eb6e6cdc1938ce18d7ab7b222ef38e6c82ccc78244f63b93d2b94c46c8ad12e2

Analysis

max time kernel
142s
max time network
153s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe
Size

182KB
MD5

d49024573cb0763c1b33259ddbf4dd72
SHA1

01d977d66d665978ea921ee04c874ca7d16c3dbb
SHA256

eb6e6cdc1938ce18d7ab7b222ef38e6c82ccc78244f63b93d2b94c46c8ad12e2
SHA512

2a868b0a7fb7370363ee2e8d22eca5fd603035a1b11ca8b7736f48111068af6ef5fc0c94db7a96b341e24f63a26e5e0622eb5758215348360b5693bc2d2c28b1
SSDEEP

3072:0rkR5Qp0mB63UtF1xZTV6HT7bIq1j1FbbTS/GzDMts:04R5Z2BtIgm5S/YIq

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	~1tmp.exe

Loads dropped DLL 4 IoCs

pid	Process
2740	cmd.exe
1960	~1tmp.exe
1960	~1tmp.exe
1960	~1tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SCPolicySvc = "C:\\Users\\Admin\\AppData\\Local\\SCPolicySvc.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2056	1960	~1tmp.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~1tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2876	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	DllHost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2740	3028	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2740	3028	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2740	3028	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2740	3028	d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe	30
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 2740 wrote to memory of 1960	2740	cmd.exe	33
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 1960 wrote to memory of 2056	1960	~1tmp.exe	34
PID 2056 wrote to memory of 2876	2056	svchost.exe	35
PID 2056 wrote to memory of 2876	2056	svchost.exe	35
PID 2056 wrote to memory of 2876	2056	svchost.exe	35
PID 2056 wrote to memory of 2876	2056	svchost.exe	35
PID 2056 wrote to memory of 2876	2056	svchost.exe	35
PID 2056 wrote to memory of 2876	2056	svchost.exe	35
PID 2056 wrote to memory of 2876	2056	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d49024573cb0763c1b33259ddbf4dd72_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~1tmp.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\~1tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\~1tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe "C:\Users\Admin\AppData\Local\Temp\~1tmp.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2876

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.jpg

Filesize
93KB

MD5
a866b90d4e6cdc07f7280d08ed460b06

SHA1
0d8eca4be5a97006543781a51b8c4b550d3b23c7

SHA256
61ec47c2b5643218f48e9ceaab066587096aa3b533a4111b5c6e2b1157a870c0

SHA512
32ca80b99932edae0453bca3bad91a88cb5faa33d86186c700c4fd54856998f4a378a00fb559f07a9cf401cbdb979e466e5368697898fb7e45ff3dbaace26a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1tmp.bat

Filesize
22KB

MD5
0108e55ab532a94c1ba1bb0d5219a2fe

SHA1
7d6df8d9845565bf67770f9d959af1fed97cdeeb

SHA256
a136e649403a74e71c1a5c576122872bf8da0b83acb5a3c6af84ee539a846279

SHA512
146864c2ff402e514cea6a0d009633b0c738fb885950b87784809f0077ebd5018f2558153e582095e005bc7dfd36c542666c67fc1b7375a91338c37b893af2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1tmp.exe

Filesize
17KB

MD5
15949ab0fb07a6c6453e4cd7638eceaa

SHA1
a334ece66da7112a552cf2fb5819c47b775b98e7

SHA256
867690628fcaa53a77e86513a57e127b9941e30de16558d2e0085016ea1a13fb

SHA512
d0ea903f8f60aabac48450841fd8f2a323f583bc628199315376c4275c6da15c0bf3de2ee5246f7a5903e5b05468f31a6fe1d313d840e02895f4b57c323649c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
174B

MD5
ae75b08df616c4f3354de9c0ee28e0b9

SHA1
4cde0ec9154b4b5aae605d37fe75af64d88fec2c

SHA256
351637002f89350491aacd1f9a22b084b46093630a5d2b1e536b3d12b8585240

SHA512
99e432dc4b43cf3e0bbc184063bbc759c7617f9553cb960e600ea8f95d78a248035c2338ef1a498718df167c28cd749dcd4a95821913bdd32306acd268a9ac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\~winhp.tmp

Filesize
65B

MD5
8cc0cf83bdf486c953f716fb4b93c64b

SHA1
9c7bca352736ae41a6258646444b37d624668c37

SHA256
641f9f606750430a36099f4df5ea903ff8cd7cc4b2ca88aca93fe5bbc2c95fe4

SHA512
281f9888ae225e323f02abf3a981a5faca586bee6f7922dcaf7cfdc6de18018781daf81e13246c5997fb8e7146b1cad325f8f9bc56a9958811b5f1802a41a852

Download Submit
C:\Users\Admin\AppData\Local\Temp\~winhp.tmp

Filesize
4KB

MD5
2be064f48a055a26202c86fc075640eb

SHA1
c8bde7ea195c1ad7a15c7141d58310b3a6cc8858

SHA256
80816c46c49e47d4e048a6a00c1816b39b7c68de298fef029eade88f1592376a

SHA512
4ef352bd51fb25940f3064e8412df0f2b206758d478c2e1dc154783215b8a6e25d70d26d686815b6ab18a465d5860b73c349b50fc1c9eb258c46c30356f5b017

Download Submit
memory/1960-1089-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1960-1076-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/1960-1075-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/1960-1073-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/2056-1083-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2056-1092-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2056-1090-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2056-1079-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2056-1088-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2056-1081-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2056-1087-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-1085-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2212-1066-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2212-1078-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2212-1062-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2740-1061-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/2740-1064-0x0000000002430000-0x0000000002437000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads