699458fb3e81e91a5b7b4b34a758dcfecf62c196b434b93184f6982ae725f29b

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe
Size

706KB
MD5

e1592ecc5789dfe24045e99f767b454e
SHA1

fd26e3c78e4900b4b1988d2316ad31c92c2d664a
SHA256

699458fb3e81e91a5b7b4b34a758dcfecf62c196b434b93184f6982ae725f29b
SHA512

5dd78fdb32cc409c2e4c7d910283e4429a6096b4e3500eeabe2c36ab35484ffa5d90428ff9f044375d220fdc60b81206877a22c553eeac25b466bcb4da16b715
SSDEEP

12288:4oC/S1rUvPN+DfXw4l+WZ1I77MoDqF3Z4mxxfHkfZESXP:41S1A+Dfhl31Y7DWQmXfkfL

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2992	2.exe
2652	McShield.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe
1984	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\EYFTWX.DAT	2.exe
File created	C:\Windows\McShield.exe	2.exe
File opened for modification	C:\Windows\McShield.exe	2.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	McShield.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	2.exe
Token: SeDebugPrivilege	2652	McShield.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2652	McShield.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	McShield.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2992	1984	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2992	1984	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2992	1984	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2992	1984	e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2640	2652	McShield.exe	32
PID 2652 wrote to memory of 2640	2652	McShield.exe	32
PID 2652 wrote to memory of 2640	2652	McShield.exe	32
PID 2652 wrote to memory of 2640	2652	McShield.exe	32

C:\Users\Admin\AppData\Local\Temp\e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1592ecc5789dfe24045e99f767b454e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

C:\Windows\McShield.exe
C:\Windows\McShield.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EYFTWX.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
799KB

MD5
64758c8c58296223cdeed48687e460c9

SHA1
019734c3bfe0e8c8e20cc06da8579c6e5c4a7b20

SHA256
20cab8d661116d1907ea20b228b95a3184196706550070ff14a7806f4d6d702f

SHA512
5f64a3a43ca9636378eab47ba77b5cbd3934b9eb00ce40e350dc7c91ba218d935f1c358e899c8677629f2ec19f7c97078544278c9aa43f3ca431912347a179b4

Download Submit
memory/1984-0-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/1984-1-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/1984-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1984-9-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1984-8-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-7-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1984-6-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1984-4-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1984-3-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1984-11-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1984-10-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-14-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-23-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-22-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-21-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-20-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-19-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-18-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-17-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-16-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-15-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-13-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-12-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-54-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-55-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/1984-53-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1984-52-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1984-51-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1984-50-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1984-49-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-48-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1984-47-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1984-46-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1984-45-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1984-44-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1984-43-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-42-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-41-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-40-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-39-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-38-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-37-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-36-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1984-35-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-34-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-33-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-32-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-31-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-30-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1984-29-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1984-28-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1984-27-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1984-26-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1984-25-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1984-24-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/1984-62-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/1984-61-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1984-60-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/1984-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1984-58-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1984-57-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1984-56-0x0000000003130000-0x0000000003133000-memory.dmp

Filesize
12KB

Download
memory/1984-79-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/1984-82-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2652-81-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2652-83-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads