e9739463a3fe85e79297d0413c395879c13bf1f278f769af290adfb99fc9ac51

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
Size

149KB
MD5

dfa83bae7ff5c35dd80f3021c70cca39
SHA1

0326e15d4c31d975dec3ffd69edefada303abfc1
SHA256

e9739463a3fe85e79297d0413c395879c13bf1f278f769af290adfb99fc9ac51
SHA512

c25db09fd6843495f6ad7fa0db8c446ded459a8e0efc3986fd7da47ac42cc859a33c9cdc5774122aaad1c4e88146b14d8a280e41e3a2ba9beca8338318b41788
SSDEEP

3072:MLtfI7ZVLOnb6Y42ftsKp3TGaP3pd0MtzLdfkiYK8IZI70z6wwXIS3:SAVLga2VsC3yaP3kWzub86wRS3

Score

7^/10

defense_evasion discovery upx vmprotect

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1252	MPB7BB.tmp
2240	MPB7CB.tmp
2088	MPB7CC.tmp
2092	MPB7DB.tmp
2872	MPB80A.tmp
2472	MPB7F9.tmp
2820	ctfmon.exe

Loads dropped DLL 23 IoCs

pid	Process
1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
1252	MPB7BB.tmp
1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
1252	MPB7BB.tmp
1252	MPB7BB.tmp
1252	MPB7BB.tmp
2088	MPB7CC.tmp
2088	MPB7CC.tmp
2088	MPB7CC.tmp
2088	MPB7CC.tmp
2728	WerFault.exe
2728	WerFault.exe
2092	MPB7DB.tmp
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2728	WerFault.exe
2240	MPB7CB.tmp
2504	rundll32.exe
2744	WerFault.exe
2728	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000174af-12.dat	upx
behavioral1/files/0x00080000000174f5-32.dat	upx
behavioral1/memory/2240-42-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2092-40-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2092-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2240-84-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2240-91-0x0000000000400000-0x0000000000419000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000500000001941f-67.dat	vmprotect
behavioral1/files/0x00090000000174f5-85.dat	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nvuais1.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\nvuais1.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\nvuais3.dat	MPB7DB.tmp
File opened for modification	C:\Windows\SysWOW64\nvuais5.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\mvewia.dat	MPB7DB.tmp
File opened for modification	C:\Windows\SysWOW64\nvuais2.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\nvuais2.dat	MPB7DB.tmp
File opened for modification	C:\Windows\SysWOW64\nvuais3.dat	MPB7DB.tmp
File opened for modification	C:\Windows\SysWOW64\nvuais4.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\nvuais4.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\nvuais5.dat	MPB7DB.tmp
File created	C:\Windows\SysWOW64\hwhtwfnyu.dll	MPB7DB.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ctfmon.exe	MPB7CB.tmp
File opened for modification	C:\Windows\ctfmon.exe	MPB7CB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	2472	WerFault.exe	34
2728	2872	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPB7BB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPB7F9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPB7DB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPB80A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPB7CB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPB7CC.tmp

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2240	MPB7CB.tmp
2240	MPB7CB.tmp
2092	MPB7DB.tmp
2240	MPB7CB.tmp
2240	MPB7CB.tmp
2240	MPB7CB.tmp
2240	MPB7CB.tmp
2240	MPB7CB.tmp
2240	MPB7CB.tmp
2240	MPB7CB.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2092	MPB7DB.tmp
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2092	MPB7DB.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2092	MPB7DB.tmp
2240	MPB7CB.tmp

