4611720595e7135ac2727fababd0cc0ea238fcfb01e44222d805de94fc8a9967

Analysis

max time kernel
19s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
Size

1.4MB
MD5

eabf85f17e04e702dd5a3c52a27810a7
SHA1

1c566c56e479c460f52926890c0cc9ae10da2d0c
SHA256

4611720595e7135ac2727fababd0cc0ea238fcfb01e44222d805de94fc8a9967
SHA512

b3dc128968e5090e5eda3bf978e9475587c42c8995f2f7b4d4b9450706558c91815ded2e840b792f6ac9e137250e258e5ce5520e7f48bde8f253b47e7e990b34
SSDEEP

24576:21dHXRwSGDxmaSgmPbTqH7S/LNeIYTzOr+nLBV6t9nBahpj10Yd:21dHhwSGDIax7oezOqtVYEh0S

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	dxwg.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe

Loads dropped DLL 13 IoCs

pid	Process
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2780	dxwg.exe
2780	dxwg.exe
2780	dxwg.exe
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2780	dxwg.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\369774CA.cfg	dxwg.exe
File opened for modification	C:\Windows\SysWOW64\369774CA.dll	dxwg.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\d7ba6e.drv	dxwg.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WAIGUA\dxwg.exe	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
File opened for modification	C:\Program Files\WAIGUA\dxwg.exe	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
File created	C:\Program Files\WAIGUA\µØÏÂ³ÇÓëÓÂÊ¿.exe	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
File opened for modification	C:\Program Files\WAIGUA\µØÏÂ³ÇÓëÓÂÊ¿.exe	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Ying-UnInstall.exe	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
File opened for modification	C:\Windows\Ying-UnInstall.exe	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	µØÏÂ³ÇÓëÓÂÊ¿.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{369774CA-7CB4-4A3F-A9A9-77D6BC53CB3B}\InprocServer32\ThreadingModel = "Apartment"	dxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{369774CA-7CB4-4A3F-A9A9-77D6BC53CB3B}\InprocServer32	dxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	dxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{369774CA-7CB4-4A3F-A9A9-77D6BC53CB3B}	dxwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{369774CA-7CB4-4A3F-A9A9-77D6BC53CB3B}\InprocServer32	dxwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{369774CA-7CB4-4A3F-A9A9-77D6BC53CB3B}\InprocServer32\ = "369774CA.dll"	dxwg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2780	dxwg.exe
2780	dxwg.exe
2780	dxwg.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2780	dxwg.exe
2780	dxwg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeBackupPrivilege	2780	dxwg.exe
Token: SeRestorePrivilege	2780	dxwg.exe
Token: SeBackupPrivilege	2780	dxwg.exe
Token: SeRestorePrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe
Token: SeDebugPrivilege	2780	dxwg.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2780	dxwg.exe
2780	dxwg.exe
2780	dxwg.exe
2780	dxwg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2172	µØÏÂ³ÇÓëÓÂÊ¿.exe
2780	dxwg.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2780	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2172	2716	eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe	30
PID 2780 wrote to memory of 388	2780	dxwg.exe	31
PID 2780 wrote to memory of 388	2780	dxwg.exe	31
PID 2780 wrote to memory of 388	2780	dxwg.exe	31
PID 2780 wrote to memory of 388	2780	dxwg.exe	31
PID 2780 wrote to memory of 388	2780	dxwg.exe	31
PID 2780 wrote to memory of 388	2780	dxwg.exe	31
PID 2780 wrote to memory of 388	2780	dxwg.exe	31

C:\Users\Admin\AppData\Local\Temp\eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabf85f17e04e702dd5a3c52a27810a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\WAIGUA\dxwg.exe
  "C:\Program Files\WAIGUA\dxwg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~1\WAIGUA\dxwg.exe >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- C:\Program Files\WAIGUA\µØÏÂ³ÇÓëÓÂÊ¿.exe
  "C:\Program Files\WAIGUA\µØÏÂ³ÇÓëÓÂÊ¿.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WAIGUA\µØÏÂ³ÇÓëÓÂÊ¿.exe

Filesize
602KB

MD5
ad949753c842bf4dbb5792e3363afdba

SHA1
260459aedb18dc7d8e8a9e9c45c959cd42051bce

SHA256
2bd05be4ee1934c60fe2f948aeef5479995c378acb87674d3ccd7f7910636f74

SHA512
6705efd42d5e7ea54d89f7203ac059398bd652bc19551c17c907806fbc82e15572b178a470fce1d93b8287e290cde8e5059213ca5f093518da46a6fbdb6e5c65

Download Submit
\Program Files\WAIGUA\dxwg.exe

Filesize
20KB

MD5
3b594227f57c21e9d65dfc1ed7c8a2bd

SHA1
34d92bfe1f57ac52be7b14af978164ae6de2ba1e

SHA256
4622f0264eccdf483871f4d6cef80624507fe1ba241b56b1660fc8126d4eba7d

SHA512
efb78302120a117cf7d1e604a5ed2942e14ae62b613ce8fa1b2623d911cc1807d44530cf25da30bdb954270e3255a5984a447a12b776c67f461c07f86adff37d

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
\Windows\SysWOW64\369774CA.dll

Filesize
160KB

MD5
c189d82cb272f3bfa4f71dea0cf63233

SHA1
f3382bd9dae377921dcb11acaded065593ac13e4

SHA256
b6e540c6f674aa7d1cd4490b5401f22ec0d61f891afbbaa09a293ce898d2462c

SHA512
19ad7d950c436b35e226fdc8c1bdb4f68bed8ab84cfa528ac4612ac710825a99abf0d9333ecab51b6ed61e30239d21a61f9bf3f899e999825425790376934406

Download Submit
memory/2172-42-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2172-62-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/2172-61-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2716-31-0x00000000005E0000-0x00000000005F9000-memory.dmp

Filesize
100KB

Download
memory/2716-41-0x00000000005E0000-0x00000000005F9000-memory.dmp

Filesize
100KB

Download
memory/2780-58-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2780-63-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2780-64-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download