ec75806a9a46dcba221a1ec85e61bf1d76c0d28c800b56af7d042edcdc4e6b6c

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
Size

312KB
MD5

eb9d712db4b0f8a173f6fd5c493c6c5d
SHA1

7683f50f60b9aac555c6e96774813de469e3c947
SHA256

ec75806a9a46dcba221a1ec85e61bf1d76c0d28c800b56af7d042edcdc4e6b6c
SHA512

c57d2a9fb7eabf7ddb9d7fd4fef255d1a64d4c1a7ebfc7eb84c32d3a09a32e2b6af99dac4e3c5554fe6d7a6acc7c815b7d00e215bf849034367fe01a1205c855
SSDEEP

6144:CaUNxXFIZW84aKqRROWHKe4Df+DKt3MghUOr5dBbTI9B14R:Dmx13Rqnj4OKt8ghUyVbE

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	dNmCcEjDkJp09100.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	dNmCcEjDkJp09100.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dNmCcEjDkJp09100 = "C:\\ProgramData\\dNmCcEjDkJp09100\\dNmCcEjDkJp09100.exe"	dNmCcEjDkJp09100.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\K:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\L:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\Q:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\V:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\W:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\R:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\Z:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\J:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\M:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\P:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\S:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\X:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\Y:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\G:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\H:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\I:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\N:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\O:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\T:	dNmCcEjDkJp09100.exe
File opened (read-only)	\??\U:	dNmCcEjDkJp09100.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dNmCcEjDkJp09100.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	dNmCcEjDkJp09100.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
2800	dNmCcEjDkJp09100.exe
2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
Token: SeDebugPrivilege	2800	dNmCcEjDkJp09100.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2800	dNmCcEjDkJp09100.exe
2800	dNmCcEjDkJp09100.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2800	dNmCcEjDkJp09100.exe
2800	dNmCcEjDkJp09100.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	dNmCcEjDkJp09100.exe
2800	dNmCcEjDkJp09100.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2800	2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2800	2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2800	2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2800	2240	eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\ProgramData\dNmCcEjDkJp09100\dNmCcEjDkJp09100.exe
  "C:\ProgramData\dNmCcEjDkJp09100\dNmCcEjDkJp09100.exe" "C:\Users\Admin\AppData\Local\Temp\eb9d712db4b0f8a173f6fd5c493c6c5d_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\dNmCcEjDkJp09100\dNmCcEjDkJp09100.exe

Filesize
312KB

MD5
92bc45fb1e73c720e53cf821749a40c7

SHA1
66575bc87cf7269ded744546358989da3054f82c

SHA256
b92ddf96d8c3bb305712b2f50bca079d45e70211f951303281a5e51250555397

SHA512
c92c71574928421f6d80ec55937284b08ba2bbe5151f9e63be0f29fe9d06967aa59dc65c4c4498cfb99e4d822a2ef3b3b39154f78af73dd1fceecdd6ca2384a6

Download Submit
memory/2240-27-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2240-29-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2240-3-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2240-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2240-60-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2240-1-0x0000000076F40000-0x0000000076F41000-memory.dmp

Filesize
4KB

Download
memory/2240-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2240-17-0x0000000002330000-0x0000000002433000-memory.dmp

Filesize
1.0MB

Download
memory/2800-23-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2800-28-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2800-24-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2800-30-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2800-45-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2800-18-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download