1126d9448c73a6c4cc1f5768f58f2c773eda5e7c067b7f7891627881458a4bc2

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Size

540KB
MD5

d2d5bda273a33dea2d46b1ff551bf52c
SHA1

6eb3bb72524ac8f34045245e2ad54454f941329f
SHA256

1126d9448c73a6c4cc1f5768f58f2c773eda5e7c067b7f7891627881458a4bc2
SHA512

af8fb47c178a1ac4b854a6eb2aa3756c4bd09e63794d489cfa800af2540f1249ea5757ca34612c13bef8aacf8f843450b001a6b872a86b29ddcdf7fa5b172387
SSDEEP

12288:LMg1Q3ZJw/fNT8Occmh38qY4kNNGtZMCl3jHq:QsQ37wXNJccYiMtZnl3jH

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	tcpsvcip.exe
264	tcpsvcip.exe

Loads dropped DLL 2 IoCs

pid	Process
2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tcpsvcip.exe	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\set.ini	tcpsvcip.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpsvcip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpsvcip.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Version\ = "1.0"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\VersionIndependentProgID\ = "MSScriptControl.ScriptControl"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\ = "ScriptControl Object"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\MiscStatus\1\ = "132499"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\ProgID	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Programmable	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\ToolboxBitmap32\ = "\"C:\\Windows\\SysWOW64\\msscript.ocx\",102"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Control	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\MiscStatus\ = "0"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\VersionIndependentProgID	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msscript.ocx"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\ProgID\ = "MSScriptControl.ScriptControl.1"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Version	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Implemented Categories	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\MiscStatus	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\TypeLib	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\InprocServer32	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\MiscStatus\1	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\ToolboxBitmap32	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{064D3F52-9BF0-4CEC-6923-65D7692365D7}\InprocServer32\ThreadingModel = "Apartment"	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Token: 33	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	30
PID 2572 wrote to memory of 3052	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3052	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3052	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3052	2572	d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d2d5bda273a33dea2d46b1ff551bf52c_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\tcpsvcip.exe
    "C:\Windows\system32\tcpsvcip.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3052

C:\Windows\SysWOW64\tcpsvcip.exe
C:\Windows\SysWOW64\tcpsvcip.exe luomin
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\tcpsvcip.exe

Filesize
39KB

MD5
6881cdba8ad96a92359473efa64ad855

SHA1
4a6e5362a8c6b9d091e2e57a5b9571d4700da9cf

SHA256
83eae1f3f769c4948cee0669931735bcd75e84d8a5d86c8cb2f631bee448053d

SHA512
f11320cba27db1e0bfd36a8cc46ccc0d8223908b6a6bd92899323509953b817127a48e617fc297eb5ba36be272bc5b5177bab45e80b2b3d6d2638659befa7462

Download Submit
memory/264-32-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2368-1-0x0000000000250000-0x000000000030F000-memory.dmp

Filesize
764KB

Download
memory/2368-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2368-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-4-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/2572-9-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-10-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-14-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/2572-13-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-12-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-16-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-11-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-19-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/2572-3-0x000000000045F000-0x0000000000460000-memory.dmp

Filesize
4KB

Download
memory/2572-27-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/2572-26-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/2572-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3052-31-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download