cdcb185faf0dc11374112bad5bbbefbcf21086d4e168a9bd6c37a5221a5040b8

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
Size

385KB
MD5

f5acf31c5f763e0a4747106ba8ed8969
SHA1

62559ed2f44d2899fba04e814f3d9298966dab11
SHA256

cdcb185faf0dc11374112bad5bbbefbcf21086d4e168a9bd6c37a5221a5040b8
SHA512

d3c597e541a1aca46d022d9babc330591eaf88af33e1404ee0d9ef8c3ac1190bc2d629f58bb218ebfa5034c4878ca9b39eda315fe9002edfc4f56bb23eb4a69c
SSDEEP

12288:7kWAehJuqT4qkn6Hv12hgbUNKMUGJsIHATYeX:7kWAAuqkqTzcKMU4nHC

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1832	wanst.exe
2704	tibiacast_3_0_38.exe
2688	i.exe
2920	f.exe
2808	cres.exe
2384	webengine.exe
2928	MSBuild.exe

Loads dropped DLL 9 IoCs

pid	Process
2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
1832	wanst.exe
2688	i.exe
2688	i.exe
2688	i.exe
2920	f.exe
2384	webengine.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\webengine.exe"	webengine.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 2632	2920	f.exe	36
PID 2928 set thread context of 3048	2928	MSBuild.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wanst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	webengine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tibiacast_3_0_38.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	f.exe
2384	webengine.exe
2920	f.exe
2928	MSBuild.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2704	tibiacast_3_0_38.exe
2704	tibiacast_3_0_38.exe
2704	tibiacast_3_0_38.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2704	tibiacast_3_0_38.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2704	tibiacast_3_0_38.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2704	tibiacast_3_0_38.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2704	tibiacast_3_0_38.exe
2920	f.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2920	f.exe
2704	tibiacast_3_0_38.exe
2384	webengine.exe
2928	MSBuild.exe
2704	tibiacast_3_0_38.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	f.exe
Token: SeDebugPrivilege	2384	webengine.exe
Token: SeDebugPrivilege	2928	MSBuild.exe
Token: SeDebugPrivilege	2704	tibiacast_3_0_38.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	tibiacast_3_0_38.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2704	tibiacast_3_0_38.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1832	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2704	2352	f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 1832 wrote to memory of 2688	1832	wanst.exe	33
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2920	2688	i.exe	34
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2688 wrote to memory of 2808	2688	i.exe	35
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2632	2920	f.exe	36
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2920 wrote to memory of 2384	2920	f.exe	37
PID 2384 wrote to memory of 2928	2384	webengine.exe	38
PID 2384 wrote to memory of 2928	2384	webengine.exe	38
PID 2384 wrote to memory of 2928	2384	webengine.exe	38
PID 2384 wrote to memory of 2928	2384	webengine.exe	38
PID 2384 wrote to memory of 2928	2384	webengine.exe	38
PID 2384 wrote to memory of 2928	2384	webengine.exe	38
PID 2384 wrote to memory of 2928	2384	webengine.exe	38

C:\Users\Admin\AppData\Local\Temp\f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\wanst.exe
  "C:\Users\Admin\AppData\Local\Temp\wanst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\i.exe
    "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\f.exe
      "C:\Users\Admin\AppData\Local\Temp\f.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MSBuild.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\cres.exe
      "C:\Users\Admin\AppData\Local\Temp\cres.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2808
- C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe
  "C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cres.exe

Filesize
44KB

MD5
7d0c385b70aaf0cc90753409ef113763

SHA1
1d9c314fda8e10b144d5a99bb7a1c4be1b51be7d

SHA256
67bcb70ec124d342f1581114d0368fead96158a148cf8da05c0207f404fb4a7b

SHA512
5efd3ce53d7445423fe7b0ade2080a7cdf79e42b6fe01871be623833394f41607c874b05a8bef0b792d934e24413a3f89aaebc648294c35668d30c5d07f9ebee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe

Filesize
257KB

MD5
bccdae521b71140a50bf633cb184e801

SHA1
db01324fd4b3fe558a70f740465a1605e0fd14aa

SHA256
d7570dfba348316b29f21ccd4e33ad2611869b2278cc3965cc66e4866f1bf993

SHA512
6547a63f7e7c1a66dd507fe1bc6cc6b03a9df15f5e3ab371ce95dbaf45dbc70a748927cabdfe3a2ca3427b8e99d9dbd7c0f5bd6ee9a0ef3f58bd594d058d56ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wanst.exe

Filesize
232KB

MD5
c3fda9f623a64602ebb02d5cdbc39648

SHA1
598d8ebd6a63b405fd80db20457499ddc51c0071

SHA256
67a992609c637d8b416734ca1077e975015ab3bcf16f19b375e22c5878be07bc

SHA512
b1db4cb2b59d5306da9c4eb8ba091c9e32276046671dce3b9e994acd7e87bbd1a99ca18ed63156f59886f37e0f4a5df6613f2332103b7a952a4e095544f44eaf

Download Submit
C:\Users\Admin\AppData\Roaming\f0w8uhy98yur9c8qy38cy82yrc280quafu89uya89dh\f0w8uhy98yur9c8qy38cy82yrc280quafu89uya89dh.txt

Filesize
29B

MD5
af624ec478d796f3e708453ffc23d96a

SHA1
5bc437a06da06b6e228590d1c472d51dcfbc2701

SHA256
6c2477e2514e0fa35d850996d343c1af9cee9b8b34559f63df403b3df03cbb8a

SHA512
8f2dc710c72edbfc01ca3ae706221c0594183819e61d7cf14fbe03e720123694af072100469845bf05849bbd7d983b5933eddc2963a079d607c65c6511384407

Download Submit
\Users\Admin\AppData\Local\Temp\f.exe

Filesize
98KB

MD5
df69062cc95628560fe90f40759be1f1

SHA1
ec1dfb0ca85753129e8bab94d83137ab70eb5bea

SHA256
aa798d45ed5c948fef634e0a8fe1893ca1f68569a52b41bf4152231b334ea382

SHA512
2d87b6e753bc5b94590d02c35504aef1b95d6c9db866bcdee738a7c2f10fd68370f80b07c75ed285e5c3da9c77f46f0b6f7b8f69316856a1f75f8a172af40aa1

Download Submit
\Users\Admin\AppData\Local\Temp\i.exe

Filesize
183KB

MD5
50f5edc93e9565a0dcc86a1b1bbf22df

SHA1
158af3b4d8a442e9b3778f01d4ae8f8ea92783c9

SHA256
bb7e3f6c0ebe2720e2e79bc9a6972aec7722a48807799d7b76282e36dfd54182

SHA512
7ba6c28261d3f26894121f1fb670cce16df99a8c91fc796c3ca0c9c8df91475d4f3ffc9dcb08d2611f6881a86f75120abec3ceb394011d2ae61cdb3b7e013af1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe

Filesize
8KB

MD5
8117d80b0e093b8a22808439e98f8438

SHA1
95e85605a119569be1171e738ab1933d72b4d4ac

SHA256
e1d07433984dc20260f212e464fcdd75e0cca098b4c40d9d940ad71995e74699

SHA512
bef89879f3b5e3b9a3cad130ef33ca6d9a6b55e0b47dd6c47fd94efb343bf9b5d904bdccc52e2416ac68d12a1077102a2015fd8c9f92defcb83514f0d10e06a3

Download Submit
memory/2632-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-59-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-58-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2808-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download