724333d57a79efd6b56ef0451206d4c04c90f6ed85e363bfd26c43d7f2ff5124

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe
Size

79KB
MD5

b294e18e7cba198d748cdcee578d59de
SHA1

48fa0d21c63150e6dc80b99812c0bc7ec9606d62
SHA256

724333d57a79efd6b56ef0451206d4c04c90f6ed85e363bfd26c43d7f2ff5124
SHA512

bd3f88fc8446d879fe97970722e8602ed87be29f9b50805d4cd393c4ac1b92b1811a4d8471f9b3fe56726801b1d11081e99e0f09dba6d583f5d86dadbd633383
SSDEEP

1536:5WFro3Zoa+O9lmUPpk6iN5z0OvmiwJfrhl:5Wg4PN5FYr

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Loads dropped DLL 3 IoCs

pid	Process
3948	Rundll32.exe
1968	Rundll32.exe
1968	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mnma.dll	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ltna.dll	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2500	sc.exe
408	sc.exe
2844	sc.exe
2840	sc.exe
3840	sc.exe
2416	sc.exe
3920	sc.exe
3124	sc.exe
2360	sc.exe
3276	sc.exe
3000	sc.exe
4408	sc.exe
3428	sc.exe
2928	sc.exe
4780	sc.exe
2968	sc.exe
2368	sc.exe
2420	sc.exe
3932	sc.exe
4120	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3948	Rundll32.exe
3948	Rundll32.exe
3948	Rundll32.exe
3948	Rundll32.exe
3948	Rundll32.exe
3948	Rundll32.exe
3948	Rundll32.exe
3948	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4624	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3948	4624	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe	84
PID 4624 wrote to memory of 3948	4624	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe	84
PID 4624 wrote to memory of 3948	4624	b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe	84
PID 3948 wrote to memory of 2360	3948	Rundll32.exe	85
PID 3948 wrote to memory of 2360	3948	Rundll32.exe	85
PID 3948 wrote to memory of 2360	3948	Rundll32.exe	85
PID 3948 wrote to memory of 2500	3948	Rundll32.exe	86
PID 3948 wrote to memory of 2500	3948	Rundll32.exe	86
PID 3948 wrote to memory of 2500	3948	Rundll32.exe	86
PID 3948 wrote to memory of 4120	3948	Rundll32.exe	87
PID 3948 wrote to memory of 4120	3948	Rundll32.exe	87
PID 3948 wrote to memory of 4120	3948	Rundll32.exe	87
PID 3948 wrote to memory of 3276	3948	Rundll32.exe	88
PID 3948 wrote to memory of 3276	3948	Rundll32.exe	88
PID 3948 wrote to memory of 3276	3948	Rundll32.exe	88
PID 3948 wrote to memory of 3124	3948	Rundll32.exe	89
PID 3948 wrote to memory of 3124	3948	Rundll32.exe	89
PID 3948 wrote to memory of 3124	3948	Rundll32.exe	89
PID 3948 wrote to memory of 3920	3948	Rundll32.exe	90
PID 3948 wrote to memory of 3920	3948	Rundll32.exe	90
PID 3948 wrote to memory of 3920	3948	Rundll32.exe	90
PID 3948 wrote to memory of 3840	3948	Rundll32.exe	92
PID 3948 wrote to memory of 3840	3948	Rundll32.exe	92
PID 3948 wrote to memory of 3840	3948	Rundll32.exe	92
PID 3948 wrote to memory of 3428	3948	Rundll32.exe	93
PID 3948 wrote to memory of 3428	3948	Rundll32.exe	93
PID 3948 wrote to memory of 3428	3948	Rundll32.exe	93
PID 3948 wrote to memory of 2840	3948	Rundll32.exe	95
PID 3948 wrote to memory of 2840	3948	Rundll32.exe	95
PID 3948 wrote to memory of 2840	3948	Rundll32.exe	95
PID 3948 wrote to memory of 3932	3948	Rundll32.exe	96
PID 3948 wrote to memory of 3932	3948	Rundll32.exe	96
PID 3948 wrote to memory of 3932	3948	Rundll32.exe	96
PID 3948 wrote to memory of 2420	3948	Rundll32.exe	97
PID 3948 wrote to memory of 2420	3948	Rundll32.exe	97
PID 3948 wrote to memory of 2420	3948	Rundll32.exe	97
PID 3948 wrote to memory of 2844	3948	Rundll32.exe	98
PID 3948 wrote to memory of 2844	3948	Rundll32.exe	98
PID 3948 wrote to memory of 2844	3948	Rundll32.exe	98
PID 3948 wrote to memory of 2368	3948	Rundll32.exe	99
PID 3948 wrote to memory of 2368	3948	Rundll32.exe	99
PID 3948 wrote to memory of 2368	3948	Rundll32.exe	99
PID 3948 wrote to memory of 2416	3948	Rundll32.exe	100
PID 3948 wrote to memory of 2416	3948	Rundll32.exe	100
PID 3948 wrote to memory of 2416	3948	Rundll32.exe	100
PID 3948 wrote to memory of 2968	3948	Rundll32.exe	101
PID 3948 wrote to memory of 2968	3948	Rundll32.exe	101
PID 3948 wrote to memory of 2968	3948	Rundll32.exe	101
PID 3948 wrote to memory of 408	3948	Rundll32.exe	103
PID 3948 wrote to memory of 408	3948	Rundll32.exe	103
PID 3948 wrote to memory of 408	3948	Rundll32.exe	103
PID 3948 wrote to memory of 4408	3948	Rundll32.exe	104
PID 3948 wrote to memory of 4408	3948	Rundll32.exe	104
PID 3948 wrote to memory of 4408	3948	Rundll32.exe	104
PID 3948 wrote to memory of 4780	3948	Rundll32.exe	105
PID 3948 wrote to memory of 4780	3948	Rundll32.exe	105
PID 3948 wrote to memory of 4780	3948	Rundll32.exe	105
PID 3948 wrote to memory of 3000	3948	Rundll32.exe	106
PID 3948 wrote to memory of 3000	3948	Rundll32.exe	106
PID 3948 wrote to memory of 3000	3948	Rundll32.exe	106
PID 3948 wrote to memory of 2928	3948	Rundll32.exe	107
PID 3948 wrote to memory of 2928	3948	Rundll32.exe	107
PID 3948 wrote to memory of 2928	3948	Rundll32.exe	107
PID 3948 wrote to memory of 4624	3948	Rundll32.exe	83

