8f4a57ee6a05931d82a004b550da1a74aa7fd8e304187ad4a2a12d528f3a675b

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe
Size

263KB
MD5

c7ec37391178150012ae735dc3abee6d
SHA1

345183c486b0804fcebdbe3c3bc29b904428b321
SHA256

8f4a57ee6a05931d82a004b550da1a74aa7fd8e304187ad4a2a12d528f3a675b
SHA512

821e0cb4e5b507d634a2e77f559444e32406b29b2622c1fa963f9c8ef791f88284e451ed080e48046665cda667b017828b75c7f491b0bbb7ad1861f4bc9709b0
SSDEEP

6144:ZQw50E5dmhLlCVb2UkV2kLJglqQbIjrzAws8d1x:e5mwhls6UkPLipbw0wp

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	yalwtnq.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe
2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2908-18-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x0008000000016dc7-15.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\yalwtnq.exe \\u"	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\secupdat.dat	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	yalwtnq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2896	2908	yalwtnq.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yalwtnq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2908	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2908	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2908	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2908	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2632	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2632	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2632	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2632	2772	c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33
PID 2908 wrote to memory of 2896	2908	yalwtnq.exe	33

C:\Users\Admin\AppData\Local\Temp\c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7ec37391178150012ae735dc3abee6d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\yalwtnq.exe
  \u
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1281.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1281.bat

Filesize
117B

MD5
7e3756788b110fa485274a308cfa8a08

SHA1
16e928f6a45c1aa0a397fa8ede25be9dd957c35d

SHA256
8ab37ffe40e47bde2e5b857058a8ebe819856cf4977a8ccb64df40cd720fa57c

SHA512
44c9980df3250082ec6d3591ee322e3f4eb2ea8144c939b1fd37764313e320449f4d99185c0fa5394b0a2784f2b781abf2f204427e291b7c61807dc22722189b

Download Submit
C:\Users\Admin\yalwtnq.exe

Filesize
19KB

MD5
2ca219ed3b56a820c3351d615edd951b

SHA1
b94cee70f69981198caf030ee4693a57c3b19ef2

SHA256
48ac6970f3cfe35e9385223792371412a5677f20ed31e569ab7e1c5422c92193

SHA512
a3cf0bebd6d335f51d04671eed1caf2734c670b7e53c6c685f32064971986328e46c9581abd4a77690c8a6c9a4263c0b4af63c59d1f96844a2dea6784bc5b18b

Download Submit
C:\Windows\SysWOW64\secupdat.dat

Filesize
70KB

MD5
3a33f16c29f6f6118ec4889fe6f44e63

SHA1
08d5421805030769834a7368d06c8edd58b16f81

SHA256
74efec74d9189a90e822a1d3961102454ca1f0447560bd9b605184fd01f7f944

SHA512
a0541c26ed7aae9d2c7916996e0a138db71723a0f8a8ad05d71ed4b31be7867a8a08cdc537ced6ba764169d976821da09a05f7ed7a0aff4c6d781d310d9c66c5

Download Submit
memory/2772-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2772-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2772-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2772-17-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2772-16-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2772-27-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2896-55-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-90-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-33-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-34-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-35-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-36-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-37-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-56-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-59-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-54-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-53-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-52-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-51-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-50-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-49-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-48-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-47-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-46-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-45-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-44-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-43-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-42-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-41-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-40-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-147-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2896-31-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-38-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-39-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-57-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-58-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-91-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-32-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-89-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-88-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-87-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-86-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-85-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-84-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-83-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-82-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-81-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-80-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-79-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-78-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-77-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-76-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-75-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-74-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-73-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-72-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-71-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-70-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-69-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-68-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-67-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-66-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-65-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-64-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-63-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-62-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-61-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2896-60-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2908-18-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2908-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2908-29-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads