ee5c551c628f1d8e12b9552af557de33f7b2f1b26ab8118f5876dc3716d2f65c

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe
Size

1.2MB
MD5

faeb0dd37f78b31302f32584a087a765
SHA1

7f51e3df8f6ab33215001a95ba6899b186caeafc
SHA256

ee5c551c628f1d8e12b9552af557de33f7b2f1b26ab8118f5876dc3716d2f65c
SHA512

91cfc116cf53f0a22024a7e085314b8a85c87fd6867397001248497cc581e3d6b648d16a4d9be90b33528f225e7aab8e4da477862dce8fcce2869d362d80a0a2
SSDEEP

24576:Ec//////VEqZkTh6gazysQATrtsLDgCjGx96AxvtyrM9gdTZ7XH8/B7WTky:Ec//////uqZgkgxsNQDbjGx9pvtABpXL

Score

7^/10

discovery persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3028	11111111111111111111111111111111111111111111.exe
540	xodnf.com-dnfpomo0701B.exe

Loads dropped DLL 5 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe
2496	cmd.exe
2636	rundll32.exe
2636	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000016d36-30.dat	vmprotect

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\systemp	11111111111111111111111111111111111111111111.exe
File created	C:\Windows\SysWOW64\sfcos.dll	11111111111111111111111111111111111111111111.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	11111111111111111111111111111111111111111111.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000010300-3.dat	upx
behavioral1/memory/3028-9-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/3028-28-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\rose.jpg	11111111111111111111111111111111111111111111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111111111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xodnf.com-dnfpomo0701B.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	xodnf.com-dnfpomo0701B.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
540	xodnf.com-dnfpomo0701B.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
540	xodnf.com-dnfpomo0701B.exe
540	xodnf.com-dnfpomo0701B.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2704	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2704	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2704	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2704	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2496	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2496	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2496	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2496	2672	faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe	31
PID 2704 wrote to memory of 3028	2704	cmd.exe	34
PID 2704 wrote to memory of 3028	2704	cmd.exe	34
PID 2704 wrote to memory of 3028	2704	cmd.exe	34
PID 2704 wrote to memory of 3028	2704	cmd.exe	34
PID 2496 wrote to memory of 540	2496	cmd.exe	35
PID 2496 wrote to memory of 540	2496	cmd.exe	35
PID 2496 wrote to memory of 540	2496	cmd.exe	35
PID 2496 wrote to memory of 540	2496	cmd.exe	35
PID 3028 wrote to memory of 2596	3028	11111111111111111111111111111111111111111111.exe	36
PID 3028 wrote to memory of 2596	3028	11111111111111111111111111111111111111111111.exe	36
PID 3028 wrote to memory of 2596	3028	11111111111111111111111111111111111111111111.exe	36
PID 3028 wrote to memory of 2596	3028	11111111111111111111111111111111111111111111.exe	36
PID 3028 wrote to memory of 2620	3028	11111111111111111111111111111111111111111111.exe	37
PID 3028 wrote to memory of 2620	3028	11111111111111111111111111111111111111111111.exe	37
PID 3028 wrote to memory of 2620	3028	11111111111111111111111111111111111111111111.exe	37
PID 3028 wrote to memory of 2620	3028	11111111111111111111111111111111111111111111.exe	37
PID 2620 wrote to memory of 2636	2620	cmd.exe	40
PID 2620 wrote to memory of 2636	2620	cmd.exe	40
PID 2620 wrote to memory of 2636	2620	cmd.exe	40
PID 2620 wrote to memory of 2636	2620	cmd.exe	40
PID 2620 wrote to memory of 2636	2620	cmd.exe	40
PID 2620 wrote to memory of 2636	2620	cmd.exe	40
PID 2620 wrote to memory of 2636	2620	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faeb0dd37f78b31302f32584a087a765_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe
    C:\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\sfc.exe
      "C:\Windows\system32\sfc.exe" /REVERT
      4⤵
      System Location Discovery: System Language Discovery
      PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\del.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\AF9.tmp",Runed
        5⤵
        Loads dropped DLL
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe
    C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\rose.jpg

Filesize
68B

MD5
6c24a881dd26c9a53bc39e611834f6d7

SHA1
b606294cea3af1532644a236174ceffd3d1ae701

SHA256
bced0c5c91b8d94bfdf72a2348726c0e093784711c3e1283fabfc317dd745c3e

SHA512
a9fe841eba44bb17cbd7938c974ce5e5108a157e3241e2c70625824081b172b577fd8d1771907d582a62a9ddd39527fd341b36182bfd963d808440f9d25ec993

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF9.tmp

Filesize
47KB

MD5
15642dcd5e18b98eb8d3c50fd41a418c

SHA1
770b5b0b7b586801a67512766971b2c02a0d6eda

SHA256
ea33701f33beae443460054b2553c12d2d51b31883aa4c68ff720f127612e7ba

SHA512
c774516ea3ab0958101e2bb1d21b71b61ed40976d524240bc80062e8ba467e5e764e1ab6bbeec985c61ca2c80c9f3400f0d6e157880562f86bd5f38d52453b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\xodnf.com-dnfpomo0701B.exe

Filesize
1.1MB

MD5
be42ec34d1494c587c8cffe99ef5d5c6

SHA1
ecf6b784b3649159ab3d33dea9d3144faf0676f3

SHA256
9f59189c97391308a6e179f230135e88f3f74b4f09015c3e5403ad32dfeb619f

SHA512
7c7a54a8d742d5ddc9cbb96fba7941f8acd1e18d3a3897e5481f290f89be024eec021e92599f0ec0091a0d125bdfa2b02936ba10b5222e627ab2f13e937f2483

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
C:\del.bat

Filesize
282B

MD5
8b86309f7e201adaeb63602bfed7937f

SHA1
a554891f9fbd6838e2d4c5cbef083c2d806bcb40

SHA256
aba7aa128e82e4da1e0f45930643bc8cbc7f7053caf1c4921f372902fb5584eb

SHA512
c80ce055d34798de7811c61672ccc7f43ee2ae1d9a93f1d5560ce912783bc50a8000196c5253b160cf43119ded5659036e4478b81b55a2953d3c13fccfa19287

Download Submit
\Users\Admin\AppData\Local\Temp\11111111111111111111111111111111111111111111.exe

Filesize
35KB

MD5
5e525156a93b2765c7bedb4f91ffdaaa

SHA1
ba8397a60cd2ce6478ae4e481a5229bad257814d

SHA256
67087607947f51641c2dd9a4b5e2b200667e03a595b80a27a4ad758faebd80ae

SHA512
f946010994ba03e1f1efa32ca2b20b4688c7cfeb03a01be9cb13a02d897d333454ffafb5b384a2d5437de0a193d83b29d646fd5cb4fb1ecf33ae08bd7561320a

Download Submit
memory/540-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2672-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2704-6-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/2704-7-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/3028-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3028-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download