4a521febae3f7300e9232613f86e396cb498bba34813dada818dd076b741fceb

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
Size

396KB
MD5

e0ef6f0918e52efaea280dac53989603
SHA1

133c07681b08f1e0e606cfdb075a9b7654f65ca8
SHA256

4a521febae3f7300e9232613f86e396cb498bba34813dada818dd076b741fceb
SHA512

12258e35f40c5f661688c02506879a77c603ed6370aa6c4f97a39a2a614877ca01d8a13814759520e1c1f6f5928f07debdf38c7be48cc7c5d62e8a1ce98f78f0
SSDEEP

12288:Nbti6v7MUMBGiKva6AcWE6C/idBoTHOSDGP+f/n:ltiEMkiyZAcWE6rdGCSDGmfP

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\w34yae5u45uhyrt5.exe"	rdt66jud56u.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\w34yae5u45uhyrt5.exe"	rdt66jud56u.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VwMNWke1-5dpp-CjdB-fU30-SvSpp9tNZwHU}	rdt66jud56u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VwMNWke1-5dpp-CjdB-fU30-SvSpp9tNZwHU}\I78heaLDnoZYDzg = "\"C:\\Users\\Admin\\AppData\\Roaming\\w34yae5u45uhyrt5.exe\" /ActiveX"	rdt66jud56u.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rdt66jud56u.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
828	rdt66jud56u.exe
2700	rdt66jud56u.exe

Loads dropped DLL 7 IoCs

pid	Process
2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
828	rdt66jud56u.exe
2700	rdt66jud56u.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x000000000053A000-memory.dmp	upx
behavioral1/files/0x0009000000016de9-36.dat	upx
behavioral1/memory/2492-40-0x0000000000400000-0x000000000053A000-memory.dmp	upx
behavioral1/memory/2700-47-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-48-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/828-51-0x0000000000400000-0x000000000053A000-memory.dmp	upx
behavioral1/memory/2700-49-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-46-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-45-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-43-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-57-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-58-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-60-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-62-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-64-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-66-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-68-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-70-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-72-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-74-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-76-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-78-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-80-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-82-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2700-84-0x0000000000400000-0x000000000049C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\5stur4urs45ju = "C:\\Users\\Admin\\AppData\\Roaming\\rdt66jud56u.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\I78heaLDnoZYDzg = "C:\\Users\\Admin\\AppData\\Roaming\\w34yae5u45uhyrt5.exe"	rdt66jud56u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\I78heaLDnoZYDzg = "C:\\Users\\Admin\\AppData\\Roaming\\w34yae5u45uhyrt5.exe"	rdt66jud56u.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdt66jud56u.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	rdt66jud56u.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 2700	828	rdt66jud56u.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdt66jud56u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdt66jud56u.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
828	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe
2700	rdt66jud56u.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2328	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2328	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2328	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	31
PID 2492 wrote to memory of 2328	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2856	2328	cmd.exe	33
PID 2328 wrote to memory of 2856	2328	cmd.exe	33
PID 2328 wrote to memory of 2856	2328	cmd.exe	33
PID 2328 wrote to memory of 2856	2328	cmd.exe	33
PID 2492 wrote to memory of 828	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	34
PID 2492 wrote to memory of 828	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	34
PID 2492 wrote to memory of 828	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	34
PID 2492 wrote to memory of 828	2492	e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe	34
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35
PID 828 wrote to memory of 2700	828	rdt66jud56u.exe	35

C:\Users\Admin\AppData\Local\Temp\e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0ef6f0918e52efaea280dac53989603_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259447212.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "5stur4urs45ju" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rdt66jud56u.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Users\Admin\AppData\Roaming\rdt66jud56u.exe
  "C:\Users\Admin\AppData\Roaming\rdt66jud56u.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Roaming\rdt66jud56u.exe
    C:\Users\Admin\AppData\Roaming\rdt66jud56u.exe
    3⤵
    - Modifies WinLogon for persistence
    - Boot or Logon Autostart Execution: Active Setup
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259447212.bat

Filesize
144B

MD5
65eeac27df79bacb998372ee71453edc

SHA1
7a755eae5b89c7ac2c79b9e67184788f84390976

SHA256
dfe19a43addc0791805bb20f0fd46d6f110456a0dc1a29dc8464646980f4cfb6

SHA512
8d00674a04309c0baf3e09cc25d96c0946c99537e16f99834a20602e0742e15191d3afd38f5c2b2e160f0ee0f161788f0c94f77856f2be80995a2a1398f73d51

Download Submit
C:\Users\Admin\AppData\Roaming\rdt66jud56u.exe

Filesize
396KB

MD5
e0ef6f0918e52efaea280dac53989603

SHA1
133c07681b08f1e0e606cfdb075a9b7654f65ca8

SHA256
4a521febae3f7300e9232613f86e396cb498bba34813dada818dd076b741fceb

SHA512
12258e35f40c5f661688c02506879a77c603ed6370aa6c4f97a39a2a614877ca01d8a13814759520e1c1f6f5928f07debdf38c7be48cc7c5d62e8a1ce98f78f0

Download Submit
\Users\Admin\AppData\Roaming\dwlGina3.dll

Filesize
93KB

MD5
1173123287198dce1eb831f04e28352c

SHA1
39d650f4297c990a7ffaa7dc3b6d0ef903c9bd14

SHA256
65d4582e135c774d9c827ae08de8b77f199ee934f13d1a0537df4f5d18f590ba

SHA512
e9fdb6e808b0f3ed850fb364d48609a9726fd41ad138594fc04f8d48d5672aec3aaa76af236f07c4263c053dc539f99009e74491adb03c885190dcce78f0cede

Download Submit
memory/828-51-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2492-35-0x0000000003D10000-0x0000000003E4A000-memory.dmp

Filesize
1.2MB

Download
memory/2492-40-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2492-0-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2700-57-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-62-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-46-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-45-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-43-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-55-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2700-48-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-47-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-58-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-59-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2700-60-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-49-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-64-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-66-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-68-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-70-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-72-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-74-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-76-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-78-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-80-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-82-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2700-84-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download