06e052f9031bb16ba3d3fca5e5e4978aa10a43b654028ba898abc4bd6b81b9aa

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe
Size

187KB
MD5

b28f8310cb92f5db49c65cf77b4dab13
SHA1

0657be4d3ea9437db3d7d4b880093aa65755ad14
SHA256

06e052f9031bb16ba3d3fca5e5e4978aa10a43b654028ba898abc4bd6b81b9aa
SHA512

adac7e0fdac1cf6c4ccb5be4c15356e30b1e6f00a9c5a5b3b1ed0d71f324cc40ad89984a0040d87feab855d551902ff357b100bafa7d854c0c1d95e216b7e1c2
SSDEEP

3072:NrFkY0W+dNGryWlLin61AOTQJ/FtMVKVGxbfT/j/MwG:BExNGeSWeAOTiUo6DXk

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	KB00553129.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe
2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB00553129.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB00553129.exe\""	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe
2744	KB00553129.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	KB00553129.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2744	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2744	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2744	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2744	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2748	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2748	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2748	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2748	2080	b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1120	2744	KB00553129.exe	19
PID 2744 wrote to memory of 1120	2744	KB00553129.exe	19
PID 2744 wrote to memory of 1120	2744	KB00553129.exe	19
PID 2744 wrote to memory of 1120	2744	KB00553129.exe	19
PID 2744 wrote to memory of 1120	2744	KB00553129.exe	19
PID 2744 wrote to memory of 1176	2744	KB00553129.exe	20
PID 2744 wrote to memory of 1176	2744	KB00553129.exe	20
PID 2744 wrote to memory of 1176	2744	KB00553129.exe	20
PID 2744 wrote to memory of 1176	2744	KB00553129.exe	20
PID 2744 wrote to memory of 1176	2744	KB00553129.exe	20
PID 2744 wrote to memory of 1228	2744	KB00553129.exe	21
PID 2744 wrote to memory of 1228	2744	KB00553129.exe	21
PID 2744 wrote to memory of 1228	2744	KB00553129.exe	21
PID 2744 wrote to memory of 1228	2744	KB00553129.exe	21
PID 2744 wrote to memory of 1228	2744	KB00553129.exe	21
PID 2744 wrote to memory of 1384	2744	KB00553129.exe	23
PID 2744 wrote to memory of 1384	2744	KB00553129.exe	23
PID 2744 wrote to memory of 1384	2744	KB00553129.exe	23
PID 2744 wrote to memory of 1384	2744	KB00553129.exe	23
PID 2744 wrote to memory of 1384	2744	KB00553129.exe	23
PID 2744 wrote to memory of 2080	2744	KB00553129.exe	29
PID 2744 wrote to memory of 2080	2744	KB00553129.exe	29
PID 2744 wrote to memory of 2080	2744	KB00553129.exe	29
PID 2744 wrote to memory of 2080	2744	KB00553129.exe	29
PID 2744 wrote to memory of 2080	2744	KB00553129.exe	29
PID 2744 wrote to memory of 2748	2744	KB00553129.exe	31
PID 2744 wrote to memory of 2748	2744	KB00553129.exe	31
PID 2744 wrote to memory of 2748	2744	KB00553129.exe	31
PID 2744 wrote to memory of 2748	2744	KB00553129.exe	31
PID 2744 wrote to memory of 2748	2744	KB00553129.exe	31
PID 2744 wrote to memory of 2712	2744	KB00553129.exe	32
PID 2744 wrote to memory of 2712	2744	KB00553129.exe	32
PID 2744 wrote to memory of 2712	2744	KB00553129.exe	32
PID 2744 wrote to memory of 2712	2744	KB00553129.exe	32
PID 2744 wrote to memory of 2712	2744	KB00553129.exe	32
PID 2744 wrote to memory of 2144	2744	KB00553129.exe	33
PID 2744 wrote to memory of 2144	2744	KB00553129.exe	33
PID 2744 wrote to memory of 2144	2744	KB00553129.exe	33
PID 2744 wrote to memory of 2144	2744	KB00553129.exe	33
PID 2744 wrote to memory of 2144	2744	KB00553129.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b28f8310cb92f5db49c65cf77b4dab13_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Roaming\KB00553129.exe
    "C:\Users\Admin\AppData\Roaming\KB00553129.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS3DDB.tmp.BAT"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "128948020076566094395168801-51523478016886624061757684332-2202454581322797374"
1⤵
PID:2712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\POS3DDB.tmp.BAT

Filesize
286B

MD5
a36f05d595be60212a1868328d0dc2b9

SHA1
7ae8234dab90f0688e28789c71649e619afe7e4b

SHA256
bce585b169bf7dcf273a02871b506a97218157b6346f5c30dc28ea26813417bc

SHA512
da05298ab78ae194c78b433f3f6f364acb5fa6a326f83b95098a5001b5e18c783b0072d3937f43ad0f0e625a746a62294e3cc4bc57cf458f0302c543727510c3

Download Submit
C:\Users\Admin\AppData\Roaming\KB00553129.exe

Filesize
187KB

MD5
b28f8310cb92f5db49c65cf77b4dab13

SHA1
0657be4d3ea9437db3d7d4b880093aa65755ad14

SHA256
06e052f9031bb16ba3d3fca5e5e4978aa10a43b654028ba898abc4bd6b81b9aa

SHA512
adac7e0fdac1cf6c4ccb5be4c15356e30b1e6f00a9c5a5b3b1ed0d71f324cc40ad89984a0040d87feab855d551902ff357b100bafa7d854c0c1d95e216b7e1c2

Download Submit
memory/1120-30-0x0000000001F40000-0x0000000001F61000-memory.dmp

Filesize
132KB

Download
memory/1120-22-0x0000000001F40000-0x0000000001F61000-memory.dmp

Filesize
132KB

Download
memory/1176-32-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/1176-41-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/1228-44-0x0000000002AD0000-0x0000000002AF1000-memory.dmp

Filesize
132KB

Download
memory/1228-54-0x0000000002AD0000-0x0000000002AF1000-memory.dmp

Filesize
132KB

Download
memory/1384-57-0x0000000002200000-0x0000000002221000-memory.dmp

Filesize
132KB

Download
memory/1384-68-0x0000000002200000-0x0000000002221000-memory.dmp

Filesize
132KB

Download
memory/2080-84-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2080-82-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2080-74-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2080-73-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2080-70-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2080-0-0x0000000000405000-0x0000000000407000-memory.dmp

Filesize
8KB

Download
memory/2080-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-77-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2744-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download