C:\Users\Admin\AppData\Local\Temp\b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b294e18e7cba198d748cdcee578d59de_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\mnma.dll Execute
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\sc.exe
    sc stop 360rp
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\sc.exe
    sc delete 360rp
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\sc.exe
    sc stop RsRavMon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4120
- - C:\Windows\SysWOW64\sc.exe
    sc delete RsRavMon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3276
- - C:\Windows\SysWOW64\sc.exe
    sc stop McNASvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3124
- - C:\Windows\SysWOW64\sc.exe
    sc delete McNASvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Windows\SysWOW64\sc.exe
    sc stop MpfService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Windows\SysWOW64\sc.exe
    sc delete MpfService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3428
- - C:\Windows\SysWOW64\sc.exe
    sc stop McProxy
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\sc.exe
    sc delete McProxy
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3932
- - C:\Windows\SysWOW64\sc.exe
    sc stop McShield
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2420
- - C:\Windows\SysWOW64\sc.exe
    sc delete McShield
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\sc.exe
    sc stop McODS
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\sc.exe
    sc delete McODS
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\sc.exe
    sc stop mcmscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc delete mcmscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:408
- - C:\Windows\SysWOW64\sc.exe
    sc stop McSysmon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4408
- - C:\Windows\SysWOW64\sc.exe
    sc delete McSysmon
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4780
- - C:\Windows\SysWOW64\sc.exe
    sc stop ekrn
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\sc.exe
    sc delete ekrn
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\ltna.dll Execute
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Driver.sys

Filesize
11KB

MD5
85aa9639f8bb0d6eed673a8274b48e00

SHA1
7cb2187d4fea4495d5e1bac2dc2327afd2511416

SHA256
2ddbd07ddfda5d4f9b1c44c8ff16f7e38027d275af6bf57f317b136060d695a9

SHA512
9af7c108b244a8b12f27d57e9e52cd4a8066f200aba03b77e1f6100f386f15670d89f00d57afff5960af7336337bfb885ac7cf5a8ea0323d5711bf3b51ffc9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\70EA.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\ltna.dll

Filesize
8KB

MD5
68fc17d525510a480d24e2161ef742cc

SHA1
ac2fd933345cf37fd381cabe8a94b183e6bd7c41

SHA256
c0f4820660edacf4225473ffed81b37a7009a8c323228459c2ca8068c6dcabcf

SHA512
bafb1a3a63406d3479bde68aac05f48453574df08069d7f29c6cd1999ae1d8c5c61e4864315bfe91d045338dcbf006c3e79aa0197d249b8c9d4ed76befdd017a

Download Submit
C:\Windows\SysWOW64\mnma.dll

Filesize
14KB

MD5
ca1ed5dccd9870d95f57763145dfbb48

SHA1
b40319735fd1e9bc978bb267f8e5f46ebb60e393

SHA256
c59cdac86482e5208569803b884d1aed3b60d8f98a413babf097b32dde20544b

SHA512
a6897c65955c4d1b6d7fea61762211be1aec3da4d879dd8923420353c8309f26766ef977b3338bfbf120ed209c69e328feb1bf148e98db1c6d7164c2094ba62c

Download Submit
memory/4624-5-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download