06c1b7afa6c27b0ac07cb34e525bc9d02475313295dead32f644353e6a50a240

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
Size

28KB
MD5

dfb206e935cd7590d15ea653dc1786e8
SHA1

8f04c4191e460046e04393d660b79fc6dad9af43
SHA256

06c1b7afa6c27b0ac07cb34e525bc9d02475313295dead32f644353e6a50a240
SHA512

1983027c0864abfe7d6007fa37b6ac0adc6deca6d8d4eee20ca60ae346697e08e1cc34eaa01d290b48f9c7bb489412297aebe409eaf16eca19bd33427e30a1ea
SSDEEP

768:jy+DGhusVP40Tv2RVmhQpvch93hkSYFnbcuyD7U0Nc:jyzusVAm2RVmksySYFnouy8Uc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\t:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\w:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\q:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\r:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\s:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\x:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\g:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\j:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\k:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\p:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\u:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\z:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\e:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\i:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\n:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\o:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\h:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\l:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\v:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened (read-only)	\??\y:	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259433500.CPL	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rgdltecq\ngoifz.pif	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\rgdltecq\ngoifz.pif	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\259433500.CPL"	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
Token: SeDebugPrivilege	2204	dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfb206e935cd7590d15ea653dc1786e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259433500.CPL

Filesize
12.1MB

MD5
88b442f19a5ef5d6ccf029047d2fb2f6

SHA1
4e03907090a1532f9d080d6236b455ee972da3f8

SHA256
fad2584d3338cecb0e4e868d617fd7a663ae6ff7dc670bfa816fbf5e331c78e3

SHA512
b849788bd9a7d235bbcf15a2b3de4c7c36ab54cd39475f06cc943f2d146b411e18a577596586836c1d2b9273b5a0c221cdda59c6cc16aad7995981f253bc8371

Download Submit
memory/2204-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2204-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download