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1252	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	30
PID 1952 wrote to memory of 1252	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	30
PID 1952 wrote to memory of 1252	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	30
PID 1952 wrote to memory of 1252	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2088	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	31
PID 1952 wrote to memory of 2088	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	31
PID 1952 wrote to memory of 2088	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	31
PID 1952 wrote to memory of 2088	1952	dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe	31
PID 1252 wrote to memory of 2240	1252	MPB7BB.tmp	32
PID 1252 wrote to memory of 2240	1252	MPB7BB.tmp	32
PID 1252 wrote to memory of 2240	1252	MPB7BB.tmp	32
PID 1252 wrote to memory of 2240	1252	MPB7BB.tmp	32
PID 1252 wrote to memory of 2092	1252	MPB7BB.tmp	33
PID 1252 wrote to memory of 2092	1252	MPB7BB.tmp	33
PID 1252 wrote to memory of 2092	1252	MPB7BB.tmp	33
PID 1252 wrote to memory of 2092	1252	MPB7BB.tmp	33
PID 2088 wrote to memory of 2472	2088	MPB7CC.tmp	34
PID 2088 wrote to memory of 2472	2088	MPB7CC.tmp	34
PID 2088 wrote to memory of 2472	2088	MPB7CC.tmp	34
PID 2088 wrote to memory of 2472	2088	MPB7CC.tmp	34
PID 2088 wrote to memory of 2872	2088	MPB7CC.tmp	35
PID 2088 wrote to memory of 2872	2088	MPB7CC.tmp	35
PID 2088 wrote to memory of 2872	2088	MPB7CC.tmp	35
PID 2088 wrote to memory of 2872	2088	MPB7CC.tmp	35
PID 2472 wrote to memory of 2744	2472	MPB7F9.tmp	36
PID 2472 wrote to memory of 2744	2472	MPB7F9.tmp	36
PID 2472 wrote to memory of 2744	2472	MPB7F9.tmp	36
PID 2472 wrote to memory of 2744	2472	MPB7F9.tmp	36
PID 2872 wrote to memory of 2728	2872	MPB80A.tmp	37
PID 2872 wrote to memory of 2728	2872	MPB80A.tmp	37
PID 2872 wrote to memory of 2728	2872	MPB80A.tmp	37
PID 2872 wrote to memory of 2728	2872	MPB80A.tmp	37
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2504	2092	MPB7DB.tmp	38
PID 2092 wrote to memory of 2740	2092	MPB7DB.tmp	39
PID 2092 wrote to memory of 2740	2092	MPB7DB.tmp	39
PID 2092 wrote to memory of 2740	2092	MPB7DB.tmp	39
PID 2092 wrote to memory of 2740	2092	MPB7DB.tmp	39
PID 2240 wrote to memory of 2820	2240	MPB7CB.tmp	41
PID 2240 wrote to memory of 2820	2240	MPB7CB.tmp	41
PID 2240 wrote to memory of 2820	2240	MPB7CB.tmp	41
PID 2240 wrote to memory of 2820	2240	MPB7CB.tmp	41

C:\Users\Admin\AppData\Local\Temp\dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfa83bae7ff5c35dd80f3021c70cca39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\MPB7BB.tmp
  "C:\Users\Admin\AppData\Local\Temp\MPB7BB.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\MPB7CB.tmp
    "C:\Users\Admin\AppData\Local\Temp\MPB7CB.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\ctfmon.exe
      "C:\Windows\ctfmon.exe"
      4⤵
      Executes dropped EXE
      PID:2820
- - C:\Users\Admin\AppData\Local\Temp\MPB7DB.tmp
    "C:\Users\Admin\AppData\Local\Temp\MPB7DB.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\hwhtwfnyu.dll Porn
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\MPB7DB.tmp
      4⤵
      System Location Discovery: System Language Discovery
      PID:2740
- C:\Users\Admin\AppData\Local\Temp\MPB7CC.tmp
  "C:\Users\Admin\AppData\Local\Temp\MPB7CC.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\MPB7F9.tmp
    "C:\Users\Admin\AppData\Local\Temp\MPB7F9.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2744
- - C:\Users\Admin\AppData\Local\Temp\MPB80A.tmp
    "C:\Users\Admin\AppData\Local\Temp\MPB80A.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MPB7CC.tmp

Filesize
57KB

MD5
dbb47069663b801ef8fc5f6ab098c4ac

SHA1
60a5c9d63f828368cec34b19be3b59764f74d781

SHA256
18c1d903591a377090c9f5680bc9c8dc9d3fc080858993a25b496d8d2df0a3ca

SHA512
54e1d4e4b25db5d583ba3430ec5a509780765ef40ba9753ed4dd97da8d2f41f14b6f45882628a34d8ec534d47d9ed263c6f1b05241d85959ac5910a3d9927222

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPB7DB.tmp

Filesize
47KB

MD5
0e2cffd13f27acbe271de175ccf89311

SHA1
f4efce84fb4ac4e2b0c38a5fb9084826da98a7e1

SHA256
dd39e226d5c0b26a1e5487b7c8913f45f351754de86f477794b2fe8ebdf2279c

SHA512
ba7a8b7fbab4dacb27031028e655474c28aee93f96b32be2f94032c58d04eea621e83b180967398ae7b8665d258b8258985e97caee6c8feadd3391a59f6cf8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPB7F9.tmp

Filesize
29KB

MD5
01d023ac473868353482dd369ce56b68

SHA1
0259385566e3b81ab43b35d7361225be873c1705

SHA256
7336b1fde53f37d60180c713816838fc2f89f5089a8f11fb845c6ab5427e8e4c

SHA512
ed2c80a06ef3cd5b9277ecc183f9a6e756de174390205bda2e282333c541501630237d53682c2ebab29e739412201eb02412e5a6c5c2f6ddc86b1ff7f48da2f9

Download Submit
C:\Windows\ctfmon.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\Temp\259443609n02.dll

Filesize
66KB

MD5
7424b87bf53e9be336b70a2680c03d11

SHA1
7fbe42c5133a047d926a31292bed12ea7acc59ac

SHA256
93d0980ace121510a8998d178e9ccb1193dcf7b160377d22a7912c5d8705ef6c

SHA512
c0a240aab791a0f4610ff4b60dee1357248210a550f4ebe0d1514cdb66248dc7cd6ce9d4ce74af0c283170043f6afcccc73057f8765dd5f6db5a362299df36da

Download Submit
\Users\Admin\AppData\Local\Temp\MPB7BB.tmp

Filesize
90KB

MD5
9dfdc63ac76d513dc2d7c9c85452a1fd

SHA1
c68b804e5b2b126fa0f95eda692e164371e84d43

SHA256
6e4201ff82fc6a69602b93b08f042433dd87cd29a05cfe2b23f612adf4806b4d

SHA512
bae0216901843513d0616dd3052718af5b2fbf7d249791409155dc0930a78db2d2da7b12b0b6692dab6ec7dc0ccd63afb94632f27d230476a78dc981acd90824

Download Submit
\Users\Admin\AppData\Local\Temp\MPB7CB.tmp

Filesize
37KB

MD5
6aad6ff264f247bc254a6a879ecebefe

SHA1
aaafbb67b467105d80be75e7002fd173abbb6836

SHA256
43c0491ac35fbd56127221af8531561311e552bd02407a4e850de34e6da88554

SHA512
5e9be8b4402fdaf478c0f7a023dd9ea332f695fe209cc7346d5f5dc83a31d845cfe6619c66369a5e177921fb151459850b3367c980938644ced4a1a724e22a14

Download Submit
\Users\Admin\AppData\Local\Temp\MPB80A.tmp

Filesize
25KB

MD5
29115e38c37da7cb72f63d70812357dc

SHA1
bac9dbfef7ab06c18469b199beed478633abae4d

SHA256
79b57dafa55dd5be31d98ec2f8682ad8194268f9bfb66c5401bf77213dc46fae

SHA512
23c43cf67daefd11feb490386d3b4a965ae17e333873e8662b17094958adaec3cf8ab471e557606839751b2ba213b1736c287bceeff9a36d991a11d12e32f4b1

Download Submit
\Windows\SysWOW64\hwhtwfnyu.dll

Filesize
84KB

MD5
c9b9e5f6fcca9f2fef09c4d5f877f296

SHA1
d77a29b7eb1e2c8d25167552386a27dde5746894

SHA256
fe017e521c63aef9439cc761be661cfaae7d8afc993f1eeacaf7b37805d6966d

SHA512
184397ecfb2a5f21344587e9dd602e4f2a3eed17de32a589c32357cebf70f183756c4e76df84c1a98a88905493b33d090fbc3c645b84ab14f77c093d6f9da97f

Download Submit
memory/2088-41-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2088-43-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2092-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2092-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2240-42-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2240-84-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2240-91-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2472-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2872-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download