178932bd601a343e4d336ddfd0543baece4becc7b35869fe2ae7431243724758

Analysis

max time kernel
148s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Size

420KB
MD5

bc5ed93a16efb2f651e1f11ca5f63af6
SHA1

6dd5f69073ddb90f5bd31513c9246416ee15e51f
SHA256

178932bd601a343e4d336ddfd0543baece4becc7b35869fe2ae7431243724758
SHA512

29b8ae7b825ee3e0e9270f1cede229d5a1ee3b9338b7d53687b8e98c566a041a8a63d1c3005a302678e7605216c619e44e877d31c0a5a5da588f7d23165e3ead
SSDEEP

6144:J/0uoMI62w243WiGOeriNeAHS6ODHmAu2thUz00acEzcnWIXMbx9VWcFHk:JJ73WZmNfy6ODGTaUg/AWIXs5WoE

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2236	ENJOY-~1.EXE
2728	enjoy-soft1.exe
2528	ENJOY-~1.EXE
2860	Setup.exe
2516	Utility Mang.exe

Loads dropped DLL 10 IoCs

pid	Process
3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
2236	ENJOY-~1.EXE
2236	ENJOY-~1.EXE
2728	enjoy-soft1.exe
3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
2528	ENJOY-~1.EXE
2728	enjoy-soft1.exe
2860	Setup.exe
2860	Setup.exe
2860	Setup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000195f7-2.dat	upx
behavioral1/memory/2236-7-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2236-10-0x0000000000240000-0x0000000000266000-memory.dmp	upx
behavioral1/memory/2236-21-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2528-54-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Uer.BAT	Setup.exe
File created	C:\Windows\Utility Mang.exe	Setup.exe
File opened for modification	C:\Windows\Utility Mang.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENJOY-~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enjoy-soft1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENJOY-~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utility Mang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Utility Mang.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\System	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Utility Mang.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	Utility Mang.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2516	Utility Mang.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2236	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 2236 wrote to memory of 2728	2236	ENJOY-~1.EXE	31
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2528	3036	bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe	32
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2728 wrote to memory of 2860	2728	enjoy-soft1.exe	33
PID 2516 wrote to memory of 2588	2516	Utility Mang.exe	35
PID 2516 wrote to memory of 2588	2516	Utility Mang.exe	35
PID 2516 wrote to memory of 2588	2516	Utility Mang.exe	35
PID 2516 wrote to memory of 2588	2516	Utility Mang.exe	35
PID 2860 wrote to memory of 2568	2860	Setup.exe	36
PID 2860 wrote to memory of 2568	2860	Setup.exe	36
PID 2860 wrote to memory of 2568	2860	Setup.exe	36
PID 2860 wrote to memory of 2568	2860	Setup.exe	36
PID 2860 wrote to memory of 2568	2860	Setup.exe	36
PID 2860 wrote to memory of 2568	2860	Setup.exe	36
PID 2860 wrote to memory of 2568	2860	Setup.exe	36

C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe
    "C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\Uer.BAT
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2528

C:\Windows\Utility Mang.exe
"C:\Windows\Utility Mang.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Uer.BAT

Filesize
132B

MD5
aaf8434df1f8c6c6ed749ab01d1c22c6

SHA1
fa41fb89750fdeb128237140bcf4a0b8752f05ea

SHA256
be4ea232c5a9877e3c943a4738b18a8a4ec605a9a0562c00e89967f451769a0b

SHA512
bba9f6c1f4a63fcc756a05fa5ab900b28fa16ea7a7fd7342333073bcbcb1d9d36f2705a3d8a0b2b0c5d9466804ab7c0e1451d1c092b7acfd424d0ab6cc3266cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE

Filesize
366KB

MD5
a22dfb0055131ddaf228e3d0a35948fd

SHA1
8097dbb30cf73bc88146882a3a77d9e7fec0b93b

SHA256
f487ccc4f8c3d1ca61421ee17e4bbcbe6a6fa562640595162029fc1e15404177

SHA512
e7502c82c81c519eff1c8b0a31d819c9f4de2d96bb240f8b79a2a043b380428542522164afb7b270e04f07c28fe96334ff10925197e51414768d3237b79ee82d

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
603KB

MD5
e34bb36cd573d0b8f6600fa74d55319b

SHA1
3ca8b1f5f68bb05367af57efad823e01d163c599

SHA256
2d015636a64b4fb5545577da672d055376239db5c2d9d79bcbf4cd1b60972dae

SHA512
32df80f123ed79753a9a096333017069277d08cf6800082a23b3afd0f7c0e8136ce417a821e793e5b7d41897cfcc092037f1fd9f08a4629409d483a960d2b823

Download Submit
\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe

Filesize
355KB

MD5
2cd5631e374dfaa51252bcc2d39a514d

SHA1
cb5bdf1b92f48ad9c1401550b76293d750f23fc4

SHA256
bdad534481f11ec5384e28993d8080b7f8152347e723056354e9d2622424aa7c

SHA512
91ff61d83d8e1b8475f87d2d7565a23bd1b03904959311f112eec17cd23b5174f4320f66cc2d364a0146f1c78df0443834619b2cb0a95fc941cceb1566807964

Download Submit
memory/2236-10-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/2236-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2236-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2516-56-0x0000000000400000-0x00000000004A498C-memory.dmp

Filesize
658KB

Download
memory/2528-28-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/2528-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2728-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2860-50-0x0000000000400000-0x00000000004A498C-memory.dmp

Filesize
658KB

Download
memory/3036-24-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/3036-6-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/3036-52-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/3036-53-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads