5f60950528295a7885e1241258ea283d44ea9f3960e8b62300e2231f340afd04

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
Size

144KB
MD5

dea8f56582d91ae4605f7162a006aeae
SHA1

96a38ffacfb0ac8a369ce03cffb6c1f2b4893fa6
SHA256

5f60950528295a7885e1241258ea283d44ea9f3960e8b62300e2231f340afd04
SHA512

2ba4e9e84e75828cfa5bbc5d1c0d16b2f308fb5ff4557dc8cee5550701a3f77be6ff6580249872205374c7d8156cb37fba8b7b4df892992508666009bf603b6a
SSDEEP

1536:/fQDBTn64E8RtIacmqWQuGMZ0jkLcDBTn64E8RtIacGDBTn64E8RtIacRjDKyEXd:3QDQ/0cd2jLwrecqOMpV+WR36rHuG

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe C:\\Windows\\system32\\drivers\\svchost.exe"	svchost.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Setup.exe	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1996	svchost.exe
2752	Setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mmil.htm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\gogo.txt	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2280	taskkill.exe
2880	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2280	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	30
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1996	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	32
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2752	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	34
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35
PID 2360 wrote to memory of 2880	2360	dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im teatimer.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SysWOW64\drivers\svchost.exe
  C:\Windows\system32\drivers\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Windows\SysWOW64\drivers\Setup.exe
  C:\Windows\system32\drivers\Setup.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im teatimer.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gogo.txt

Filesize
103B

MD5
31c3bc3c45356f6ea4c15a33f8fb07e6

SHA1
cce751aeed4fdb0bc1998f1d843f67843bbba097

SHA256
42e5cf549911281f6ce3855c39c3e2befa9235a9b747c39f27371edfaa3599c7

SHA512
0983c80387384f5174fe72a5950401a7a08e526fd763f7b6fabdbb56c4a00663b7e89d6438e0870a786c46023829ed6b317a5d84bc1e06a0a732be2757bde3ca

Download Submit
C:\Windows\SysWOW64\mmil.htm

Filesize
1KB

MD5
078f390e61743e960b72f3b9764020e1

SHA1
29ca97b6cf71dffe3664d882720d0313ac5f601d

SHA256
c3b6ff1c45839c61dd47b6e18c15f38bcd1af17a38927d6713b94e487eedc0a9

SHA512
4d8fbbeb08c5205a1f44f08930442bfa584a2efde7095be564c70d6035d0b67a6b059f936d19a75ef742e930342a7f6c67a3b6716d85ab289fff61ac9fe63e58

Download Submit
C:\Windows\SysWOW64\mmil.htm

Filesize
1KB

MD5
54713dd09c46e12ce4334e0b7f8cccdd

SHA1
8cea369627b2f8d66ba10d2243c8780ee7ac4140

SHA256
c132d8c863bc066010f75eceae2a8b48ea5be682caf53ee0ed5c2848a9f94461

SHA512
43ce00f861bc3191b01ab658e049a6123c54848a8f170853d851392176347b28ad1fb51e854c1a64b6e728f92e3661b6037702ed8172319b55f54c8b983c2a88

Download Submit
\Windows\SysWOW64\drivers\Setup.exe

Filesize
48KB

MD5
54370209b8485a8652aa0d28f98ebd30

SHA1
6c03a3003869bb062e55a428001cb36769869cc0

SHA256
4a6f321d2f5ba8803eda2f12d7abf99681d023fe1c4e5677f425136836327526

SHA512
085048823e7e250e284b1b9758bbc50d1762c9e33be89501845e48d6c322f63644f4b89ba91fdff85144556af002aee4729eea4ed41cb57461bf449bea151813

Download Submit
\Windows\SysWOW64\drivers\svchost.exe

Filesize
56KB

MD5
5c749b6329c23b51ec2010d4769f124e

SHA1
63c4b66297efc2807bdb5d37131a552455f0c90a

SHA256
cacc67a8acd397c9135876fef7d773ab4c465aa1dee07068eb20ceec358e7e96

SHA512
abf0d7a64153f5c3e436524c8196229d074832de76862509d023d7bf2faa84a5b9fa6b2ef7f75d1fdddf4dd0260135730cd3c32dfce200edfd47cffc7a135e1a

Download Submit
memory/1996-17-0x0000000004680000-0x00000000056E2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads