90dad1a92ea5dfcbb51480d367e1a8e66564fb8302267be14dfcb1671904e528

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
Size

376KB
MD5

b13a0a751da316ca82b0646c1e0d8d7a
SHA1

20d68222e316828048468568484d5b35fb2f3bed
SHA256

90dad1a92ea5dfcbb51480d367e1a8e66564fb8302267be14dfcb1671904e528
SHA512

00a96b9a24ed2461a563a5c81e9521909123add27eccc2356d74ce30412f2e87946e9bfae2f6817fda1cb9418fe7e72fcea0b4147a0706bcb25459a21bdc1cf3
SSDEEP

6144:lSnPobDUShUmcREtiUcvpKey4Kkb0c/Fnk06hiqP2NXoiyJmEW5c1xZu9MYRVv1:sngbDnsREtirRK3LZSey+2NYxM5Cx8Su

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1724	lPk16601nIpGk16601.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe

Loads dropped DLL 4 IoCs

pid	Process
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lPk16601nIpGk16601 = "C:\\ProgramData\\lPk16601nIpGk16601\\lPk16601nIpGk16601.exe"	lPk16601nIpGk16601.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPk16601nIpGk16601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPk16601nIpGk16601.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	lPk16601nIpGk16601.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2864	lPk16601nIpGk16601.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2864	lPk16601nIpGk16601.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2864	lPk16601nIpGk16601.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2864	lPk16601nIpGk16601.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
Token: SeDebugPrivilege	2864	lPk16601nIpGk16601.exe
Token: SeDebugPrivilege	1724	lPk16601nIpGk16601.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	lPk16601nIpGk16601.exe
1724	lPk16601nIpGk16601.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2864	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2864	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2864	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2864	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	30
PID 2672 wrote to memory of 1724	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	31
PID 2672 wrote to memory of 1724	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	31
PID 2672 wrote to memory of 1724	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	31
PID 2672 wrote to memory of 1724	2672	b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601.exe
  "C:\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601.exe
  "C:\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601.exe" "C:\Users\Admin\AppData\Local\Temp\b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601

Filesize
192B

MD5
918efd9b9a285191925c36d9051ca3cf

SHA1
d3050656a2c4e696f4dd598db41aa0f1eaa83559

SHA256
91882a2ce9adb2a7159aa64f537079a5a8cd23e196f3cd416b7d2c9cfba54193

SHA512
074d58a16c861da23e113b01a12a11bab03adeeab84432bb6102f7c808572e950a4572aa25564f5feea18d2a21278cf46377fb4b2abdd5e83c9c410847296dd4

Download Submit
C:\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601

Filesize
192B

MD5
ec36192b44dca3a24801b67adaa7ae2f

SHA1
143580194340a28d25d07e499c74936c1875c047

SHA256
82bf18f767b610aa2961d5f4788676ea1a6412d75f3d203892d6f38d3cda56c1

SHA512
a5beae46c1f54ef7c421a7b8b2f0e6ea6429dfe6f105f9ecb69eb618ecf47ee8044b05350faa8688de8b390cdd14b0ad261fecbf1bf6d8f4744430795abf012b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b13a0a751da316ca82b0646c1e0d8d7a_JaffaCakes118

Filesize
192B

MD5
8e9a0a164aa0db804187a7a558c31a60

SHA1
991016f7b4ece7ce3eadb2acf10aaf0b8fd992da

SHA256
ff4b681b4af756178f7a5a3051633b01b743e5ad3c79fe2181fbc109f7962738

SHA512
d9b46311bcb3505250ce890f2b8c5a761035874f7d5dffded451e5edd3bbf252db7a104715bc42c48f8bb114988e4cb790718547ce35b294dbcd1a22d5f15678

Download Submit
\ProgramData\lPk16601nIpGk16601\lPk16601nIpGk16601.exe

Filesize
376KB

MD5
e2666fd9f18d294aa72acbd0ed4bbd4b

SHA1
db0027d749f076bd907f960a4158d1e95fb854ba

SHA256
d90da876abf334f4da534f3a67c5c2d30bc1123bd749ecc349ad9c2b79031c52

SHA512
c52a31514e8006933c11dc322f7e548243128ebc8af8b32900c446b20f70f20c93e7678aa4cf5b48739e066f6e1b2c1eab1d4db76fba474b3deae200b6bd519c

Download Submit
memory/1724-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1724-38-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1724-47-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2672-23-0x00000000024A0000-0x0000000002579000-memory.dmp

Filesize
868KB

Download
memory/2672-29-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2672-6-0x0000000076FB1000-0x0000000076FB2000-memory.dmp

Filesize
4KB

Download
memory/2672-5-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2864-24-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2864-25-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download