Analysis
max time kernel: 29s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
Size: 1.4MB
MD5: ba3c825ff6bef6116b08f93ba53438d3
SHA1: 278817cc30e842d66abc1f6427ad0d8fdb212184
SHA256: 1676096e7b725505b14ec93352e05d7d1a1c95a622d9766e288cfb84f2168354
SHA512: ef236bd1b1462aca6df41e6b7146695e74798cea87b6ec457c55c72a5604fa925995530515afb20d823aaec72b9d2fce51d6ad13cf5d7210ba7981999da3405c
SSDEEP: 12288:Nxrx0r3zEUtNL8YcL5YHaI7XHgZQKhJgeCmdo3zK7LdykEjYnA6lfr:4XbL8iHFLHgZpJEoPdykFnDlz
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
  pid / Process
  - 2708 838.#.exe
  - 1144 776.#.exe
  - 2732 558.#.exe
  - 2856 458.#.exe
  - 924 31.#.exe
Loads dropped DLL (10 IoCs)
  pid / Process
  - 2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
  - 2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
  - 2708 838.#.exe
  - 2708 838.#.exe
  - 1144 776.#.exe
  - 1144 776.#.exe
  - 2732 558.#.exe
  - 2732 558.#.exe
  - 2856 458.#.exe
  - 2856 458.#.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
  description / ioc / Process
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (458.#.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (31.#.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (838.#.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (776.#.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (558.#.exe)
Drops file in Program Files directory (64 IoCs)
  description / ioc / Process
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\7-Zip\7zFM.exe$ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\7-Zip\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\ (776.#.exe)
  - File opened for modification: C:\Program Files\7-Zip\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ (776.#.exe)
  - File opened for modification: C:\Program Files\7-Zip\7zFM.exe (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File created: C:\Program Files\7-Zip\7zG.exe (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Filters\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe (838.#.exe)
  - File created: C:\Program Files\7-Zip\Uninstall.exe (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\ (776.#.exe)
  - File opened for modification: C:\Program Files\7-Zip\7z.exe$ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\7-Zip\Uninstall.exe (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Filters\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\ (838.#.exe)
  - File opened for modification: C:\Program Files\7-Zip\7zG.exe (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\ (838.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\ (776.#.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\ (776.#.exe)
  - File created: C:\Program Files\7-Zip\7zFM.exe (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (838.#.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (776.#.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (558.#.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (458.#.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (31.#.exe)
NTFS ADS (6 IoCs)
  description / ioc / Process
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak (ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak (838.#.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak (776.#.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak (558.#.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak (458.#.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak (31.#.exe)
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid / Process
  - 2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
  - 2708 838.#.exe
  - 1144 776.#.exe
  - 2732 558.#.exe
  - 2856 458.#.exe
  - 924 31.#.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target
  - PID 2552 wrote to memory of 2708 (2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe, target 29)
  - PID 2552 wrote to memory of 2708 (2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe, target 29)
  - PID 2552 wrote to memory of 2708 (2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe, target 29)
  - PID 2552 wrote to memory of 2708 (2552 ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe, target 29)
  - PID 2708 wrote to memory of 1144 (2708 838.#.exe, target 30)
  - PID 2708 wrote to memory of 1144 (2708 838.#.exe, target 30)
  - PID 2708 wrote to memory of 1144 (2708 838.#.exe, target 30)
  - PID 2708 wrote to memory of 1144 (2708 838.#.exe, target 30)
  - PID 1144 wrote to memory of 2732 (1144 776.#.exe, target 31)
  - PID 1144 wrote to memory of 2732 (1144 776.#.exe, target 31)
  - PID 1144 wrote to memory of 2732 (1144 776.#.exe, target 31)
  - PID 1144 wrote to memory of 2732 (1144 776.#.exe, target 31)
  - PID 2732 wrote to memory of 2856 (2732 558.#.exe, target 32)
  - PID 2732 wrote to memory of 2856 (2732 558.#.exe, target 32)
  - PID 2732 wrote to memory of 2856 (2732 558.#.exe, target 32)
  - PID 2732 wrote to memory of 2856 (2732 558.#.exe, target 32)
  - PID 2856 wrote to memory of 924 (2856 458.#.exe, target 33)
  - PID 2856 wrote to memory of 924 (2856 458.#.exe, target 33)
  - PID 2856 wrote to memory of 924 (2856 458.#.exe, target 33)
  - PID 2856 wrote to memory of 924 (2856 458.#.exe, target 33)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ba3c825ff6bef6116b08f93ba53438d3_JaffaCakes118.exe"
   PID: 2552
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\838.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\838.#.exe
   PID: 2708
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\776.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\776.#.exe
   PID: 1144
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\558.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\558.#.exe
   PID: 2732
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Local\Temp\458.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\458.#.exe
   PID: 2856
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\31.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\31.#.exe
   PID: 924
   - Executes dropped EXE
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
7. C:\Users\Admin\AppData\Local\Temp\622.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\622.#.exe
   PID: 2956
8. C:\Users\Admin\AppData\Local\Temp\814.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\814.#.exe
   PID: 2264
9. C:\Users\Admin\AppData\Local\Temp\476.#.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\476.#.exe
   PID: 2464
10. C:\Users\Admin\AppData\Local\Temp\344.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\344.#.exe
    PID: 1860
11. C:\Users\Admin\AppData\Local\Temp\138.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\138.#.exe
    PID: 2220
12. C:\Users\Admin\AppData\Local\Temp\261.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\261.#.exe
    PID: 1396
13. C:\Users\Admin\AppData\Local\Temp\859.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\859.#.exe
    PID: 2064
14. C:\Users\Admin\AppData\Local\Temp\405.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\405.#.exe
    PID: 1568
15. C:\Users\Admin\AppData\Local\Temp\527.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\527.#.exe
    PID: 2980
16. C:\Users\Admin\AppData\Local\Temp\219.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\219.#.exe
    PID: 2452
17. C:\Users\Admin\AppData\Local\Temp\606.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\606.#.exe
    PID: 428
18. C:\Users\Admin\AppData\Local\Temp\332.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\332.#.exe
    PID: 2368
19. C:\Users\Admin\AppData\Local\Temp\948.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\948.#.exe
    PID: 2428
20. C:\Users\Admin\AppData\Local\Temp\588.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\588.#.exe
    PID: 2788
21. C:\Users\Admin\AppData\Local\Temp\991.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\991.#.exe
    PID: 2628
Network
MITRE ATT&CK Enterprise v15
Downloads