Analysis

max time kernel: 134s
max time network: 137s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 12:09
Static task: static1

Behavioral task: behavioral1
Sample: b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
Size: 320KB
MD5: b792db9a702ece2509a79c28574901a3
SHA1: 0781c221730ab72fb2c46e44f9aead2dd16aba62
SHA256: 89cd75a6520f1d87704c4eb5b71eefce3384d452916cd888b90e8cf6071f8520
SHA512: 9726b51efb9b2458330ebb5896c75807bba2c439422593f64b941d5672d487d0452cbf76adf5dbaa6a6478125abe86808cce5016a836a1d4d3854a62d32a7162
SSDEEP: 3072:/3tiDbD1iiBn2xiFagjbTPFzbbVBoPXwIuhT6K9K2CUFh7XT0044Dg5a9t70Hj0W:/EP4Sn1FZdWk6K82Cs7XdgCotgccpNhy
Malware Config
Signatures

Deletes itself (1 IoCs)
pid | Process
2764 | cmd.exe

Executes dropped EXE (1 IoCs)
pid | Process
2672 | Sysdll.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | Sysdll.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | Sysdll.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | Sysdll.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | Sysdll.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | Sysdll.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\Sysdll.exe | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
File opened for modification | C:\Windows\Sysdll.exe | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
File created | C:\Windows\uninstal.bat | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Sysdll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | Sysdll.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D1B3EA5-73FC-441B-9AA7-AACEA1F16518}\WpadDecisionReason = "1" | Sysdll.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | Sysdll.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D1B3EA5-73FC-441B-9AA7-AACEA1F16518} | Sysdll.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-a9-da-7b-b7-2e\WpadDecisionReason = "1" | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | Sysdll.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | Sysdll.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | Sysdll.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D1B3EA5-73FC-441B-9AA7-AACEA1F16518}\WpadNetworkName = "Network 3" | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | Sysdll.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Sysdll.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | Sysdll.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0071000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | Sysdll.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D1B3EA5-73FC-441B-9AA7-AACEA1F16518}\WpadDecision = "0" | Sysdll.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-a9-da-7b-b7-2e\WpadDecision = "0" | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D1B3EA5-73FC-441B-9AA7-AACEA1F16518}\ee-a9-da-7b-b7-2e | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-a9-da-7b-b7-2e | Sysdll.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-a9-da-7b-b7-2e\WpadDecisionTime = 60d4962c8cf4da01 | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | Sysdll.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | Sysdll.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D1B3EA5-73FC-441B-9AA7-AACEA1F16518}\WpadDecisionTime = 60d4962c8cf4da01 | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | Sysdll.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Sysdll.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
Token: SeDebugPrivilege | 2672 | Sysdll.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2672 | Sysdll.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2672 wrote to memory of 2700 | 2672 | Sysdll.exe | 32
PID 2672 wrote to memory of 2700 | 2672 | Sysdll.exe | 32
PID 2672 wrote to memory of 2700 | 2672 | Sysdll.exe | 32
PID 2672 wrote to memory of 2700 | 2672 | Sysdll.exe | 32
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
PID 2436 wrote to memory of 2764 | 2436 | b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b792db9a702ece2509a79c28574901a3_JaffaCakes118.exe"
PID: 2436
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (child of PID 2436)
    Command line: cmd /c C:\Windows\uninstal.bat
    PID: 2764
    - Deletes itself
    - System Location Discovery: System Language Discovery

C:\Windows\Sysdll.exe
Command line: C:\Windows\Sysdll.exe
PID: 2672
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\IEXPLORE.EXE (child of PID 2672)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 320KB
MD5: b792db9a702ece2509a79c28574901a3
SHA1: 0781c221730ab72fb2c46e44f9aead2dd16aba62
SHA256: 89cd75a6520f1d87704c4eb5b71eefce3384d452916cd888b90e8cf6071f8520
SHA512: 9726b51efb9b2458330ebb5896c75807bba2c439422593f64b941d5672d487d0452cbf76adf5dbaa6a6478125abe86808cce5016a836a1d4d3854a62d32a7162

Filesize: 217B
MD5: ae97a374278e23536a22a27b9bf9a60c
SHA1: 64e80b020eef94ed7cf5bf37568b03ca5b5efdfc
SHA256: 8cf7a6d6eae6ad39f3fd8fe60a92b5c7e38b57a545b9ea1dd799bf3a1b42a8de
SHA512: 411c87843b6d2a2e5edf87043d73619d770f2474923679eb33181ee93a08755b225d1e5e87ba872f86d5a37c4822f0389a7d8ac5eefdbf2d50b8c0a75e6f3199