20311f77391

SHA512
825c6ae1f88cec3d6c469e6a15cad0430845ecc8d436777092f4c5fe8ecd02abbfeb3e2a17b2f4896b9d6e4b2d229a8b83bfdda75a3e025fc32f86610c6eef12

Download Submit
C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
135B

MD5
24754f38c37910d748a5dd1c45daf9ab

SHA1
62d87cd516c59039c94a5426e4f630c142931fa3

SHA256
63cea6b342ddff35ec0f99411d689533282132f079553dc4d504ee3143c9dcfc

SHA512
8de5c6df3b62f28dee31f647dfb05c7f54a34bb4946d54b1184e499c10b34472f58189474bfb72c4755cbb87e04fd064c1ec7acd20c79d511371bf09033e6aa2

Download Submit
\ProgramData\smes\smes.exe

Filesize
209KB

MD5
1fa47f5b173cee5ef9c3ee1bda0c321e

SHA1
60ee40236f960affb01d569a32e1b05888bb081a

SHA256
b21526716068d2a8550780038e2b5ddb843d77890a07ec82ed9ce9dd0be52c64

SHA512
01f39376269a75510347fcf66ff2585b25d5e6e10e26b7feefa3af66e712a5f50c62bff6d40abee733e1ce965d17a2e443664838268eb7c7a2e36fc1c024224d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFA09.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFA09.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
memory/1908-5-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2984-56-0x0000000000440000-0x00000000004B1000-memory.dmp

Filesize
452KB

Download