5eb32845ec057e47ed62d0ac3f86cfa7a11f94caa95038e6f07929c35e0c555b

Analysis

max time kernel
139s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Size

369KB
MD5

efbcb62c2f180599cbe7d4925e30324b
SHA1

a41da44737478a6b2180639dbf931754a04d5ee8
SHA256

5eb32845ec057e47ed62d0ac3f86cfa7a11f94caa95038e6f07929c35e0c555b
SHA512

1797f314186f51ccc246728e99260f581fe370593b0390a79068b6bd811da9231cd1583230bb460e4d1b84fa32fb779887cebc9a884128c21b44d8d0a0a3cb61
SSDEEP

6144:UQqOAE4QqtfosaF2pC3gRrxFNQ1EwU4hQ1lxKuPIYt1Iy8tZSIOZrc5ovh2/juMl:7AEwoHF8/rxTR9vx1gYo5t7OZrWfhz

Score

7^/10

discovery vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2460	cfÎÏÅ£Í¸ÊÓ.exe
2488	ÎÏÅ£Í¸ÊÓ.exe
2020	cfÎÏÅ£Í¸ÊÓ.tmp

Loads dropped DLL 11 IoCs

pid	Process
2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
2488	ÎÏÅ£Í¸ÊÓ.exe
2488	ÎÏÅ£Í¸ÊÓ.exe
2488	ÎÏÅ£Í¸ÊÓ.exe
2460	cfÎÏÅ£Í¸ÊÓ.exe
2460	cfÎÏÅ£Í¸ÊÓ.exe
2460	cfÎÏÅ£Í¸ÊÓ.exe
2020	cfÎÏÅ£Í¸ÊÓ.tmp
2020	cfÎÏÅ£Í¸ÊÓ.tmp

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2488-17-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral1/files/0x000f000000018683-16.dat	vmprotect
behavioral1/memory/2488-28-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral1/memory/2488-59-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2488	ÎÏÅ£Í¸ÊÓ.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\DcomServer\DcomServer.exe	cfÎÏÅ£Í¸ÊÓ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÎÏÅ£Í¸ÊÓ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfÎÏÅ£Í¸ÊÓ.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfÎÏÅ£Í¸ÊÓ.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2732	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	ÎÏÅ£Í¸ÊÓ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2488	ÎÏÅ£Í¸ÊÓ.exe
2488	ÎÏÅ£Í¸ÊÓ.exe
2488	ÎÏÅ£Í¸ÊÓ.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2460	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2488	2292	efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2460 wrote to memory of 2020	2460	cfÎÏÅ£Í¸ÊÓ.exe	32
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 1512	2488	ÎÏÅ£Í¸ÊÓ.exe	33
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2488 wrote to memory of 2796	2488	ÎÏÅ£Í¸ÊÓ.exe	34
PID 2796 wrote to memory of 2732	2796	cmd.exe	36
PID 2796 wrote to memory of 2732	2796	cmd.exe	36
PID 2796 wrote to memory of 2732	2796	cmd.exe	36
PID 2796 wrote to memory of 2732	2796	cmd.exe	36
PID 2796 wrote to memory of 2732	2796	cmd.exe	36
PID 2796 wrote to memory of 2732	2796	cmd.exe	36
PID 2796 wrote to memory of 2732	2796	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe
  "C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\is-6T4EL.tmp\cfÎÏÅ£Í¸ÊÓ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6T4EL.tmp\cfÎÏÅ£Í¸ÊÓ.tmp" /SL5="$400F4,53248,53248,C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2020
- C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe
  "C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 C:\WINDOWS\system32\shdocvw.dll /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /f /im empty.dat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im empty.dat
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\DcomServer\DcomServer.exe

Filesize
128B

MD5
51db95b0c7e44601365e6ae5683c373b

SHA1
5388064be80b99fe503e59c1aac62f183deb3b1b

SHA256
5038cb765d576e13aaf5b8a26fd5e30fc20a1ddd3c4dd4c3e8a488a8fccd3f3a

SHA512
f9bd35e7c0665f68641ae31487cc8e5957c17cd87593e0542e040fb06eb4df07d99a72a019b1efba0af3b939b77853624a61009ee6a139b3d792e102c0c01374

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe

Filesize
84KB

MD5
cba0fa0915bf758b46c8a67ff2e5f5b5

SHA1
de0997c8671074c632c27fbf17c657d1c4219ff4

SHA256
6a3f90d5b0a892386a31473e72a07736e2f11a7aa1c95f43e483f8fd27452b5a

SHA512
0b925dfad6caa5ba59ceba727f71b97f16e919cee178c15886f563955d5abcbdc72e4c2b17e6a18267ef7bd74ac2e2128d5e361105834711c71ffc27cc9ac479

Download Submit
\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe

Filesize
293KB

MD5
0c4bc62787fc144a93b21a94677bb3ad

SHA1
3264002ac77ffa02579ace7922446eb26fc62cf5

SHA256
b8b724b34b232d6a642d358b0dee70fd0db52be6e24386d799cd44b7812025eb

SHA512
1c566783b903ed9c064a10cbb034b42db73627b7fd5ab22b3ec012bc517e8e583fa72bdabccf5ab047c1e27be1e3d6f8159f4f675217b0348ca58991875c34b7

Download Submit
\Users\Admin\AppData\Local\Temp\is-2M0LL.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6T4EL.tmp\cfÎÏÅ£Í¸ÊÓ.tmp

Filesize
681KB

MD5
8e3e4508030c1ffdb0196309114eb841

SHA1
33656ec0c5b5ab8ce4ac566be0a95a96ec4ac40c

SHA256
6d9b3b086a0cd15c9fd32cf639c61e52d4d928d0112a7bb75e95f010e995dd2b

SHA512
6f16872abeb2de9ce3d881cf4b13778af03a305b068e99a8e59735bd4c13b5ad6f24a7aa44c2327cbfbb8351324ab85bb2157d719249fa29eb6f46061badffa4

Download Submit
memory/2020-67-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2020-63-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2020-95-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2020-84-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2020-71-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2020-61-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2292-15-0x0000000002930000-0x000000000295B000-memory.dmp

Filesize
172KB

Download
memory/2292-10-0x0000000002930000-0x000000000295B000-memory.dmp

Filesize
172KB

Download
memory/2460-30-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2460-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2460-96-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2460-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2488-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-59-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-22-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download