bb20e5cccdda326bbbbe93769f2d6f9376b22d77ac2b700f482f8781475a9eb9

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 17:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe
Size

89KB
MD5

d0217294cb34126c00166363d2b761d4
SHA1

2175176c26193f35374f1dab3787f15013f12cae
SHA256

bb20e5cccdda326bbbbe93769f2d6f9376b22d77ac2b700f482f8781475a9eb9
SHA512

5aa79a2f14ece86822cef4473f48a46ec6f2551c5d3d5bdb8c6b7d5ce25b964f3e3c8c7da24f3600eaf04ca9571e743f8e73ea7d54877e70d2493fcf99e69bbb
SSDEEP

1536:tP0XkV2OpqKBJ2625SCQtG372Na0CpZYwRw:htVZ7G372Nal7

Score

10^/10

discovery evasion execution persistence

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2568	Rundll32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Loads dropped DLL 9 IoCs

pid	Process
2772	Rundll32.exe
2772	Rundll32.exe
2772	Rundll32.exe
2772	Rundll32.exe
2568	Rundll32.exe
2568	Rundll32.exe
2568	Rundll32.exe
2568	Rundll32.exe
2568	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe
File opened (read-only)	\??\F:	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whwlbctb.dll	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jdambctb.dll	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2748	sc.exe
2100	sc.exe
1608	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2772	Rundll32.exe
2772	Rundll32.exe
2772	Rundll32.exe
2772	Rundll32.exe
2772	Rundll32.exe
2568	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2772	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2776	2772	Rundll32.exe	31
PID 2772 wrote to memory of 2776	2772	Rundll32.exe	31
PID 2772 wrote to memory of 2776	2772	Rundll32.exe	31
PID 2772 wrote to memory of 2776	2772	Rundll32.exe	31
PID 2772 wrote to memory of 2936	2772	Rundll32.exe	32
PID 2772 wrote to memory of 2936	2772	Rundll32.exe	32
PID 2772 wrote to memory of 2936	2772	Rundll32.exe	32
PID 2772 wrote to memory of 2936	2772	Rundll32.exe	32
PID 2772 wrote to memory of 2748	2772	Rundll32.exe	34
PID 2772 wrote to memory of 2748	2772	Rundll32.exe	34
PID 2772 wrote to memory of 2748	2772	Rundll32.exe	34
PID 2772 wrote to memory of 2748	2772	Rundll32.exe	34
PID 2772 wrote to memory of 2100	2772	Rundll32.exe	36
PID 2772 wrote to memory of 2100	2772	Rundll32.exe	36
PID 2772 wrote to memory of 2100	2772	Rundll32.exe	36
PID 2772 wrote to memory of 2100	2772	Rundll32.exe	36
PID 2776 wrote to memory of 2572	2776	net.exe	39
PID 2776 wrote to memory of 2572	2776	net.exe	39
PID 2776 wrote to memory of 2572	2776	net.exe	39
PID 2776 wrote to memory of 2572	2776	net.exe	39
PID 2936 wrote to memory of 2684	2936	net.exe	40
PID 2936 wrote to memory of 2684	2936	net.exe	40
PID 2936 wrote to memory of 2684	2936	net.exe	40
PID 2936 wrote to memory of 2684	2936	net.exe	40
PID 2772 wrote to memory of 1608	2772	Rundll32.exe	41
PID 2772 wrote to memory of 1608	2772	Rundll32.exe	41
PID 2772 wrote to memory of 1608	2772	Rundll32.exe	41
PID 2772 wrote to memory of 1608	2772	Rundll32.exe	41
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43
PID 2688 wrote to memory of 2568	2688	d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0217294cb34126c00166363d2b761d4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\whwlbctb.dll Exucute
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2572
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2684
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2100
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1608
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\jdambctb.dll Exucute
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\whwlbctb.dll

Filesize
58KB

MD5
30763ebfaff0473421206d5569c32a7b

SHA1
a643b405ef1f545bbae624109556e2c4d140134d

SHA256
6c7aeb8fef31a9bbb0730e509c82e1afb96cde86f2463eb23ce5e17b3ffcb3b4

SHA512
664597f61202fb3063299a26171afbc9f6e0b8a44f2edc755fb5b522f828d0c8b207ab84159fbb3904777f7e111b236bee8c103d3ecacb833e8bd68f685701dd

Download Submit
\Users\Admin\AppData\Local\Temp\EC90.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\jdambctb.dll

Filesize
20KB

MD5
26630355edc48414ca280c7cb61d5883

SHA1
cb52af12e093217ab2422a4270f884c298be68ae

SHA256
4e08867a74721bb32928e17d352721a1b4d32c1725b49858b8121c607b2a7e0c

SHA512
8df32824129d147b963f18b4264e6d05a4c201afaa83b2bb047d5943d0bf82401844d1c8e4541f9798e229163f343930db77f1bffcb732a52a1dd50548e944c7

Download Submit
memory/2688-9-0x0000000000A00000-0x0000000000A18000-memory.dmp

Filesize
96KB

Download