Analysis

  • max time kernel
    123s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:35

General

  • Target

    c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    c073dc13278b3563542b80888b490e8f

  • SHA1

    1d6a54bf2ff1818931dcdc4235a4ada8247fc43d

  • SHA256

    078a4f6d1fc7ab17969f46111b4c9062ab54f21b214c7d2520b371f75be2ccf2

  • SHA512

    a4fde107254e3bbfb3c38ca7c0f25c5e2287a415fff2a6b0030c77304331c456f07eaec408363fd220ad38334976e4b76c03c9ebd457328f60574fa0605b23ea

  • SSDEEP

    6144:Ysui+5LM8X2TosROoVtW7vhOuw/TPhoS:YsGS1VtW7vhOuw/7hoS

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c073dc13278b3563542b80888b490e8f_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2744
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2628
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2704
    • C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
      C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2980
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2364
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2072
      • C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
        C:\Users\Admin\AppData\Local\Temp\kyw41f.exe -d4350F11B08CF16C9DE2FDAFD5B1F2AD8B6605C25005B0195264F6F10D83081EBCAB35676EE9B1D739BE22F87B7FC04275C9FC921983399C5360FB5C9A9D6244D9F19A00CB9ABC72A7F84DF569261B3A196904C3C7EF59B9E18BC51240AFC69129BCC424D0926319233F2F0A5DC1F6334DC167B4CF1BD4471182A672C8AFA9F5BD8D1F24BC083B708A094A5F1C711810FE73B2AD573731040BC3B5D3EFB1651B6B0E8A525FD8CF8E0EF8685CEC36DBA25B0DE6ED3C5D5BD75D0DCD85D6F2B4DA8B9C4909A2469D03C890854CD8201FCA970DE9DCEE8D347C85ABFBC3335879F49CF1E28D0D3675C9817F91781F5337337A1E54B531C6FEC55A50B2FB7E01B96FE09D62289ED75F9668279133F4C018C4BFB654E0AE3C128B53A0D95DC40F9BD97C19A738592D94377F2B9CDB3F8F7F40377BDBA7DFF82B99AE1D394EF651BE28C8FDE4F3923F219A4D2D30A50AB6F99514E73E4AE6FEF9B4BA4DE1166A24F118E4D392D60420C974BC9C9D0AF5684A720FA0C623974F00C51CAE5314B872A995C1420C027CF911AF1C28F62ED29DA8B2733250822918F88F9DF1B58C7E5E3051E3D65FF4CEC763F65E44447C99644F228F192EC0286CACD39
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2640
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1032
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2432
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2060
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:792
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2932
      • C:\Users\Admin\AppData\Local\Temp\kyw41f.exe
        C:\Users\Admin\AppData\Local\Temp\kyw41f.exe -d05164EA4F63167B80BFAA780F1B5AA58E731641D0358D94D6C05DFA0AD45BFD54831DFFF3045ED83DAA318B0FEB55D7E4380F21A6EC55509C0F98CF0B3CC8EE737B1FF530F1D967B0FF4E76E44B77361454320504BC0897ABD08CDA849A0BDC9D6B49F82BF94DB704085530701D7356E12DD7D59E9A08DBE173285C8CCBA36F4696EEF43ADEC75A64273DF86B1622D510EEDDCCDD3DDBCF3C54FD4B0D92920FB7721601D87E85E4728484A0012B7248ADFB54CE2D7F4AD68FAF01B8A4D7AE537C446A4A2396ECE244A3E961A21B122676AC02063023D39B62CC9FC7345F72EC95585ACA5F0413DFE3AC904931AC27025D3E5E8F6A1D97BC210B957CF1FF2E48E7080A805199E67D3CF21142D7A3D984B7FD275304071CA669BA84D0C76D8300898C60AE26223426D1D2B89E5FFEE629A15CDD81EADC2C0E20243403428A57B1094C983FAB76F08B57A876238A56AD81078456228F57535E5BAC0D0A752BF6DF2681C034E450B33EF7A7AE19EAB7942C5CE38A4FF65E1431E7758DEA451FCF134586CBB5C79277B90F2BF87088B782A867B6D705A8997433230F48C13C2C42F27EBB71EA20163D989F865154504A458B92546D53B307CCE3A
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1516
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2212
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2732
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2124
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1996
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2596
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\xq4xr07wv.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kyw41f.exe

    Filesize

    200KB

    MD5

    c073dc13278b3563542b80888b490e8f

    SHA1

    1d6a54bf2ff1818931dcdc4235a4ada8247fc43d

    SHA256

    078a4f6d1fc7ab17969f46111b4c9062ab54f21b214c7d2520b371f75be2ccf2

    SHA512

    a4fde107254e3bbfb3c38ca7c0f25c5e2287a415fff2a6b0030c77304331c456f07eaec408363fd220ad38334976e4b76c03c9ebd457328f60574fa0605b23ea

  • C:\Users\Admin\AppData\Local\Temp\xq4xr07wv.bat

    Filesize

    218B

    MD5

    d36b1960630a883513d357dfc80bf6b4

    SHA1

    fdca99228df2dea2cf2e47753f79c54b091f71b7

    SHA256

    d9fc6641f9a60c4473512bf8e41eb1a5d79b94ff9d68e27925b907fbb09bf2b6

    SHA512

    4e5794197147c357b682a0bd6013e0dd4a1adbad72d1b7b4211496a3e7807feac97a1e2cd5c78a8f92e6cb39d7afcdd142433933faa272fcd2c555bf16270992

  • memory/1516-48-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1516-47-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1516-46-0x0000000003050000-0x0000000003B0A000-memory.dmp

    Filesize

    10.7MB

  • memory/1956-25-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1956-14-0x0000000005650000-0x0000000005688000-memory.dmp

    Filesize

    224KB

  • memory/1956-0-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1956-3-0x0000000002F60000-0x0000000003A1A000-memory.dmp

    Filesize

    10.7MB

  • memory/1956-15-0x0000000005650000-0x0000000005688000-memory.dmp

    Filesize

    224KB

  • memory/2056-37-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2056-34-0x00000000031C0000-0x0000000003C7A000-memory.dmp

    Filesize

    10.7MB

  • memory/2056-31-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2056-36-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2832-35-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2832-42-0x0000000004590000-0x00000000045C8000-memory.dmp

    Filesize

    224KB

  • memory/2832-17-0x0000000002FA0000-0x0000000003A5A000-memory.dmp

    Filesize

    10.7MB

  • memory/2832-16-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2832-30-0x0000000005760000-0x0000000005798000-memory.dmp

    Filesize

    224KB