ef7d43ada28a3ce27c5a88bfc93282f83179f4d8fe3732824696eec9a9de1c39

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe
Size

79KB
MD5

e1cd9b6139c606264db62a2570d7d163
SHA1

3acb5dbb2e03d0b302b58b09a0d3cde77d5bf8ff
SHA256

ef7d43ada28a3ce27c5a88bfc93282f83179f4d8fe3732824696eec9a9de1c39
SHA512

098c9f0a24c1aa93533f9b040aebf8aaf7fe9e1828afe50eb9dccf2afb3b3866c633a8471fcd5543d40ed7777fa47653e46e3199a260760659594d6c11e6af11
SSDEEP

1536:GQuTga8X62MTaUMMnMMMMMQqvuOYQIYQD7eRxA3PtYqcb+sCcNyOa+Mys9H1TDr:FukHFUMMnMMMMMX7I7D7eRa3FYqcbf5U

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Executes dropped EXE 1 IoCs

pid	Process
2748	umsveovoON.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe
2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe
2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe
2748	umsveovoON.exe
2748	umsveovoON.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2748	2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2748	2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2748	2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2748	2312	e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe	30
PID 2748 wrote to memory of 1184	2748	umsveovoON.exe	21

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	umsveovoON.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	umsveovoON.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e1cd9b6139c606264db62a2570d7d163_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\ProgramData\umsveovoON.exe
    C:\ProgramData\umsveovoON.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppCert DLLs

T1546.009

Privilege Escalation

Event Triggered Execution

T1546

AppCert DLLs

T1546.009

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\umsveovoON.exe

Filesize
1.2MB

MD5
090ea324bb98898ff37599f535af9009

SHA1
d84b8a7f41aabf28b387f70b13689046b2978f7a

SHA256
95953c1c35537af0db29209529976ddcb160b5b940f70357086a7dd5b023e833

SHA512
dba5766e6d47e3972a399b29855ae5910a17704ed990934eb0765ec6cdcf0474a765d5d6cae428ad7389b462a283d33b9e93c23077efa44630658c12db6b2319

Download Submit
memory/1184-11-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2312-0-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/2312-2-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2312-13-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2312-9-0x0000000000400000-0x000000000091E000-memory.dmp

Filesize
5.1MB

Download
memory/2748-15-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download