48e57b12313b12037ba091db96400ebf378df395604f5cb1e0d92731ce8f8b17

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
Size

165KB
MD5

d389970080fef743e933eef3d587bf1c
SHA1

d339440645149a96cc72954a6c4c206be69a9ba8
SHA256

48e57b12313b12037ba091db96400ebf378df395604f5cb1e0d92731ce8f8b17
SHA512

15d96b09933cc3f957f1eed92717ab3fe166587858b81d856f764d5e6bac24bfaa5f2e40c5ca79deb6ea8d1a578b4d98b35ffab8b84b12b143c440f0fd09452e
SSDEEP

3072:YVjIwa4frcMU0xS2BsKb2E6XrYL0tP/rcCPXMqm6FZA3BUXOfTPuhSk39Md9fKu8:Zwa4g7YD2ns0tPLcqmj2hSy6fKuKF

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2812	tposdsvc.exe
2228	Breathe.dat
3004	TPONSCR.exe
2568	SVCHOST.EXE

Loads dropped DLL 4 IoCs

pid	Process
2812	tposdsvc.exe
2812	tposdsvc.exe
2812	tposdsvc.exe
2812	tposdsvc.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/files/0x002b0000000171a9-5.dat	upx
behavioral1/memory/2812-12-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/files/0x0006000000017553-20.dat	upx
behavioral1/memory/3004-38-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2228-36-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2812-33-0x0000000002280000-0x00000000022C0000-memory.dmp	upx
behavioral1/files/0x000700000001754e-28.dat	upx
behavioral1/memory/2812-27-0x0000000002240000-0x000000000227C000-memory.dmp	upx
behavioral1/memory/2228-41-0x00000000003E0000-0x00000000003EF000-memory.dmp	upx
behavioral1/files/0x0006000000017559-44.dat	upx
behavioral1/memory/2568-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2240-51-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2812-54-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2240-55-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2228-57-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/3004-58-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2568-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ThinksPower = "C:\\Windows\\TPOSDSVC.exe"	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ThinksPower = "C:\\Windows\\TPOSDSVC.exe"	tposdsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SVCHOST.EXE	Breathe.dat
File opened for modification	\??\c:\windows\tposdsvc.exe	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
File created	\??\c:\windows\tposdsvc.exe	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
File opened for modification	\??\c:\windows\tposdsvc.exe	tposdsvc.exe
File created	\??\c:\windows\tposdsvc.exe	tposdsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tposdsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Breathe.dat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPONSCR.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	SVCHOST.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE
Token: SeIncBasePriorityPrivilege	2568	SVCHOST.EXE
Token: 33	2568	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2812	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2812	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2812	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2812	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2228	2812	tposdsvc.exe	31
PID 2812 wrote to memory of 2228	2812	tposdsvc.exe	31
PID 2812 wrote to memory of 2228	2812	tposdsvc.exe	31
PID 2812 wrote to memory of 2228	2812	tposdsvc.exe	31
PID 2812 wrote to memory of 3004	2812	tposdsvc.exe	32
PID 2812 wrote to memory of 3004	2812	tposdsvc.exe	32
PID 2812 wrote to memory of 3004	2812	tposdsvc.exe	32
PID 2812 wrote to memory of 3004	2812	tposdsvc.exe	32
PID 2228 wrote to memory of 2568	2228	Breathe.dat	33
PID 2228 wrote to memory of 2568	2228	Breathe.dat	33
PID 2228 wrote to memory of 2568	2228	Breathe.dat	33
PID 2228 wrote to memory of 2568	2228	Breathe.dat	33
PID 2240 wrote to memory of 3036	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	35
PID 2240 wrote to memory of 3036	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	35
PID 2240 wrote to memory of 3036	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	35
PID 2240 wrote to memory of 3036	2240	d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d389970080fef743e933eef3d587bf1c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- \??\c:\windows\tposdsvc.exe
  c:\windows\tposdsvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\Breathe.dat
    C:\Users\Admin\AppData\Local\Temp\Breathe.dat
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SVCHOST.EXE
      "C:\Windows\SVCHOST.EXE"BNEHETETEPCNCCCCETEJCECBEPEIENEGEAEKCBECEOEMCNCECDCDCGCCETEJCCCDCHCDCMCBEHETEMELFBCJCDCDCDCDCDFBCECICGCDCDCDCDCDCDFBCEFB
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\TPONSCR.exe
    C:\Users\Admin\AppData\Local\Temp\TPONSCR.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D38997~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Breathe.dat

Filesize
75KB

MD5
b193b70c59aca88a2d38b0893216cbbd

SHA1
380248073cf59f12e94c6e1cb1467beb95b52338

SHA256
7f88fc6722837c0e232693067b5dbba5dc8c2d9beead78909eba01bea8aba4f0

SHA512
331549140870a373862b3a2da3097ad7e2d18c79311830a81268cba21ce67f028498e00ebe70e53245477e246629cfe4259270cba3d4ba0927d34a790e56c9d5

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
17KB

MD5
8665728e1e2b1c19f649bfb3aecf55f3

SHA1
bfdca780cbbaea63f4ee0fe3e4afbe5728b866e2

SHA256
7356dc7b6a49668aca0075f525ca197ea137fd3b3fa321a648b8a390101385ab

SHA512
489d74834ea3181e534dfab6a3e56a3ed38cc59029468228f2992dd8fac5ba18e86ce257393ae4762c3855778117d1eb4c645dbd5249984c55d09676845668a6

Download Submit
C:\Windows\tposdsvc.exe

Filesize
165KB

MD5
d389970080fef743e933eef3d587bf1c

SHA1
d339440645149a96cc72954a6c4c206be69a9ba8

SHA256
48e57b12313b12037ba091db96400ebf378df395604f5cb1e0d92731ce8f8b17

SHA512
15d96b09933cc3f957f1eed92717ab3fe166587858b81d856f764d5e6bac24bfaa5f2e40c5ca79deb6ea8d1a578b4d98b35ffab8b84b12b143c440f0fd09452e

Download Submit
\Users\Admin\AppData\Local\Temp\TPONSCR.exe

Filesize
82KB

MD5
81cc5b1ed9fe1cc742de9e829dc5f62e

SHA1
21c06f596b8f8f35cf48214ca8d0e6bd979e863d

SHA256
0ddd9f50196b066e5fa03efc167d7e743c0f2ca217a75ef8d3f126799e28f3fd

SHA512
19ab59b44d7ab6f3fde9f667a98c4e47deb954bdd1698cae4cb1601d508f13cc2436ddc9424b8bdec7a8d16b7f340817f59584b892e15fa3042e0881afa93061

Download Submit
memory/2228-46-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2228-41-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2228-59-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2228-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2228-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-10-0x0000000001EE0000-0x0000000001F13000-memory.dmp

Filesize
204KB

Download
memory/2240-53-0x0000000001EE0000-0x0000000001F13000-memory.dmp

Filesize
204KB

Download
memory/2240-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-52-0x0000000001EE0000-0x0000000001F13000-memory.dmp

Filesize
204KB

Download
memory/2240-11-0x0000000001EE0000-0x0000000001F13000-memory.dmp

Filesize
204KB

Download
memory/2240-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2568-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2812-27-0x0000000002240000-0x000000000227C000-memory.dmp

Filesize
240KB

Download
memory/2812-33-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/2812-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-34-0x0000000002240000-0x000000000227C000-memory.dmp

Filesize
240KB

Download
memory/2812-56-0x0000000002240000-0x000000000227C000-memory.dmp

Filesize
240KB

Download
memory/2812-35-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/2812-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads