Analysis
max time kernel: 149s
max time network: 140s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2024 15:59
Static task: static1
Behavioral task: behavioral1
Sample: f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
Size: 732KB
MD5: f65bce220a65369379b4cca2ce085581
SHA1: 116d50a56a3d2ec07b3c742f10e41cb2152850d0
SHA256: b14e0ad4aed51e262fd9f3e3f2216e34570022b5dda68e25ca649431d7b09906
SHA512: 3467b288be9a949b5111a37befa49302e8e445ae97913c859851446ef9124cdc152f3d7f600a220935784b1b75ec75510371cb751c65a6ed45bf26ff8b6900f9
SSDEEP: 12288:9lIBMFAuXEA2VpG778J/9WWbS3ykiIAYPVhcxK:6MFAqL2VpIU/9WWbUJAYPVhcxK
Malware Config
Extracted
latentbot
asdqweqwdasdas.zapto.org
Signatures
Modifies firewall policy service 3 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Reader\\Adobe Updater Reader.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\UseNetSpread.exe = "C:\\Users\\Admin\\AppData\\Roaming\\UseNetSpread.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Executes dropped EXE 3 IoCs
pid | Process
2960 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
2824 | Adobe Updater Reader.exe
Loads dropped DLL 15 IoCs
pid | Process
2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
2960 | Adobe Updater Reader.exe
2960 | Adobe Updater Reader.exe
2960 | Adobe Updater Reader.exe
2960 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
2960 | Adobe Updater Reader.exe
2824 | Adobe Updater Reader.exe
2824 | Adobe Updater Reader.exe
2824 | Adobe Updater Reader.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Reader\\Adobe Updater Reader.exe" | reg.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2960 set thread context of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 set thread context of 2824 | 2960 | Adobe Updater Reader.exe | 37
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adobe Updater Reader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adobe Updater Reader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adobe Updater Reader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
1604 | reg.exe
3052 | reg.exe
1344 | reg.exe
3056 | reg.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
Token: 1 | 2892 | Adobe Updater Reader.exe
Token: SeCreateTokenPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeAssignPrimaryTokenPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeLockMemoryPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeIncreaseQuotaPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeMachineAccountPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeTcbPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeSecurityPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeTakeOwnershipPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeLoadDriverPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeSystemProfilePrivilege | 2892 | Adobe Updater Reader.exe
Token: SeSystemtimePrivilege | 2892 | Adobe Updater Reader.exe
Token: SeProfSingleProcessPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeIncBasePriorityPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeCreatePagefilePrivilege | 2892 | Adobe Updater Reader.exe
Token: SeCreatePermanentPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeBackupPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeRestorePrivilege | 2892 | Adobe Updater Reader.exe
Token: SeShutdownPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeDebugPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeAuditPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeSystemEnvironmentPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeChangeNotifyPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeRemoteShutdownPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeUndockPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeSyncAgentPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeEnableDelegationPrivilege | 2892 | Adobe Updater Reader.exe
Token: SeManageVolumePrivilege | 2892 | Adobe Updater Reader.exe
Token: SeImpersonatePrivilege | 2892 | Adobe Updater Reader.exe
Token: SeCreateGlobalPrivilege | 2892 | Adobe Updater Reader.exe
Token: 31 | 2892 | Adobe Updater Reader.exe
Token: 32 | 2892 | Adobe Updater Reader.exe
Token: 33 | 2892 | Adobe Updater Reader.exe
Token: 34 | 2892 | Adobe Updater Reader.exe
Token: 35 | 2892 | Adobe Updater Reader.exe
Token: SeDebugPrivilege | 2824 | Adobe Updater Reader.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
2960 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
2824 | Adobe Updater Reader.exe
2892 | Adobe Updater Reader.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2560 wrote to memory of 3016 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 30
PID 2560 wrote to memory of 3016 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 30
PID 2560 wrote to memory of 3016 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 30
PID 2560 wrote to memory of 3016 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 30
PID 3016 wrote to memory of 2900 | 3016 | cmd.exe | 32
PID 3016 wrote to memory of 2900 | 3016 | cmd.exe | 32
PID 3016 wrote to memory of 2900 | 3016 | cmd.exe | 32
PID 3016 wrote to memory of 2900 | 3016 | cmd.exe | 32
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2560 wrote to memory of 2960 | 2560 | f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe | 33
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2960 wrote to memory of 2892 | 2960 | Adobe Updater Reader.exe | 34
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2892 wrote to memory of 2876 | 2892 | Adobe Updater Reader.exe | 35
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2892 wrote to memory of 2880 | 2892 | Adobe Updater Reader.exe | 36
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2960 wrote to memory of 2824 | 2960 | Adobe Updater Reader.exe | 37
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 1680 | 2892 | Adobe Updater Reader.exe | 38
PID 2892 wrote to memory of 2740 | 2892 | Adobe Updater Reader.exe | 40
PID 2892 wrote to memory of 2740 | 2892 | Adobe Updater Reader.exe | 40
PID 2892 wrote to memory of 2740 | 2892 | Adobe Updater Reader.exe | 40
PID 2892 wrote to memory of 2740 | 2892 | Adobe Updater Reader.exe | 40
PID 2892 wrote to memory of 2740 | 2892 | Adobe Updater Reader.exe | 40
Processes
C:\Users\Admin\AppData\Local\Temp\f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f65bce220a65369379b4cca2ce085581_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2560

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSibN.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3016

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Updater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      PID: 2900

  C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2960

    C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2892

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        PID: 2876

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 1344

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        PID: 2880

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 1604

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        PID: 1680

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 3056

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\UseNetSpread.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UseNetSpread.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        PID: 2740

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\UseNetSpread.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UseNetSpread.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 3052

    C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Updater Reader.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2824
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 168B
MD5: 977bc61751f2ca8ed16df2d37298f9d1
SHA1: 637e17a297213cdc535e5a7cc3b4ca7c3d0380c0
SHA256: 6891dfb21658d11c835a68f000670b97cb98bdd401fccaddf2ae1f88cc13a399
SHA512: 9f79f1802c55b065edd35d682d1c0aa82dd389aa01f1f439efdc39d3aeb6bb27e5aa7b08589e683cad0b9525bb708f72a297d32601f2a15d385078a0a829e2a9

Filesize: 732KB
MD5: f65bce220a65369379b4cca2ce085581
SHA1: 116d50a56a3d2ec07b3c742f10e41cb2152850d0
SHA256: b14e0ad4aed51e262fd9f3e3f2216e34570022b5dda68e25ca649431d7b09906
SHA512: 3467b288be9a949b5111a37befa49302e8e445ae97913c859851446ef9124cdc152f3d7f600a220935784b1b75ec75510371cb751c65a6ed45bf26ff8b6900f9