cee904317b22abb6e23c271b24d214781ecacbb52475f20a0492037c1e731abe

Analysis

max time kernel
115s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
Size

69KB
MD5

d4c1cfad41d227dd314eed3b49440fab
SHA1

d857cccfec1580769108a6222ac9b02070c419f6
SHA256

cee904317b22abb6e23c271b24d214781ecacbb52475f20a0492037c1e731abe
SHA512

4fb6501be34d7c5b586d4e8f057e6377f5afe0d49dc9423fe62fa1e407ea7e3af2fd59b81e25205721b8d77bcfdc53b77f9459ef2c5a0715ab2c3c03b768e69d
SSDEEP

1536:Rx6/BPWgTFNICb9DGiv5SAMc2masLQA6u8L:W/BOuNJ9Dl5DMY1f8

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1464	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2080	firewall.exe
1824	winamp.exe
3048	Isass.exe
2420	winamp.exe
2668	Isass.exe
1692	winamp.exe
1392	lssas.exe

Loads dropped DLL 14 IoCs

pid	Process
2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
2080	firewall.exe
2080	firewall.exe
1824	winamp.exe
1824	winamp.exe
3048	Isass.exe
3048	Isass.exe
2420	winamp.exe
2420	winamp.exe
2668	Isass.exe
2668	Isass.exe
1692	winamp.exe
1692	winamp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\lssas.exe"	lssas.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winamp.exe	firewall.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	winamp.exe
File created	C:\Windows\SysWOW64\Isass.exe	winamp.exe
File created	C:\Windows\SysWOW64\kgxuqfx.bat	Isass.exe
File created	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File created	C:\Windows\SysWOW64\lssas.exe	winamp.exe
File created	C:\Windows\SysWOW64\firewall.exe	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mzmi.bat	winamp.exe
File created	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File created	C:\Windows\SysWOW64\jizkq.bat	Isass.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	winamp.exe
File created	C:\Windows\SysWOW64\tlwk.bat	winamp.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	firewall.exe
File created	C:\Windows\SysWOW64\kumifq.bat	firewall.exe
File created	C:\Windows\SysWOW64\Isass.exe	winamp.exe
File created	C:\Windows\SysWOW64\uqzfmx.bat	winamp.exe
File created	C:\Windows\SysWOW64\lssas.exe	lssas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firewall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lssas.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1464	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	29
PID 2068 wrote to memory of 1464	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	29
PID 2068 wrote to memory of 1464	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	29
PID 2068 wrote to memory of 1464	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2080	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2080	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2080	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2080	2068	d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2844	2080	firewall.exe	32
PID 2080 wrote to memory of 2844	2080	firewall.exe	32
PID 2080 wrote to memory of 2844	2080	firewall.exe	32
PID 2080 wrote to memory of 2844	2080	firewall.exe	32
PID 2080 wrote to memory of 1824	2080	firewall.exe	34
PID 2080 wrote to memory of 1824	2080	firewall.exe	34
PID 2080 wrote to memory of 1824	2080	firewall.exe	34
PID 2080 wrote to memory of 1824	2080	firewall.exe	34
PID 1824 wrote to memory of 2652	1824	winamp.exe	35
PID 1824 wrote to memory of 2652	1824	winamp.exe	35
PID 1824 wrote to memory of 2652	1824	winamp.exe	35
PID 1824 wrote to memory of 2652	1824	winamp.exe	35
PID 1824 wrote to memory of 3048	1824	winamp.exe	37
PID 1824 wrote to memory of 3048	1824	winamp.exe	37
PID 1824 wrote to memory of 3048	1824	winamp.exe	37
PID 1824 wrote to memory of 3048	1824	winamp.exe	37
PID 3048 wrote to memory of 2396	3048	Isass.exe	38
PID 3048 wrote to memory of 2396	3048	Isass.exe	38
PID 3048 wrote to memory of 2396	3048	Isass.exe	38
PID 3048 wrote to memory of 2396	3048	Isass.exe	38
PID 3048 wrote to memory of 2420	3048	Isass.exe	40
PID 3048 wrote to memory of 2420	3048	Isass.exe	40
PID 3048 wrote to memory of 2420	3048	Isass.exe	40
PID 3048 wrote to memory of 2420	3048	Isass.exe	40
PID 2420 wrote to memory of 588	2420	winamp.exe	41
PID 2420 wrote to memory of 588	2420	winamp.exe	41
PID 2420 wrote to memory of 588	2420	winamp.exe	41
PID 2420 wrote to memory of 588	2420	winamp.exe	41
PID 2420 wrote to memory of 2668	2420	winamp.exe	43
PID 2420 wrote to memory of 2668	2420	winamp.exe	43
PID 2420 wrote to memory of 2668	2420	winamp.exe	43
PID 2420 wrote to memory of 2668	2420	winamp.exe	43
PID 2668 wrote to memory of 1520	2668	Isass.exe	44
PID 2668 wrote to memory of 1520	2668	Isass.exe	44
PID 2668 wrote to memory of 1520	2668	Isass.exe	44
PID 2668 wrote to memory of 1520	2668	Isass.exe	44
PID 2668 wrote to memory of 1692	2668	Isass.exe	46
PID 2668 wrote to memory of 1692	2668	Isass.exe	46
PID 2668 wrote to memory of 1692	2668	Isass.exe	46
PID 2668 wrote to memory of 1692	2668	Isass.exe	46
PID 1692 wrote to memory of 2352	1692	winamp.exe	47
PID 1692 wrote to memory of 2352	1692	winamp.exe	47
PID 1692 wrote to memory of 2352	1692	winamp.exe	47
PID 1692 wrote to memory of 2352	1692	winamp.exe	47
PID 1692 wrote to memory of 1392	1692	winamp.exe	49
PID 1692 wrote to memory of 1392	1692	winamp.exe	49
PID 1692 wrote to memory of 1392	1692	winamp.exe	49
PID 1692 wrote to memory of 1392	1692	winamp.exe	49

C:\Users\Admin\AppData\Local\Temp\d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4c1cfad41d227dd314eed3b49440fab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dtrl.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1464
- C:\Windows\SysWOW64\firewall.exe
  C:\Windows\system32\firewall.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\kumifq.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\winamp.exe
    C:\Windows\system32\winamp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\mzmi.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Windows\SysWOW64\Isass.exe
      C:\Windows\system32\Isass.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\jizkq.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
    - - C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\uqzfmx.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:588
      - C:\Windows\SysWOW64\Isass.exe
        
        C:\Windows\system32\Isass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\kgxuqfx.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\tlwk.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\lssas.exe
        
        C:\Windows\system32\lssas.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtrl.bat

Filesize
240B

MD5
4d56e44cc56ea0d3a6dbe87ce73ab35f

SHA1
6a6673fbfe6dca9ffee287be8bc6714adc28e479

SHA256
0278e5fbc6cb2c3f3ae7cdf302b2c3c50603e2f42075018203bb59248c5208cf

SHA512
ec7a8ab3b5678efc212edea6b5ee7c2070a4f9e1c297184ff5dd55b6cf076640188e8155e1701de98d9ec4d6c522dd13f40268fe4155a6cb658a429c5f6a9a2d

Download Submit
C:\Windows\SysWOW64\firewall.exe

Filesize
69KB

MD5
d4c1cfad41d227dd314eed3b49440fab

SHA1
d857cccfec1580769108a6222ac9b02070c419f6

SHA256
cee904317b22abb6e23c271b24d214781ecacbb52475f20a0492037c1e731abe

SHA512
4fb6501be34d7c5b586d4e8f057e6377f5afe0d49dc9423fe62fa1e407ea7e3af2fd59b81e25205721b8d77bcfdc53b77f9459ef2c5a0715ab2c3c03b768e69d

