497672dab60854b17467d7e01d86e5c700107b806ce6f184abf0425770d12710

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
Size

218KB
MD5

c8d439a18c7f9b7012c905ee33c73d27
SHA1

cc9854482b3fd438ead81386db265b22bec849bc
SHA256

497672dab60854b17467d7e01d86e5c700107b806ce6f184abf0425770d12710
SHA512

c2dc99c5ada3ad7d72da5682fa7d85c638f3e58739cdc82ca2ea2841434a8fc738b383024e256b2332db3d3fd83e196456e81fb0fcfa1c8d599f7798da71ea02
SSDEEP

6144:ZJUvv6VR/NVTId+emMj91W2cu2MIv6VR/i:ZJEW/Dhebx1B2MIW/i

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
2520	msnplus.exe
2252	windows.exe
2740	windows.exe
2892	windows.exe
2652	windows.exe
2968	windows.exe
2696	windows.exe
1068	windows.exe
2300	windows.exe
2008	windows.exe
2020	windows.exe

Loads dropped DLL 22 IoCs

pid	Process
1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
2252	windows.exe
2252	windows.exe
2740	windows.exe
2740	windows.exe
2892	windows.exe
2892	windows.exe
2652	windows.exe
2652	windows.exe
2968	windows.exe
2968	windows.exe
2696	windows.exe
2696	windows.exe
1068	windows.exe
1068	windows.exe
2300	windows.exe
2300	windows.exe
2008	windows.exe
2008	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft System = "C:\\WINDOWS\\System32\\regedit.exe"	msnplus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Startup = "C:\\WINDOWS\\System32\\msnplus.exe"	msnplus.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	\??\c:\windows\SysWOW64\windows.exe	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	\??\c:\windows\SysWOW64\msnplus.exe	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnplus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	msnplus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	msnplus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	windows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	msnplus.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2520	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2520	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2520	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2520	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	30
PID 1980 wrote to memory of 2252	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	31
PID 1980 wrote to memory of 2252	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	31
PID 1980 wrote to memory of 2252	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	31
PID 1980 wrote to memory of 2252	1980	c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2740	2252	windows.exe	33
PID 2252 wrote to memory of 2740	2252	windows.exe	33
PID 2252 wrote to memory of 2740	2252	windows.exe	33
PID 2252 wrote to memory of 2740	2252	windows.exe	33
PID 2740 wrote to memory of 2892	2740	windows.exe	34
PID 2740 wrote to memory of 2892	2740	windows.exe	34
PID 2740 wrote to memory of 2892	2740	windows.exe	34
PID 2740 wrote to memory of 2892	2740	windows.exe	34
PID 2892 wrote to memory of 2652	2892	windows.exe	35
PID 2892 wrote to memory of 2652	2892	windows.exe	35
PID 2892 wrote to memory of 2652	2892	windows.exe	35
PID 2892 wrote to memory of 2652	2892	windows.exe	35
PID 2652 wrote to memory of 2968	2652	windows.exe	36
PID 2652 wrote to memory of 2968	2652	windows.exe	36
PID 2652 wrote to memory of 2968	2652	windows.exe	36
PID 2652 wrote to memory of 2968	2652	windows.exe	36
PID 2968 wrote to memory of 2696	2968	windows.exe	37
PID 2968 wrote to memory of 2696	2968	windows.exe	37
PID 2968 wrote to memory of 2696	2968	windows.exe	37
PID 2968 wrote to memory of 2696	2968	windows.exe	37
PID 2696 wrote to memory of 1068	2696	windows.exe	38
PID 2696 wrote to memory of 1068	2696	windows.exe	38
PID 2696 wrote to memory of 1068	2696	windows.exe	38
PID 2696 wrote to memory of 1068	2696	windows.exe	38
PID 1068 wrote to memory of 2300	1068	windows.exe	39
PID 1068 wrote to memory of 2300	1068	windows.exe	39
PID 1068 wrote to memory of 2300	1068	windows.exe	39
PID 1068 wrote to memory of 2300	1068	windows.exe	39
PID 2300 wrote to memory of 2008	2300	windows.exe	40
PID 2300 wrote to memory of 2008	2300	windows.exe	40
PID 2300 wrote to memory of 2008	2300	windows.exe	40
PID 2300 wrote to memory of 2008	2300	windows.exe	40
PID 2008 wrote to memory of 2020	2008	windows.exe	41
PID 2008 wrote to memory of 2020	2008	windows.exe	41
PID 2008 wrote to memory of 2020	2008	windows.exe	41
PID 2008 wrote to memory of 2020	2008	windows.exe	41

C:\Users\Admin\AppData\Local\Temp\c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8d439a18c7f9b7012c905ee33c73d27_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\msnplus.exe
  "C:\Windows\System32\msnplus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2520
- C:\Windows\SysWOW64\windows.exe
  "C:\Windows\System32\windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\windows.exe
    C:\Windows\system32\windows.exe 532 "C:\Windows\SysWOW64\windows.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\windows.exe
      C:\Windows\system32\windows.exe 528 "C:\Windows\SysWOW64\windows.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 536 "C:\Windows\SysWOW64\windows.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 540 "C:\Windows\SysWOW64\windows.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 548 "C:\Windows\SysWOW64\windows.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 544 "C:\Windows\SysWOW64\windows.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 560 "C:\Windows\SysWOW64\windows.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 556 "C:\Windows\SysWOW64\windows.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\system32\windows.exe 552 "C:\Windows\SysWOW64\windows.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windows.exe

Filesize
151KB

MD5
dc5d5cb528a44120a30c5bce90ba1f9e

SHA1
53dd156cab192488e40af613aa449004e2f89162

SHA256
b76e32478a2d82e778ba104344638a44f5fc447511bced91123de1e4b297644f

SHA512
14db907815fe02ff01c0665b280eff9e3312b2051fd7a220e29c01f5190ea1eac285f4687c3c7437e02800e17b684b324e4559ed4be3fbdd109bc19cf98043aa

Download Submit
\Windows\SysWOW64\msnplus.exe

Filesize
57KB

MD5
a73ade8c4edbfc99215a4f57e720a589

SHA1
022c99663f6801a6b126301f87f2b75d6f8f94d5

SHA256
14f84a9163c8495bae331ae39d2e0c09ea264b3208d7541d9e280b89237a343d

SHA512
94178db609a39929f5e8888669e0dc74b66b6f6c7d3bf947fe3e66562c463b490ac74b5859719b138a6ad588b0381ae30389d80d8de55d99262ec610daac34ae

Download Submit
memory/1068-63-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1980-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-76-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2020-82-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2252-24-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2300-69-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2520-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2652-43-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2696-56-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-30-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2892-37-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2968-50-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads