4dcbe8b15e0ee97161e3dbd754d51306c6080a09aa613588ba58a05d6ec87fb0

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe
Size

540KB
MD5

d0bf082b6fa86397d21de881f51782c8
SHA1

04bee51904dd5296447c78aea94f8ef902889787
SHA256

4dcbe8b15e0ee97161e3dbd754d51306c6080a09aa613588ba58a05d6ec87fb0
SHA512

544e743f5c484d6b7d003318caa79ddd5cbf61aedadde802be4eaa0cb99a8c10fadd5af76f07fd3ba5527b3586ecebef2cb891d9762f1986008032bbfb8630b1
SSDEEP

12288:tO0JRpI6W52V+DjWAgPD9RiuzLnmO8ilaYjcgAiJAiYuCXm:AOWzDjWA+TiuzLnmO8ilaYjcriJAiYnW

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7KOJN26H-1U22-2QPE-E616-8SH3P2Q4A3U7}\StubPath = "C:\\Windows\\System32\\Defender.exe.exe Restart"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7KOJN26H-1U22-2QPE-E616-8SH3P2Q4A3U7}	iexplore.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe
2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\System32\\Defender.exe.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\System32\\Defender.exe.exe"	iexplore.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Defender.exe.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\Defender.exe.exe	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	svchost.exe
2720	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	svchost.exe
Token: SeDebugPrivilege	2720	svchost.exe
Token: SeDebugPrivilege	2720	svchost.exe
Token: SeDebugPrivilege	2720	svchost.exe
Token: SeDebugPrivilege	2952	iexplore.exe
Token: SeDebugPrivilege	2952	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2576	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2576	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2576	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2576	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2976	2576	csc.exe	32
PID 2576 wrote to memory of 2976	2576	csc.exe	32
PID 2576 wrote to memory of 2976	2576	csc.exe	32
PID 2576 wrote to memory of 2976	2576	csc.exe	32
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2720	2568	d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe	33
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34
PID 2720 wrote to memory of 2952	2720	svchost.exe	34

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:612
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1640
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:496
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:768
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:840
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2320
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2212
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d0bf082b6fa86397d21de881f51782c8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rw1bt39k.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF05.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAF04.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2976
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAF05.tmp

Filesize
1KB

MD5
fa4da3b6885a08bb300fb93c1fb524fd

SHA1
def6bbf63b5cb968376ff83f0a2f2879de2aec6b

SHA256
aacbc36991d0ab65a29422f85db56763e8dfac98c263d6b5b33faddd743ebd1f

SHA512
06f8f3f213b079f0b151ac9790a18530782a6c604c751ba641a175d2faeef9de83e4ebfde26cd1ba5221bb2de648fe15399c72a2b4af84d0095ec07d4241f308

Download Submit
C:\Users\Admin\AppData\Local\Temp\rw1bt39k.dll

Filesize
5KB

MD5
e20c69e09f8ffc1be8b65adfa9fb448e

SHA1
4dbf1a986f831379f99f12249df188cd3d280eb1

SHA256
a23e814ca99e81e784ba06171fb6bfeee048554638a4e71f1800c7b5e8c282a4

SHA512
9d72478b19f5b48d98414ddec652cf2dcbc9866db6edd2f99e9ea36932a0819e9c7dc76e066064f3f473f7f607d06923c3c4435dc9016590406f765ac7d691d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAF04.tmp

Filesize
652B

MD5
c48209dddd6ef34a752a844aacfc703c

SHA1
b88d778f240a400105524c4ab90d898b9f9da7ab

SHA256
7e20505853706fac03683e6ec576357968a190340acbb366ceded1b6f07a8fd1

SHA512
ea2dee8c6a8fb6278f04fc1fc9e500a326e5d63955c8405612b520dc0bfebbae703940009058edd423496e52cf756f7fc9053192a70b89558c6dc92536451961

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rw1bt39k.0.cs

Filesize
4KB

MD5
2216d197bc442e875016eba15c07a937

SHA1
37528e21ea3271b85d276c6bd003e6c60c81545d

SHA256
2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

SHA512
7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rw1bt39k.cmdline

Filesize
206B

MD5
40762edb956c0b0012840456fa0c3261

SHA1
4abcbbf866ca27f7346e3f42a60e1138d89936e5

SHA256
a1abdeee868ce05005680ed8b613ab701208f507e097243bb3dffa40969537e1

SHA512
0e3ef471027613e6c788a6504589cb9ef5aa192d6830e1f7bdae74035be6b14ef250ba90828ec40a4f27b6a84f5b9221df1fa971f110300553a81aff021d8e7d

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
12KB

MD5
ff9b996b9ade7d195f1987ac14942bb5

SHA1
e4ad29fe240cdf1757a6bbecafe5b603b4f197b8

SHA256
b730bb91e6ed17be27f9badd4b41398020b5ef50b26bd702a92e92cf53e5edf4

SHA512
48d4201f8b43ed4fb1d678253cde247693f5e73b0df7e7b32ad6652c2cb01b9ec12744c9a9bce0114558d9a0a0dc28efd948172a6ea8c301262661d2492eb202

Download Submit
memory/256-71-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2568-0-0x00000000743E1000-0x00000000743E2000-memory.dmp

Filesize
4KB

Download
memory/2568-2-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-1-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-45-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-9-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-16-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-35-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-48-0x0000000010410000-0x0000000010441000-memory.dmp

Filesize
196KB

Download
memory/2720-56-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2720-57-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2720-63-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2720-64-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2720-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-70-0x0000000010450000-0x000000001045A000-memory.dmp

Filesize
40KB

Download
memory/2720-10612-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download