Download Submit
C:\Windows\SysWOW64\jizkq.bat

Filesize
118B

MD5
14afce77cc0ad39e1b504e5a144da285

SHA1
3812bae4a985277cd55255f982608c5039095144

SHA256
2dd7ca0476766dd2e1d8ea05faf98480a04c9642ffb37da11119487fc9af0229

SHA512
0847eb55f976b1c2950193720a9e33d6a1cf4d281791a59ddd3e8ea026bad20376878e972adeeb3ad8f6378ae2b78b9168ac2cb0342848627ea5ed9fdb5980af

Download Submit
C:\Windows\SysWOW64\kgxuqfx.bat

Filesize
120B

MD5
4fa5243cbcb8645ea9c33020d8d444e9

SHA1
f5811dfc17f1f9ab65c07e14363264274cfd3e9d

SHA256
5dbe8caa4705e470b20417aa2516a7546e764ffe848ab375fc22708feac01b5a

SHA512
2e331175f8dc2afe4e2e33bd30fe7308d6b5ef504a5cf344b37111f04e2fc9be75676e9ad22038967f968200c401420538f97ca58a6a2496e9aaeacdccd20544

Download Submit
C:\Windows\SysWOW64\kumifq.bat

Filesize
128B

MD5
41622c3eb9d099569354ebbb9e1cf2d1

SHA1
c5c6c2262f41ea7ff0169172c62c77ea6e2a4993

SHA256
41c9f4e267d2c1dc022bc3526450e52c6b8e7e4ab736e57726d18f9e2df846c2

SHA512
c28bc01c88631a84ef7dd47061269cd9efee66bf6ae46305e61265ba33a0956c235278cc78936df9837d5c3e4656c03146796ea2262254a2d0044d80551e9808

Download Submit
C:\Windows\SysWOW64\mzmi.bat

Filesize
120B

MD5
cb1d45a87d6ae2be30bc6192dd32c72e

SHA1
91737c8b351ce11738253028a3b9b1e4ba69918c

SHA256
a9c322799c1e4edaa0d368e35002b28e458af072acb11ef71cd6bccb55182fa7

SHA512
8559bebf8bf45156318faa23e29fc7bba6b12d0b1b5a9ad7a0d34dced8f0981f2619ec3c179891a50eb2f90f5039640318082bbbd495b601701fcbf0086ec285

Download Submit
C:\Windows\SysWOW64\tlwk.bat

Filesize
120B

MD5
2efad73822766246d10336a1f7ac3175

SHA1
66260352f09b7ddbc305eaf886134d07a2822711

SHA256
c65e0bfacbbcb01df84938ebfc00714f979a2f2d32703c2d4c1b2b5073c20a05

SHA512
6ef46d6a6c19b64e3238c8e9de07cec6c03fa533d64c1bf5c5fea3ab38bf05e5c254fd35cc0530b672654d28a1fca5217761026c83df2f393c8672148da924e9

Download Submit
C:\Windows\SysWOW64\uqzfmx.bat

Filesize
122B

MD5
d3d6e14a27262baf008a75affd80d081

SHA1
b7571d10bf6cee9610f27009fbf284d2aed2c407

SHA256
ae9dbac8f7062e1a92485447a6dbad783debb7f513c9e6583653f85baff583c3

SHA512
2043d74f6e22e59c898813ff748e0646cabef7cd73a53ff93df1d5841233bf08a1c7faebd0a2f7dbacffe17b35bd0e895f6b7817b7269d862f62df56762d81b1

Download Submit
memory/1392-162-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1692-157-0x00000000026A0000-0x00000000026C8000-memory.dmp

Filesize
160KB

Download
memory/1692-159-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1692-156-0x00000000026A0000-0x00000000026C8000-memory.dmp

Filesize
160KB

Download
memory/1824-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2068-19-0x0000000002690000-0x00000000026B8000-memory.dmp

Filesize
160KB

Download
memory/2068-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2068-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2080-43-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/2080-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2080-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-106-0x0000000002690000-0x00000000026B8000-memory.dmp

Filesize
160KB

Download
memory/2420-113-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-112-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3048-88-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads