e7c54281bb5b8a75314bcb5d1fbeb9a3c0fc9d8a766978c56427b227ce80791b

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe
Size

2.6MB
MD5

b8a220f1408b1b09c2e61c00a7e3ca0f
SHA1

aac3a48c6cc16cf12a7258896d3ab46425f09c34
SHA256

e7c54281bb5b8a75314bcb5d1fbeb9a3c0fc9d8a766978c56427b227ce80791b
SHA512

87536d0299d2ce5985cc227bd64736dcbb7eee14ee603cd9f4e3b3e0b5a0d247a92e7ea19c50bc23bdf1fbe6e9e9714f3f9faf91386fb2f43a597f50777ec7a5
SSDEEP

49152:BG0PJJb4mc062G1fSKYUIIK5lFOJ3i63G5m8J5IRKZozy5PzI98+aDXqCpfVDVgD:zJH7tG1fSKYlIK5lFc73wJ50KZz5PzaL

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2868	H_Client.exe
2400	H_Client.exe
2180	ÐÂµÄ.exe
2740	H_Client.exe
2924	syms.exe

Loads dropped DLL 7 IoCs

pid	Process
2532	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe
2532	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe
2868	H_Client.exe
2868	H_Client.exe
2868	H_Client.exe
2868	H_Client.exe
2400	H_Client.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000018671-3.dat	upx
behavioral1/memory/2868-13-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2532-6-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2868-33-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2740	2400	H_Client.exe	33

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\syms.exe	ÐÂµÄ.exe
File opened for modification	C:\Windows\syms.exe	ÐÂµÄ.exe
File created	C:\Windows\uninstal.bat	ÐÂµÄ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÐÂµÄ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	ÐÂµÄ.exe
Token: SeDebugPrivilege	2924	syms.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2924	syms.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe
2740	H_Client.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2868	2532	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2868	2532	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2868	2532	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2868	2532	b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2400	2868	H_Client.exe	31
PID 2868 wrote to memory of 2400	2868	H_Client.exe	31
PID 2868 wrote to memory of 2400	2868	H_Client.exe	31
PID 2868 wrote to memory of 2400	2868	H_Client.exe	31
PID 2868 wrote to memory of 2180	2868	H_Client.exe	32
PID 2868 wrote to memory of 2180	2868	H_Client.exe	32
PID 2868 wrote to memory of 2180	2868	H_Client.exe	32
PID 2868 wrote to memory of 2180	2868	H_Client.exe	32
PID 2400 wrote to memory of 2740	2400	H_Client.exe	33
PID 2400 wrote to memory of 2740	2400	H_Client.exe	33
PID 2400 wrote to memory of 2740	2400	H_Client.exe	33
PID 2400 wrote to memory of 2740	2400	H_Client.exe	33
PID 2400 wrote to memory of 2740	2400	H_Client.exe	33
PID 2400 wrote to memory of 2740	2400	H_Client.exe	33
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2180 wrote to memory of 2760	2180	ÐÂµÄ.exe	36
PID 2924 wrote to memory of 2840	2924	syms.exe	35
PID 2924 wrote to memory of 2840	2924	syms.exe	35
PID 2924 wrote to memory of 2840	2924	syms.exe	35
PID 2924 wrote to memory of 2840	2924	syms.exe	35

C:\Users\Admin\AppData\Local\Temp\b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8a220f1408b1b09c2e61c00a7e3ca0f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\H_Client.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\H_Client.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\H_Client.exe
    "C:\Users\Admin\AppData\Local\Temp\H_Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\H_Client.exe
      C:\Users\Admin\AppData\Local\Temp\H_Client.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\ÐÂµÄ.exe
    "C:\Users\Admin\AppData\Local\Temp\ÐÂµÄ.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760

C:\Windows\syms.exe
C:\Windows\syms.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H_Client.exe

Filesize
1.9MB

MD5
24f944ae8127ac7b120d0e0ca34e7480

SHA1
9916fef8ba20b7e36661a9c0dc735f705d031cdf

SHA256
0727edef68c27b0b3726f55e070b622d238419356e3e7dd4647db82715216a1d

SHA512
e72a53f922e55c03ce06ad3a5baf50d8df8b5d6a9897400675c3a4d428affd2afe45e1a300376613d7119b4a6e569b3b9c60ca494a19dcbd94313bd24d6f82c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Operate.ini

Filesize
607B

MD5
f17409a7f176b2696ebe93a2da6ff6ec

SHA1
3c699a1d2460dcd42500be658042ccaf31b3bce4

SHA256
de2f79eff89dec777ef5d4dac172bdc8a469c25c55753600a89f19603ca58c87

SHA512
fb5a449ca964fc4e9f408aca96aa48b383e6326c92f5445b25f7bcef341ebf045f6b69bf9773062969accbaee5804167d627e0d01f3333ddc9d6060c2c2d5551

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÂµÄ.exe

Filesize
743KB

MD5
bf87da785b89f4f3e743c7826ce2a046

SHA1
58f72f919f855e42cf4695860c70e3d50478d98d

SHA256
e9f9dfe82843455f3b3b82682edbd5f5c5d7b54e7b7eb9298384f8a9046b0599

SHA512
e4c4b914271b0dfc8706082532f559e5df671dbe15e0adebc7484120816f1d3f5f610b7a737d7d2defcd6a3d218c8d6d87448cfdcf83272ac99d2d87770a3d00

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
d4e1e8c38b99db083ba9b13bb521b9bc

SHA1
ab7e43aa2593ff8902f0bd68e5969d02e0d0a69e

SHA256
0646b1c50c72d89a9f7f74dafdb524e5449e2ed0ac3de56fa3571c8ecaefe466

SHA512
20743889ddb081ee236350973189de5b929994ca459090dfe399d103ad9e9945c6e74884417d9b9c58a4dbee8c3636edb6deacbaffc4971c054d29d06cb8adc1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\H_Client.exe

Filesize
2.3MB

MD5
83fd8ff3407b979b9eb7a8dee415cef9

SHA1
aeb596279bdf3e23839d5242d032567e75bd7d10

SHA256
635b7af703797e69b5794232f7d2b81352aa5d67e5f99933ab7bbb2d8476d0ca

SHA512
a2a5373422f66754915bc795cd11c3d926ae1e445f6f032d25c3a35ff06e8cd3c70dad79ff7b0bcbb8c2ba3ca69e0bbcc9f1bae93813abe2086ffa9159c5e40e

Download Submit
memory/2180-58-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2400-43-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2532-36-0x0000000001000000-0x0000000001506000-memory.dmp

Filesize
5.0MB

Download
memory/2532-2-0x0000000001000000-0x0000000001506000-memory.dmp

Filesize
5.0MB

Download
memory/2532-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2532-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2740-86-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-96-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-42-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-40-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-49-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-44-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-123-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-60-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-121-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-87-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-88-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-93-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-94-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-95-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-38-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-97-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-119-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-99-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-101-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-103-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-105-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-107-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-109-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-111-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-113-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-115-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2740-117-0x0000000000400000-0x00000000017BF000-memory.dmp

Filesize
19.7MB

Download
memory/2868-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2868-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-98-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads