b7b3672cfe67d75ac1b7a99786b61c5b094388e9786bd6feff80bde7f9a8e6be

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
Size

487KB
MD5

f57f9cbc889253a4af0c22e9124c4355
SHA1

38815009691932ddd1c57819f2fd90368bd33fff
SHA256

b7b3672cfe67d75ac1b7a99786b61c5b094388e9786bd6feff80bde7f9a8e6be
SHA512

b36f6776de1f131c3e1cb2b518ac34f6dd19610b2b7abb4178e7a3c7df51a9d187755e252a133b4f2594a80e464413d60f6ba4a819978a5880e604ecfc339be4
SSDEEP

12288:9JB+hGcEYFw1Ud7mtUotK6ONqOePOHnI2aPyvI:9fG7yztrwq3POH3aPyvI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	cmstp.exe

Loads dropped DLL 6 IoCs

pid	Process
3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
1968	cmstp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1968	3040	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31
PID 1968 wrote to memory of 2620	1968	cmstp.exe	31

C:\Users\Admin\AppData\Local\Temp\f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.\cmstp.exe NL-L2TP.inf
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\system32\cmstp.exe" "C:\Users\Admin\AppData\Local\Temp\{52106097-B6F1-4CAB-B73A-C94FC44117A9}\NL-L2TP.inf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NL-L2TP.cmp

Filesize
132B

MD5
3bad69bc69f20528870300594242c7b0

SHA1
cf9f7efce335e5c73d24bd7bc9b58e26d82e8b62

SHA256
186e607f7f4974f0fcf497b8c1d6a56d5dd389be688ba62f01005a456dea7c97

SHA512
ef66141a36d578ac23c07d21be54ef056cb6e52d5290567ef5a278668135b1aa98f0850365a14c4600dcf2a70f377588e5f4d734a08e0d09430fbade9886421e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NL-L2TP.cms

Filesize
2KB

MD5
730f1f395558588881c3a55a9e4665ac

SHA1
d5bdfa812c2761c2d046cf48bd49fde9e1f99b37

SHA256
21f656624953cceb2f1fd658aca35fd43c0986d22e93f5ff9eee14853c190e0d

SHA512
050b027333c5c0aeb6b333d3b8b635e42279f94b0477644f60d908eec87403468cb908459780a25eadbeb8ba8885b91b935a246bc4a4c146a98b1ac392f8feb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NL-L2TP.inf

Filesize
9KB

MD5
b32837f4e03e3fd2006f11f66eb1ec2a

SHA1
6cd9ec806b7a8df5f5172d9806d8d2df03cddc5b

SHA256
26b6fab465c9dcc47d5d0b1b1a99dd66226a6609240d09a4258153fb1e2a31eb

SHA512
78c7e5ffec03c1c28d8ed2f73dc65ccdde3160b119061943712a81c4cfe616bb087dab8b3e498e71254c55521d59af90946d10bd27113d4bc4459f28a8388d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccfg95.dll

Filesize
32KB

MD5
614f667fa7a81c1c7b5ed73575a808d2

SHA1
b06495b84b2625000017c8561f1aa22fadaf85e0

SHA256
bff2edf1550214df27fa6fd2e025c48bf876dcc7ef8d2ec792231fe810550379

SHA512
37d184d988954d56743e7ba0d78b80f75d259ed792b5413f64b5e6da1d2916ce61a58f2a3d89bfe2eb6a96a3e6ae30b2d0d7d03d47182a5cd626812561d4de73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmbins.exe

Filesize
328KB

MD5
4c7b845891ba9b39427cf52c81010a9d

SHA1
9487857b7dbf37f4e03459a99cf27b810db690fb

SHA256
8b6cec8fae83a7b685ab8d362503ae832c98cf5b194fec85f3548b268cd9f4d4

SHA512
57c2d8c3eee0e24641b2e53147885991e39b8c32818a7c0ed87644b855abf3c86fcbe10db5f187c8daf528a630dd46e6ef0a38e2c4da3b112961da610932fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmexcept.cat

Filesize
9KB

MD5
6c9ecbd57b92c5f431d93384329b9443

SHA1
f60386c95d307069905c97c25c33451c45b2b4d3

SHA256
35394c07132f1f54cade654e02031d933ec0e64deeb9da390e39182f35084e97

SHA512
e534ebbf261fcb93ef59e3843365c6720fe9c02dc2fdb78c7d1461a376b020f31ef8cc1e89252129121ef1fe34526552967123f2852f9c1091e28fb680eca758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmutoa.dll

Filesize
58KB

MD5
03a18b276488aa7c05d364de09078e32

SHA1
f8a28ca9105af4d40a78a706a768b394408b4d5b

SHA256
f007ac455248d1850a1bc009a6fe2404f5a597a180ddb41dd66622b51fdd7b03

SHA512
1027c486a4949126c0bd323620dd68a956f297731dd97ea9dd441dc4511c0beaec61c82eaa37d19efd0255cb8434a181357f3bc95a4d9d379fd8b71592028899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnet16.dll

Filesize
43KB

MD5
e9a60cec3a4ffc7ff23c3609f6edefd2

SHA1
c78c64d660858371e767fb39c60030d565b07032

SHA256
c461d6902f50790cf5e4ed023e08317fd7ee19dc8fbff6b81f81bc3052e51383

SHA512
91d77b07a1920c131de3ce7628eb4d8f652018fc944bcdcc3f60e279636145cdeea4f9ede9875284b5466eace875cdcee44217495ec174b3eceb4123b69c8615

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\instcm.inf

Filesize
5KB

MD5
d50d9154c5c2baadcf9138bd9a47ab2f

SHA1
1ccf281b3f844738596b8a1fa021be9958f96f2f

SHA256
b40284078df9e51f2d794c583cf61b72812166bcfd68949e6ce1729389890d79

SHA512
827e551d6dc4958b913343d2845ebd36855cd9dc3f56bb40aa9c1b8d54047edd18d1dfd476e653c2ef2a9d0ef0618202f65ce260de64c0211a92d6e912f1586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf16.dll

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
97KB

MD5
774348de1dea6262e06bfe1906d13d4d

SHA1
4a14b774809ed123e19ae349c32631e1f25de51e

SHA256
bae10cb915e197485823414ee42743a631299ade58724eae780b3850937e877e

SHA512
1743a9fe2f1dd88ca02673fa1d038cfc6861a3fb3202e6738ab63b72407f0746012fcb95c8d21d6a3f37234b40aa5a2bde7aabcb4de1b5238f4adaffbccbe037

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
67KB

MD5
92f5c85c3661bc65c87f161a6be90906

SHA1
5dc0cf894bd2fe89671f6116510348b959ef3126

SHA256
397face88489a020998d2ef109e9e8d864eb3628aafe47ba2f0f9bb37a4b5b37

SHA512
0d4e747a743ac402295bd67eb74e969199ba60cc791fcaca107feb50ef50e43ab01a3bbfd1d3e6d1128b5cdc2daaad59d7afbc735de8845e006c33fe018df107

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

Filesize
4KB

MD5
3ba72f4c922e9da0b0a7e4d4389eb4aa

SHA1
ca47ee77ee1be35f9193e915d0b8f1670dc16809

SHA256
c479a4b72168fab7ae6b93f7b74cc93ab05a314646330a73be56aca7452b7d72

SHA512
0f8a4a63b9b4489d713091dc04c35260e24a418975137bcf5f80a2e5253014093c1824be95ce3c10a8fa55c29101df46e89c52a15447fbc902986ada464213d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads