Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 23:50
Behavioral task: behavioral1
Sample: ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Size: 56KB
MD5: ec6ca99af8372e9e0aac3554e5a5ea66
SHA1: e2308f5ee966218ebca095ff08a496f8c50ca523
SHA256: 6d59f5b6bed43804ea372c82ab89bef56f7da0a4cd4d710c9bc24a61b020cfff
SHA512: ff52449480f82c05ab160ccc242aa8f466e152a87f0886bb19adc8872b00bc28733676f252af459dc4675b5c6a35d7c917c79f6b38335bec9c953ca7685d82d2
SSDEEP: 1536:wet+aF08bJKazAy4Y7wxpU41o3eqOlAh:8U0gzAy4Yk7q3eH0
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 36 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ati2evxx.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvcUI.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rising.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVsrvXP.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtimer.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ati2evxx.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rising.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvcUI.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtimer.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVsrvXP.exe | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\atielf.dat | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tpnc.bat | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wpcap.dll | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3948 | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe (this same row is repeated for all 64 IoCs)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
660 | Process not Found
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3948 | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 3948 wrote to memory of 2752 | 3948 | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe | 83
PID 3948 wrote to memory of 2752 | 3948 | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe | 83
PID 3948 wrote to memory of 2752 | 3948 | ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe | 83
PID 2752 wrote to memory of 2964 | 2752 | cmd.exe | 85
PID 2752 wrote to memory of 2964 | 2752 | cmd.exe | 85
PID 2752 wrote to memory of 2964 | 2752 | cmd.exe | 85
PID 2964 wrote to memory of 3108 | 2964 | net.exe | 86
PID 2964 wrote to memory of 3108 | 2964 | net.exe | 86
PID 2964 wrote to memory of 3108 | 2964 | net.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec6ca99af8372e9e0aac3554e5a5ea66_JaffaCakes118.exe"
  PID: 3948
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\tpnc.bat
      PID: 2752
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          Command line: net stop sharedaccess
          PID: 2964
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop sharedaccess
              PID: 3108
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 21B
MD5: 7b16cc4ebd5af5d255eeb8a7b487875b
SHA1: 3f679d76efb21f7b2249ddc2a0d8a68d71220d16
SHA256: 5040cfcc7def4d52830218981dc6cb729abe9eb3b1a38d8df5c56698336098b1
SHA512: 7f16419eddc8cedb0e133fe482a958cf6997b8b30456a3f3949066e9279fef888e1297065850f77bdae189a5d93e6bc69eb6e33d73ef1e0d64642f2fb2ff61d0