f61ad38a058d71dccc6ed18ba2cb065accb4420eef38d39afa94e4068329a9be

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
Size

62KB
MD5

fababf22438aec1aaf0a3369babce8a2
SHA1

77b5fa4ed2b2830821ec4c1fb536970dc6122108
SHA256

f61ad38a058d71dccc6ed18ba2cb065accb4420eef38d39afa94e4068329a9be
SHA512

67eea8d25fb068b5fdbf776953df8ccd78a2a9dde52acef027087d772aab87feaf8e8ed6ecd0e53eb9ca57b41e478d4f178ecf807eb00089e2bedb73c4e9a448
SSDEEP

768:wfzNyAGva4H7sDGvXSqZtc4HBSw8+CPRR0X5rIVdshMgEN/IuTWl9U7:SyAVDGvXSmnHBSwCORMIdENRG9U7

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
852	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	panel.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\panel = "C:\\Users\\Admin\\AppData\\Roaming\\panel\\panel.exe -b"	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe
3028	panel.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
Token: SeDebugPrivilege	3028	panel.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
3028	panel.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 3028	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	31
PID 1716 wrote to memory of 3028	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	31
PID 1716 wrote to memory of 3028	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	31
PID 1716 wrote to memory of 3028	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	31
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 1716 wrote to memory of 852	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	32
PID 1716 wrote to memory of 852	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	32
PID 1716 wrote to memory of 852	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	32
PID 1716 wrote to memory of 852	1716	fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe	32
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21
PID 3028 wrote to memory of 1188	3028	panel.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Roaming\panel\panel.exe
    -b
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Roaming\panel\upd.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\panel\upd.bat

Filesize
1KB

MD5
fbe3f84e2e75387a01b6abcad115d301

SHA1
38715105ed8ba2e8e970af3832af045946c5c9d3

SHA256
a8514ae40b573c4449d685da219c7a1e1d70d306df14a797b764c7b489aa685f

SHA512
2e67b6ba9bd7aa7647db1a952721dfaaf34a929cc4118cee5c3c42f55ae0b0322b3c8ae467e3cda5978a34313a1dcdd2b8395cccb6b1b069e4e7f93502d38563

Download Submit
\Users\Admin\AppData\Roaming\panel\panel.exe

Filesize
62KB

MD5
fababf22438aec1aaf0a3369babce8a2

SHA1
77b5fa4ed2b2830821ec4c1fb536970dc6122108

SHA256
f61ad38a058d71dccc6ed18ba2cb065accb4420eef38d39afa94e4068329a9be

SHA512
67eea8d25fb068b5fdbf776953df8ccd78a2a9dde52acef027087d772aab87feaf8e8ed6ecd0e53eb9ca57b41e478d4f178ecf807eb00089e2bedb73c4e9a448

Download Submit
memory/1188-35-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-23-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-63-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-31-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-59-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-51-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-27-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-47-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-20-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-75-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-79-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-71-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-39-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-67-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-43-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1188-55-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1716-1-0x0000000014D00000-0x0000000014D17000-memory.dmp

Filesize
92KB

Download
memory/1716-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-0-0x0000000014D09000-0x0000000014D0D000-memory.dmp

Filesize
16KB

Download
memory/1716-2-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1716-5-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/1716-115-0x0000000014D09000-0x0000000014D0D000-memory.dmp

Filesize
16KB

Download
memory/1716-116-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/3028-15-0x0000000014D00000-0x0000000014D17000-memory.dmp

Filesize
92KB

Download
memory/3028-17-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/3028-18-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download
memory/3028-207-0x0000000014D00000-0x0000000014D17000-memory.dmp

Filesize
92KB

Download
memory/3028-208-0x0000000014D00000-0x0000000014D16000-memory.dmp

Filesize
88KB

Download