d45ecd813753f71f8cc83550644bbcf13539c672b731a74be8aeb1e7c9452e56

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
Size

259KB
MD5

ebae0f7205be00ee7d576833574a4553
SHA1

09104faf56af1ce877c0a2ef2ef1445bdd3538de
SHA256

d45ecd813753f71f8cc83550644bbcf13539c672b731a74be8aeb1e7c9452e56
SHA512

a5eeda74e1d83a80bd730edb215c95a5f5d68391295dc75477106d93e832101be5555537a7f0554b3f8bad74df99a42cce57271976fa7f7a886e69f3978dcc43
SSDEEP

6144:EfmHJPPBGCidJZvqJ3M0Gr1f4Nc9vRhGIL:XPPBvir4Gr1f4e

Score

10^/10

discovery evasion upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\msn.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msn.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\msn.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msn.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2140	msn.exe
2720	notepad.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-0-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/3044-19-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2556	reg.exe
2548	reg.exe
1532	reg.exe
2672	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2140	msn.exe
Token: SeCreateTokenPrivilege	2140	msn.exe
Token: SeAssignPrimaryTokenPrivilege	2140	msn.exe
Token: SeLockMemoryPrivilege	2140	msn.exe
Token: SeIncreaseQuotaPrivilege	2140	msn.exe
Token: SeMachineAccountPrivilege	2140	msn.exe
Token: SeTcbPrivilege	2140	msn.exe
Token: SeSecurityPrivilege	2140	msn.exe
Token: SeTakeOwnershipPrivilege	2140	msn.exe
Token: SeLoadDriverPrivilege	2140	msn.exe
Token: SeSystemProfilePrivilege	2140	msn.exe
Token: SeSystemtimePrivilege	2140	msn.exe
Token: SeProfSingleProcessPrivilege	2140	msn.exe
Token: SeIncBasePriorityPrivilege	2140	msn.exe
Token: SeCreatePagefilePrivilege	2140	msn.exe
Token: SeCreatePermanentPrivilege	2140	msn.exe
Token: SeBackupPrivilege	2140	msn.exe
Token: SeRestorePrivilege	2140	msn.exe
Token: SeShutdownPrivilege	2140	msn.exe
Token: SeDebugPrivilege	2140	msn.exe
Token: SeAuditPrivilege	2140	msn.exe
Token: SeSystemEnvironmentPrivilege	2140	msn.exe
Token: SeChangeNotifyPrivilege	2140	msn.exe
Token: SeRemoteShutdownPrivilege	2140	msn.exe
Token: SeUndockPrivilege	2140	msn.exe
Token: SeSyncAgentPrivilege	2140	msn.exe
Token: SeEnableDelegationPrivilege	2140	msn.exe
Token: SeManageVolumePrivilege	2140	msn.exe
Token: SeImpersonatePrivilege	2140	msn.exe
Token: SeCreateGlobalPrivilege	2140	msn.exe
Token: 31	2140	msn.exe
Token: 32	2140	msn.exe
Token: 33	2140	msn.exe
Token: 34	2140	msn.exe
Token: 35	2140	msn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2140	msn.exe
2140	msn.exe
2140	msn.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2140	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2140	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2140	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2140	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2720	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2720	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2720	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2720	3044	ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2624	2140	msn.exe	30
PID 2140 wrote to memory of 2624	2140	msn.exe	30
PID 2140 wrote to memory of 2624	2140	msn.exe	30
PID 2140 wrote to memory of 2624	2140	msn.exe	30
PID 2140 wrote to memory of 2508	2140	msn.exe	31
PID 2140 wrote to memory of 2508	2140	msn.exe	31
PID 2140 wrote to memory of 2508	2140	msn.exe	31
PID 2140 wrote to memory of 2508	2140	msn.exe	31
PID 2140 wrote to memory of 2072	2140	msn.exe	32
PID 2140 wrote to memory of 2072	2140	msn.exe	32
PID 2140 wrote to memory of 2072	2140	msn.exe	32
PID 2140 wrote to memory of 2072	2140	msn.exe	32
PID 2140 wrote to memory of 2232	2140	msn.exe	35
PID 2140 wrote to memory of 2232	2140	msn.exe	35
PID 2140 wrote to memory of 2232	2140	msn.exe	35
PID 2140 wrote to memory of 2232	2140	msn.exe	35
PID 2508 wrote to memory of 2548	2508	cmd.exe	38
PID 2508 wrote to memory of 2548	2508	cmd.exe	38
PID 2508 wrote to memory of 2548	2508	cmd.exe	38
PID 2508 wrote to memory of 2548	2508	cmd.exe	38
PID 2624 wrote to memory of 2556	2624	cmd.exe	39
PID 2624 wrote to memory of 2556	2624	cmd.exe	39
PID 2624 wrote to memory of 2556	2624	cmd.exe	39
PID 2624 wrote to memory of 2556	2624	cmd.exe	39
PID 2232 wrote to memory of 1532	2232	cmd.exe	40
PID 2232 wrote to memory of 1532	2232	cmd.exe	40
PID 2232 wrote to memory of 1532	2232	cmd.exe	40
PID 2232 wrote to memory of 1532	2232	cmd.exe	40
PID 2072 wrote to memory of 2672	2072	cmd.exe	41
PID 2072 wrote to memory of 2672	2072	cmd.exe	41
PID 2072 wrote to memory of 2672	2072	cmd.exe	41
PID 2072 wrote to memory of 2672	2072	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\msn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1532
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
  2⤵
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
332KB

MD5
09ceedd0c5af2b182284dad3fc85f0ad

SHA1
71115ab8b75371c9a25831087126af756d4d2b24

SHA256
95f7e917a9a84ede14e0966908601ce311fca8d964a32ae43ffb79c9f5216e7f

SHA512
bf3d21fb4160a84a7b3494d183c34dda90ebb977b8db088ca0032ccedeab045fb99cd86c4ee09e068470c1bbf9c53e6fbe68c153e731d373287c4d703331fd76

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
memory/3044-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3044-19-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads