75d540d98233069e7f65f4f7dfda60ebd2fe308ca518b96057a9432ffa8a8248

Analysis

max time kernel
142s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe
Size

2.1MB
MD5

defa25f93f0cb000166a1ed5b9a6f176
SHA1

70e5fd8b8082569e26c75292b48ce768cfcd8a73
SHA256

75d540d98233069e7f65f4f7dfda60ebd2fe308ca518b96057a9432ffa8a8248
SHA512

a6069c296f948a13d8a46a68ec37ab0fd6d55f0a21d40b94e2edea0a60488329b218f208821a0ef4593707ed0a6bed5f6299ce95eacc60c9f99ee85c1d2f716e
SSDEEP

49152:e7wShyV2kelsdPhYtQry+6s/XxM3KYNDA/gk2SrTJs:eMSkV2ke2GO6s/hYtDIHrts

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2116	install.exe
2812	isass.exe
2196	sro timer control-orj.exe

Loads dropped DLL 14 IoCs

pid	Process
2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe
2116	install.exe
2116	install.exe
2116	install.exe
2116	install.exe
2116	install.exe
2812	isass.exe
2812	isass.exe
2812	isass.exe
2116	install.exe
2196	sro timer control-orj.exe
2196	sro timer control-orj.exe
2812	isass.exe
2196	sro timer control-orj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sro timer control-orj.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2116	install.exe
2116	install.exe
2116	install.exe
2116	install.exe
2116	install.exe
2116	install.exe
2196	sro timer control-orj.exe
2196	sro timer control-orj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	sro timer control-orj.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	isass.exe
2196	sro timer control-orj.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2116	2876	defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2812	2116	install.exe	31
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2116 wrote to memory of 2196	2116	install.exe	32
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2812 wrote to memory of 2552	2812	isass.exe	33
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2552 wrote to memory of 2620	2552	cmd.exe	35
PID 2620 wrote to memory of 2632	2620	cmd.exe	36
PID 2620 wrote to memory of 2632	2620	cmd.exe	36
PID 2620 wrote to memory of 2632	2620	cmd.exe	36
PID 2620 wrote to memory of 2632	2620	cmd.exe	36
PID 2620 wrote to memory of 2632	2620	cmd.exe	36
PID 2620 wrote to memory of 2632	2620	cmd.exe	36
PID 2620 wrote to memory of 2632	2620	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\defa25f93f0cb000166a1ed5b9a6f176_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2632
- - C:\Users\Admin\AppData\Local\sro timer control-orj.exe
    "C:\Users\Admin\AppData\Local\sro timer control-orj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
186KB

MD5
3b3f633865e78b077471b52a8e08c7ae

SHA1
49867697fe9f6dd2025ec2081e0c8606257e008a

SHA256
76230baac105470e82f2fdedc13865d9f46c7349ffcc66e239b95893ea433fd4

SHA512
77b9d6eaf413ecb24d552fbe7985ed6d277123eee1b4294db0dc52d5bc396de9c445dc53254f964dfe0ade21e2c54cba17ac6e3008c6935387fbd3e8f1442a1b

Download Submit
C:\Users\Admin\AppData\Local\sro timer control-orj.exe

Filesize
635KB

MD5
4eb85486b06138bdfb356f7a1aef33cb

SHA1
6fe7e5c86dae21173c2a73ef7918b98f248fd441

SHA256
01ad891686462e1b6e23d7bfc5f1db5b03945a4b90d28f59575c65a7dd52a4d1

SHA512
68a56ae213081093b1caee06f8a3925eea0bf5131c4db06fb5925ba06e1129bd47f0abcc1a0e889c749e1cb0a32b175647b1adb5dbfc41f46282c953584e8ee9

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
1.7MB

MD5
c0366be45f52ef5ce640d206acf1268d

SHA1
b46d3d653d594358efcc335dfe354effc121b80e

SHA256
8eefaf6e60db63cd4352fe7e7a3af954f4b78f3d24384a05d2dd10ce588b06e6

SHA512
416e0432d7074866d11a30f6b3b088274b6ed7fb6df3772a6138bb56e584e931767dec739b192f98c3b304a8af6450fc71cdfac8ea31e86ee5e58a7fa272a771

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
540KB

MD5
fda5bef8a3efd39b9f54ac1615634532

SHA1
7360ceeb2d01fdbd426b9cac849f5add692f9114

SHA256
8d1bad9a798732af2b36e2c02668693aaf834b0738e72e1d5e83efa3f8ca3ed1

SHA512
56819e7771989a10bd70c5d54988746d06183a538dd8cd1a70b0f1a4c43c9ce85cea372675ad6cfcb49baf071e22104b49459f1bccaac12f78b2372b4fc3c2a5

Download Submit
memory/2116-35-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/2196-49-0x0000000000B30000-0x0000000000B62000-memory.dmp

Filesize
200KB

Download
memory/2196-50-0x0000000000B30000-0x0000000000B62000-memory.dmp

Filesize
200KB

Download
memory/2812-38-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/2812-51-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2812-52-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/2876-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2876-7-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download