01fea3dcf68f240ca97669247d80288a44040c2619c2303bcb0018038bd452f4

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 21:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe
Size

131KB
MD5

ee7a0a3d99519a67cc6c8f891c6353c8
SHA1

c76d726eccdd260fc0fede7f1a32043caf870686
SHA256

01fea3dcf68f240ca97669247d80288a44040c2619c2303bcb0018038bd452f4
SHA512

490e3306a13707ea7d4221ab751d6e6cf35c23b2969abbe378e41df19ecccb7c1102ff54df4e9c4b897b4ea51dca4f9ae448d5081178c00df36e7263575ae97e
SSDEEP

1536:kq3+5FxBEaK6wkpyUzpEqDrSxezb9AtnHPJ3hNs7izVJBvSqmHvJTMzUQgpEXXDg:kF5ixQpLDLzZAdF7ztvSjpydgarH

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2516	netsh.exe

Deletes itself 1 IoCs

pid	Process
1628	EXPLORER.EXE

Loads dropped DLL 1 IoCs

pid	Process
1628	EXPLORER.EXE

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPLORER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPLORER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2568	ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1628	2568	ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1628	2568	ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1628	2568	ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1628	2568	ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2516	1628	EXPLORER.EXE	31
PID 1628 wrote to memory of 2516	1628	EXPLORER.EXE	31
PID 1628 wrote to memory of 2516	1628	EXPLORER.EXE	31
PID 1628 wrote to memory of 2516	1628	EXPLORER.EXE	31
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32
PID 1628 wrote to memory of 2532	1628	EXPLORER.EXE	32

C:\Users\Admin\AppData\Local\Temp\ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee7a0a3d99519a67cc6c8f891c6353c8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\syswow64\EXPLORER.EXE
  C:\Windows\syswow64\EXPLORER.EXE
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\syswow64\netsh.exe
    netsh firewall add allowedprogram program = "C:\Windows\syswow64\EXPLORER.EXE" name = "Windows Explorer" mode = ENABLE scope = ALL profile = ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\syswow64\EXPLORER.EXE
    C:\Windows\syswow64\EXPLORER.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{55321987-5432-0977-4332-987654311088}.exe

Filesize
131KB

MD5
ee7a0a3d99519a67cc6c8f891c6353c8

SHA1
c76d726eccdd260fc0fede7f1a32043caf870686

SHA256
01fea3dcf68f240ca97669247d80288a44040c2619c2303bcb0018038bd452f4

SHA512
490e3306a13707ea7d4221ab751d6e6cf35c23b2969abbe378e41df19ecccb7c1102ff54df4e9c4b897b4ea51dca4f9ae448d5081178c00df36e7263575ae97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55321987-5432-0977-4332-987654311088}.tmp

Filesize
131KB

MD5
8489e883bbb2783084d9bcef0d0e4f3a

SHA1
d2260ee03d4343479f9b1abdf015e6374493bfc3

SHA256
b8d0b284fdeeb4d721098f2b1553a573746c59252ec72a89ae73bf68dee62769

SHA512
de744a9b3a66cdae2dc611b130e147c842c2871e12f161b7987ea87b347178d0fcbfda013a345c5e3887ddec9ce65b499560398b4f25a7dd4cf8495454d574e3

Download Submit
memory/1628-146-0x00000000001A0000-0x0000000000421000-memory.dmp

Filesize
2.5MB

Download
memory/1628-4-0x00000000001A0000-0x0000000000421000-memory.dmp

Filesize
2.5MB

Download
memory/1628-14-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/1628-6-0x00000000001A0000-0x0000000000421000-memory.dmp

Filesize
2.5MB

Download
memory/1628-13-0x00000000001A0000-0x0000000000421000-memory.dmp

Filesize
2.5MB

Download
memory/2532-33-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-48-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-21-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-24-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-27-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-30-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-36-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-60-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-39-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-45-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-42-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-15-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-54-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-51-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-57-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-152-0x00000000001A0000-0x0000000000421000-memory.dmp

Filesize
2.5MB

Download
memory/2532-18-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-63-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-75-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-72-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-69-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2532-66-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2568-5-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download
memory/2568-0-0x0000000013130000-0x000000001315B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads