faee5f2aa358d90460ec781a79c7a42abd0e39d33987c8964e05f5e5f3f88334

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
Size

92KB
MD5

ee9208d33c6c8d478aab9acd914cc4b4
SHA1

7e754aea7fecc1d4e6ee9c39894bdffb2d783358
SHA256

faee5f2aa358d90460ec781a79c7a42abd0e39d33987c8964e05f5e5f3f88334
SHA512

2fd1c320abab018f5c4c6cfb2dc31734aa85cd6c10f83f5a645905cbe13354cc368a11ff67f959c5dfa4a5b6ade199d9e368a6e017e0c235226465733ddb89cf
SSDEEP

1536:92tqbVCAuhkNSAF3V06X7Yvco1l6O+9K5ipE6amZ6dED4LTVz4k:9D9EC46X7Yv/YOb3MyEDqTF

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Program Files\\Windows Media Player\\svchost.exe,"	commond.pif

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1252	commond.pif
2672	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
1252	commond.pif
1252	commond.pif
2672	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PDLL.dll	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\commond.pif	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\commond.pif	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\svchost.exe	commond.pif
File opened for modification	C:\Program Files\Windows Media Player\svchost.exe	commond.pif

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	commond.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
1252	commond.pif
1252	commond.pif
1252	commond.pif
1252	commond.pif
1252	commond.pif
1252	commond.pif
1252	commond.pif
1252	commond.pif
1252	commond.pif
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1252	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	29
PID 2840 wrote to memory of 1252	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	29
PID 2840 wrote to memory of 1252	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	29
PID 2840 wrote to memory of 1252	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	29
PID 1252 wrote to memory of 2420	1252	commond.pif	30
PID 1252 wrote to memory of 2420	1252	commond.pif	30
PID 1252 wrote to memory of 2420	1252	commond.pif	30
PID 1252 wrote to memory of 2420	1252	commond.pif	30
PID 1252 wrote to memory of 2672	1252	commond.pif	31
PID 1252 wrote to memory of 2672	1252	commond.pif	31
PID 1252 wrote to memory of 2672	1252	commond.pif	31
PID 1252 wrote to memory of 2672	1252	commond.pif	31
PID 2840 wrote to memory of 2812	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	33
PID 2840 wrote to memory of 2812	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	33
PID 2840 wrote to memory of 2812	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	33
PID 2840 wrote to memory of 2812	2840	ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files\Common Files\System\commond.pif
  "C:\Program Files\Common Files\System\\commond.pif"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$cA802.tmp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- - C:\Program Files\Windows Media Player\svchost.exe
    "C:\Program Files\Windows Media Player\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\Deleteme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Deleteme.bat

Filesize
212B

MD5
f34bfe2b47edd57aa798a83720606c21

SHA1
03efb3b3e3c6030137b58a915bafd12c2ea0e22e

SHA256
3fa56a3584b3f1f663e38371c6e76e3fbf0dcaa0d12a8cdcc28cb0169a9174e5

SHA512
6cb06833e430dce94e55883b1db1fefdd60fdc1c36e1ba25f631937276d60f439e5c20aafc523b707cef6cf17b71b68bbd13cb74ae9af767f3bbe5798b719b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$cA802.tmp.bat

Filesize
189B

MD5
f4b3ff438714dce0acfa87e7e1619e10

SHA1
200c5ca469631c36231ef2619c46ba1055c077e9

SHA256
436074ef5f35ec884020043409cc4724d59f48a03896f911948de866b0a6a65a

SHA512
ea648d26bc81dfd95f6daa32f80daa6e832b3e8c3c3736564a79cef532b41b766100e875f37f0b3ec667a749ccca37f9a60f449fc40898ccddf018b1ae2717c1

Download Submit
\Program Files\Common Files\System\commond.pif

Filesize
78KB

MD5
0083ac3f9a4485c6ab4f15ae7de011c6

SHA1
a461c464e7f3406a6937445aebfb27eef410b8cc

SHA256
f30f1323384118b14c3b4c453f408856b8b0de99a2b8de50744293dad599538f

SHA512
5d71a2db4c8e1abcfcb7e379747e7ce78ebb5a52c4a82699d40243439e1f0b393d47ced8ddb692a61f47fa569e9e64479ad72ac745cd36b0aa0136c313b14abe

Download Submit
\Windows\SysWOW64\PDLL.dll

Filesize
58KB

MD5
e71c1aa947ab8a64006e6d598bb0a546

SHA1
37d52aff9e88548a164917d37a1e26e61e5343ef

SHA256
eb73fd9c39c21ec47474f99ac5fe4a10811b267c2bd0a1e4da3097488bc39093

SHA512
323879061f3702671ec09ed364ea314616cbb318a261753607aebeaed834e337c1dd947cfc35c812e311f1163f30a8a7c89ce01b02508ff3807ea86077f52cc2

Download Submit
memory/1252-13-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1252-21-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1252-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1252-31-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2672-39-0x0000000000450000-0x000000000049B000-memory.dmp

Filesize
300KB

Download
memory/2672-38-0x0000000000450000-0x000000000049B000-memory.dmp

Filesize
300KB

Download
memory/2672-41-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2672-52-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2672-53-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2672-54-0x0000000000450000-0x000000000049B000-memory.dmp

Filesize
300KB

Download
memory/2840-7-0x00000000029A0000-0x00000000029EA000-memory.dmp

Filesize
296KB

Download
memory/2840-2-0x0000000012760000-0x000000001279A000-memory.dmp

Filesize
232KB

Download
memory/2840-37-0x0000000012760000-0x000000001279A000-memory.dmp

Filesize
232KB

Download
memory/2840-0-0x0000000012760000-0x000000001279A000-memory.dmp

Filesize
232KB

Download
memory/2840-40-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2840-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2840-50-0x0000000012760000-0x000000001279A000-memory.dmp

Filesize
232KB

Download