9c41259717f6e7712a1e4ea9c2d494beaa72960442b7d8bbe360dda6506a8830

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
Size

47KB
MD5

bc4d5bb18d3718dba0ff6ccd1634e58e
SHA1

a9a1a2cb89009518d3ef360a58b8727420fd7ab2
SHA256

9c41259717f6e7712a1e4ea9c2d494beaa72960442b7d8bbe360dda6506a8830
SHA512

a1de3611f0c98b55d44015f358ca8242a69e0cf47e976aec247c30bb813564ce865dadf176886e0d6eb3fd7e6f9fa2c2950a56f53f368e9674a6ffc0cd121455
SSDEEP

768:1GGPUEF9nQ2CU2d0hpSNhy3abcPyO08vzHdNRY/q9uieZD4wRMtNbYXH2V9D:19dRCU+0hpCNoPXvz9NW/q9uieZD4Wzs

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\aqpbvc.exe comsysapp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\aqpbvc.exe comsysapp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\aqpbvc.exe comsysapp"	regedit.exe

Deletes itself 1 IoCs

pid	Process
3652	rundll32.exe

Loads dropped DLL 9 IoCs

pid	Process
1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
3600	rundll32.exe
3600	rundll32.exe
3600	rundll32.exe
3600	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\aqpbvc.exe	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\aqpbvc.exe	rundll32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\aqpbvc.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3628	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1244	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1944	1244	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	30
PID 1244 wrote to memory of 1944	1244	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	30
PID 1244 wrote to memory of 1944	1244	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	30
PID 1244 wrote to memory of 1944	1244	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	30
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 1944 wrote to memory of 3600	1944	bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe	31
PID 3600 wrote to memory of 3628	3600	rundll32.exe	32
PID 3600 wrote to memory of 3628	3600	rundll32.exe	32
PID 3600 wrote to memory of 3628	3600	rundll32.exe	32
PID 3600 wrote to memory of 3628	3600	rundll32.exe	32
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33
PID 3600 wrote to memory of 3652	3600	rundll32.exe	33

C:\Users\Admin\AppData\Local\Temp\bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bc4d5bb18d3718dba0ff6ccd1634e58e_JaffaCakes118.exe" TWO
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\aqpbvcreg.dll",polmxhat
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\aqpbvcreg.reg"
      4⤵
      Sets service image path in registry
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3628
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\aqpbvc.dll",polmxhat
      4⤵
      Deletes itself
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqpbvcreg.reg

Filesize
1KB

MD5
b9ef43e9a4984e5a7d2ca86ed994b17f

SHA1
994901dbc13b1143c4c813ca42a6b3e9f6eafbc4

SHA256
677a242a89720f094e2e607c8dec0f4a136ea60e6267c07ef6a23a004530c2b4

SHA512
126f06f8a1e3e6fed4a6324c701522e0e1c6b48192b0f0b5e8cdc574dbdb1c882c3069446dcc1dbb271048cdf3ed0d157b665de2008d78491294fa981b5f0981

Download Submit
\Users\Admin\AppData\Local\Temp\aqpbvc.dll

Filesize
48KB

MD5
1ef61df1f33549b57f5e81a1095e3d56

SHA1
01c890d044ecf8ec73b4b9728130e0912d7c5441

SHA256
b0a1f6f574bcab07880c3c9c26e68c6da2bb4021e1f6e5759ae4a00f6d3054a6

SHA512
e3a60cc957cf57bb2af49e88e6cc1afe6db7da5f0fa71ee4909bd06b2a7cce433d1a86f69925b50f2fef122aaad2b5debea324fd8a6a045ed84a23301a7b94a1

Download Submit