d5ea7e53bfdace00c01781ef2d026bb264c53803459531fa7ef07d2dbc4158f9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
Size

557KB
MD5

ec90b4de097dfeea48bbc6c0438581da
SHA1

5b21e8efc42ddc679e021e756969ef580aa1e6ac
SHA256

d5ea7e53bfdace00c01781ef2d026bb264c53803459531fa7ef07d2dbc4158f9
SHA512

36557c4ced96f74d1f6a13e8e647a0d67420e15a5b19db72f3f0481f02b3d7bce4d50bba559165ac971c05c91f675c21b13ca62af86599a7ea115da4bf10d183
SSDEEP

12288:ZSh44rv+koAv0MPaFrkocOh+tt+T46pSKjl2Y8rk6:ZSdSkoaU7cOh+2464KjlR4k6

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xpsystem.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xpsystem.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KillJpg.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrun.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
2208	ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec90b4de097dfeea48bbc6c0438581da_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\THHXO5RX\winrun[1].htm

Filesize
88B

MD5
bcd8edb015ddc9e31e8e1b4657c3df43

SHA1
d320e044bc0ed73e557a885a1a47714b8c85200e

SHA256
37646c67c0e8429e6fbfc56678a20fd311cb48d0cb19bb5097078968f0673f37

SHA512
2a1497b35930c516a0f5bf75be460eff986b08d2ed0331dd702be5533b88198a59a41f39252809ef83b455bcf4d07ab0d9723494e8008a9578d0509a643cd6cc

Download Submit
C:\Windows\SysWOW64\xpsystem.exe

Filesize
557KB

MD5
ec90b4de097dfeea48bbc6c0438581da

SHA1
5b21e8efc42ddc679e021e756969ef580aa1e6ac

SHA256
d5ea7e53bfdace00c01781ef2d026bb264c53803459531fa7ef07d2dbc4158f9

SHA512
36557c4ced96f74d1f6a13e8e647a0d67420e15a5b19db72f3f0481f02b3d7bce4d50bba559165ac971c05c91f675c21b13ca62af86599a7ea115da4bf10d183

Download Submit