Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 14:07

Static task: static1

Behavioral task: behavioral1
  Sample: bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Size: 6.2MB
MD5: bec12049d6f62ae123ebfe16da23e621
SHA1: 7805c1de5b986c7a6e14954ea39a474355878adb
SHA256: 6e22d752ea8c85e6427bd81fcea004cb41d91210856483c772210700d983fc6d
SHA512: 190e3e2306de5a054d01b89a2ad124099b6692eae9d9255d052ce76cc93bdd016d6257c058d3ea75af20811cb8922b97c1e4fe58f2fd8f86374a0e28c47c9b0f
SSDEEP: 196608:5PfarYMRlp30bgwOGcjwppBR5dgI8H++:5KMMRlN0bgXGGwpj5gI8e
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe" | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | 1systemsmss.exe
Executes dropped EXE (7 IoCs)
pid | Process
2744 | 1systemsmss.exe
2692 | svnhost.exe
2552 | svnhost.exe
2632 | svnhost.exe
2972 | svnhost.exe
2376 | systemsmss.exe
2244 | systemsmss.exe
Loads dropped DLL (6 IoCs)
pid | Process
1848 | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
1848 | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
2744 | 1systemsmss.exe
2584 | cmd.exe
2972 | svnhost.exe
2972 | svnhost.exe
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\Zont911\Home.zip | 1systemsmss.exe
File created | C:\Windows\System64\vp8decoder.dll | 1systemsmss.exe
File created | C:\Windows\System64\vp8encoder.dll | 1systemsmss.exe
File opened for modification | C:\Windows\System64\svnhost.exe | 1systemsmss.exe
File created | C:\Windows\System64\systemsmss.exe | 1systemsmss.exe
File opened for modification | C:\Windows\System64\systemsmss.exe | 1systemsmss.exe
File created | C:\Windows\System64\1systemsmss.exe | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
File opened for modification | C:\Windows\System64\1systemsmss.exe | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
File created | C:\Windows\Zont911\Regedit.reg | 1systemsmss.exe
File opened for modification | C:\Windows\System64\vp8encoder.dll | 1systemsmss.exe
File created | C:\Windows\Zont911\Tupe.bat | 1systemsmss.exe
File opened for modification | C:\Windows\System64\vp8decoder.dll | 1systemsmss.exe
File created | C:\Windows\System64\svnhost.exe | 1systemsmss.exe
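The Winlogon and file-drop signatures above carry the hunt-worthy detail in this report. Windows reads Winlogon\Shell as a comma-separated list of programs to launch at logon; the sample changed it from "explorer.exe" to "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe", so the dropped binary is launched alongside the real shell at every logon of that user. Everything is staged under C:\Windows\System64, a directory that does not exist on a stock Windows install and is named to pass for System32 or SysWOW64. The Python below is an added example by the editor, not code from the report or from the sandbox: it parses event lines in the report's own rendering, flags Shell entries whose executable is not explorer.exe, and flags files written to a System32/SysWOW64 lookalike directory. The sample events are constructed from the IoCs above plus one benign control line; the function names and the line format are assumptions.

```python
"""Flag the Winlogon\\Shell persistence and the lookalike C:\\Windows\\System64
staging directory seen in the sandbox report.

Added example by the editor; not code from the report or the sandbox.
Input lines follow the report's own rendering of IoCs.
"""
import re
from typing import List, Optional, Tuple

# Windows runs every comma-separated entry of Winlogon\Shell at logon.
# On a workstation the only entry should be the real shell.
EXPECTED_SHELL = {"explorer.exe"}

# The only System*/SysWOW* directories that exist directly under C:\Windows
# on a stock install. Anything else of that shape (System64, SysWOW32, ...)
# is a lookalike.
REAL_SYSTEM_DIRS = {"system32", "syswow64"}

# "Set value (str) <key>\Shell = "<value>" <process>"; the key contains a
# space ("Windows NT"), so match lazily up to the \Shell leaf.
SET_VALUE_RE = re.compile(r'^Set value \(str\) (.+?)\\Shell = "(.*)" (\S+)$')
# "File created <path> <process>" / "File opened for modification <path> <process>"
FILE_RE = re.compile(r'^File (?:created|opened for modification) (\S+) (\S+)$')
# A directory directly under \Windows that looks like a system directory.
LOOKALIKE_RE = re.compile(r'^(?:[A-Za-z]:)?\\Windows\\(sys(?:tem|wow)\d+)\\', re.IGNORECASE)

# Constructed from the report's IoCs; the last line is a constructed benign control.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe" bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe',
    r'File created C:\Windows\System64\svnhost.exe 1systemsmss.exe',
    r'File opened for modification C:\Windows\System64\1systemsmss.exe bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe',
    r'File created C:\Windows\System32\Tasks\Update.job svchost.exe',
]


def parse_shell_value(raw: str) -> List[str]:
    """Split a Winlogon\\Shell string into its entries.
    The sandbox renders registry strings with doubled backslashes; undo
    that so the entries compare like real registry data."""
    unescaped = raw.replace("\\\\", "\\")
    return [p.strip().strip('"') for p in unescaped.split(",") if p.strip()]


def shell_findings(raw: str) -> List[str]:
    """Entries of a Shell value whose executable is not the expected shell."""
    return [e for e in parse_shell_value(raw)
            if e.rsplit("\\", 1)[-1].lower() not in EXPECTED_SHELL]


def lookalike_system_dir(path: str) -> Optional[str]:
    """Return the offending directory name when a path sits in a
    System32/SysWOW64 lookalike directly under \\Windows, else None."""
    m = LOOKALIKE_RE.match(path)
    if m and m.group(1).lower() not in REAL_SYSTEM_DIRS:
        return m.group(1)
    return None


def analyze(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, detail, process) triples for a list of event lines."""
    findings = []
    for line in events:
        m = SET_VALUE_RE.match(line)
        if m:
            _key, value, proc = m.groups()
            for entry in shell_findings(value):
                findings.append(("winlogon_shell", entry, proc))
            continue
        m = FILE_RE.match(line)
        if m:
            path, proc = m.groups()
            if lookalike_system_dir(path):
                findings.append(("lookalike_system_dir", path, proc))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

On a live host the same `shell_findings` check applies to the REG_SZ read from both HKLM and HKCU `Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`; the report shows the per-user key (\REGISTRY\USER\<SID>), which a process without administrative rights can write, so checking only HKLM would miss this sample.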
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systemsmss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1systemsmss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svnhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svnhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svnhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svnhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systemsmss.exe
Runs .reg file with regedit (1 IoC)
pid | Process
2816 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1848 | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe (64 identical events)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2692 | svnhost.exe
Token: SeDebugPrivilege | 2632 | svnhost.exe
Token: SeTakeOwnershipPrivilege | 2972 | svnhost.exe
Token: SeTcbPrivilege | 2972 | svnhost.exe
Token: SeTcbPrivilege | 2972 | svnhost.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2692 | svnhost.exe
2552 | svnhost.exe
2632 | svnhost.exe
2972 | svnhost.exe
Suspicious use of WriteProcessMemory (36 IoCs; each call appears four times in the raw log and is collapsed to one row below)
description | pid | Process | procid_target
PID 1848 wrote to memory of 2744 | 1848 | bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe | 30
PID 2744 wrote to memory of 2816 | 2744 | 1systemsmss.exe | 31
PID 2744 wrote to memory of 2584 | 2744 | 1systemsmss.exe | 32
PID 2584 wrote to memory of 2768 | 2584 | cmd.exe | 34
PID 2584 wrote to memory of 2692 | 2584 | cmd.exe | 35
PID 2584 wrote to memory of 2552 | 2584 | cmd.exe | 36
PID 2584 wrote to memory of 2632 | 2584 | cmd.exe | 37
PID 2972 wrote to memory of 2376 | 2972 | svnhost.exe | 39
PID 2972 wrote to memory of 2244 | 2972 | svnhost.exe | 40
Processes

[1] C:\Users\Admin\AppData\Local\Temp\bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bec12049d6f62ae123ebfe16da23e621_JaffaCakes118.exe"
    PID: 1848
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System64\1systemsmss.exe
        Command line: "C:\Windows\System64\1systemsmss.exe"
        PID: 2744
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regedit.exe
            Command line: "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
            PID: 2816
            - System Location Discovery: System Language Discovery
            - Runs .reg file with regedit

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Windows\Zont911\Tupe.bat" "
            PID: 2584
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com
                Command line: Chcp 1251
                PID: 2768
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\System64\svnhost.exe
                Command line: "C:\Windows\System64\svnhost.exe" /silentinstall
                PID: 2692
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\System64\svnhost.exe
                Command line: "C:\Windows\System64\svnhost.exe" /firewall
                PID: 2552
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\System64\svnhost.exe
                Command line: "C:\Windows\System64\svnhost.exe" /start
                PID: 2632
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System64\svnhost.exe
    Command line: C:\Windows\System64\svnhost.exe
    PID: 2972
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System64\systemsmss.exe
        Command line: C:\Windows\System64\systemsmss.exe
        PID: 2376
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\System64\systemsmss.exe
        Command line: C:\Windows\System64\systemsmss.exe /tray
        PID: 2244
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.1MB
MD5: bd458a26931f960f13958510e88a61a8
SHA1: be9fff29f269d649688e941e97ac03e669571837
SHA256: d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3
SHA512: afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Filesize: 378KB
MD5: d43fa82fab5337ce20ad14650085c5d9
SHA1: 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256: c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512: 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Filesize: 1.6MB
MD5: dab4646806dfca6d0e0b4d80fa9209d6
SHA1: 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256: cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512: aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Filesize: 11KB
MD5: 4803ac63a1fa3104bfb5a47e7d9cb491
SHA1: 73a4b0ed984b08c72f517230b7e65847f5f1061b
SHA256: 5e13554c986d006ec1a272ccec4cd02b4da2f538cc13e9ab35fa997ff4aa2d29
SHA512: c7dcef96a84d05b7a105dcb7dad75ac04dae201f5437289b8b5913796cff927c4a5296adcca1aa3171ed7e0d5a1e80ec970fedfb0e75248789cb3e661c9abc3f

Filesize: 281B
MD5: 691f040de6d335962416b319dcd416dc
SHA1: db49109c0917910f7fce8b6de690a1c7e2026226
SHA256: 605d0b9c2fd1972c4ee60d8eefd336be636884dcdf54a4e5f2829c46e80fdcea
SHA512: f34ba36bdeaa43a1265ec69acfa0f199f2b4d5d90b4ea890327478f4f48ec7597d660b922dd1e149de3a1ff9b48c79e4c9c53e8a482b4cb5842bc0976f93bf89

Filesize: 6.2MB
MD5: bec12049d6f62ae123ebfe16da23e621
SHA1: 7805c1de5b986c7a6e14954ea39a474355878adb
SHA256: 6e22d752ea8c85e6427bd81fcea004cb41d91210856483c772210700d983fc6d
SHA512: 190e3e2306de5a054d01b89a2ad124099b6692eae9d9255d052ce76cc93bdd016d6257c058d3ea75af20811cb8922b97c1e4fe58f2fd8f86374a0e28c47c9b0f

Filesize: 6.0MB
MD5: e437e8730f2163cba2552a5a374a885a
SHA1: 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256: dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512: e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445