33db3dce9084c90d6632a6da16718ac9031c323e17226bade17d6d0e6f6baa64

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe
Size

222KB
MD5

e14d680a6472d32379ce8a51d5d88d56
SHA1

bedef6f3bf78b34e5a4a66d2871deed0b6789145
SHA256

33db3dce9084c90d6632a6da16718ac9031c323e17226bade17d6d0e6f6baa64
SHA512

deaf8d70888d9719fa582e52d02577ccda07cc8cfffaa4df32d8bed1829294a63b59a2b4a6e8d833355a702f3b2bdceb0dac8962ca1480a89c9a3fa9a3f2473d
SSDEEP

6144:7sapZkI9bWFTz8oFkc4FhjUNgHRXTwPfwC:rkI1W5Fkc0ztT+wC

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eCPRAYL6\Parameters\ServiceDll = "C:\\Windows\\system32\\Wi7aTl.pic"	thunder7.exe

Deletes itself 1 IoCs

pid	Process
2856	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	thunder7.exe

Loads dropped DLL 8 IoCs

pid	Process
2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe
2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe
2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe
2544	thunder7.exe
2544	thunder7.exe
2544	thunder7.exe
1996	svchost.exe
2856	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Wi7aTl.pic	thunder7.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\thunder7.exe	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thunder7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	thunder7.exe
2544	thunder7.exe
2544	thunder7.exe
2544	thunder7.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	2544	thunder7.exe
Token: SeRestorePrivilege	2544	thunder7.exe
Token: SeDebugPrivilege	1996	svchost.exe
Token: SeBackupPrivilege	2856	rundll32.exe
Token: SeSecurityPrivilege	2856	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2856	1996	svchost.exe	32
PID 1996 wrote to memory of 2856	1996	svchost.exe	32
PID 1996 wrote to memory of 2856	1996	svchost.exe	32
PID 1996 wrote to memory of 2856	1996	svchost.exe	32
PID 1996 wrote to memory of 2856	1996	svchost.exe	32
PID 1996 wrote to memory of 2856	1996	svchost.exe	32
PID 1996 wrote to memory of 2856	1996	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e14d680a6472d32379ce8a51d5d88d56_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files (x86)\thunder7.exe
  "C:\Program Files (x86)\thunder7.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k eCPRAYL6
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\wi7atl.pic,main eCPRAYL6
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\thunder7.exe

Filesize
5.3MB

MD5
353b0d1b2bd06c00e8e3142c85916aa5

SHA1
c164e3c29d69d4bbd07a027e830fee47d47f7c74

SHA256
15c8db1dedcf5f90f04f0aa5bbd2f2dbe6606259e8d7733baf3b3f7d83eb2917

SHA512
9b0bcbeaed24adb5b0f220fe963b8b39fe76ff5c7e3acaf6a6341289fe4d42a8f5df86d653d4ae8c8c6642f2c3452d8d8dde1732e5db029d1ba27845d7b24810

Download Submit
\Users\Admin\AppData\Local\Temp\nsy82D8.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit