bd8dd45285c8dc69f46910f3076392a4cffb67d523a40dff324cc4378d848d09

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Size

548KB
MD5

faeead23b7fcdbbd68306a094a77b863
SHA1

fa79021ca0e27c9885a927a3323581d80da1d46e
SHA256

bd8dd45285c8dc69f46910f3076392a4cffb67d523a40dff324cc4378d848d09
SHA512

1cf383cb23533b1477d80e01f11e19adbce4b8b335e09c245a5383cad3cda8a45ee71928a84570682aa668f440f4352271175539e6a701e4b2174298212ea3e4
SSDEEP

6144:cRO63Q738NwY7AmlGR0uYFpvcrfgcGS52C7pzEYK2iEC4aZbhhIUrx1KO589Mv84:s53Qb8IWGR0LGgDSEEPC4aFIUb5h

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2820	svchost.exe
2572	svchost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\\|MicServicego	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\\|MicServicego\ = "Service"	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\syswow64\desktop.dat	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
File opened for modification	C:\Windows\syswow64\comij\$$$.dat	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
File created	C:\Windows\syswow64\comij\winlogon.dat	svchost.exe
File created	C:\Windows\syswow64\comij\winhelper.dat	svchost.exe
File created	C:\Windows\syswow64\comij\winhelper.dll	svchost.exe
File created	C:\Windows\syswow64\comij\$$$.dat	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
File created	C:\Windows\syswow64\comij\roptions.ini	svchost.exe
File opened for modification	C:\Windows\syswow64\comij\roptions.ini	svchost.exe
File opened for modification	C:\Windows\syswow64\comij\roptions.ini	svchost.exe
File created	C:\Windows\syswow64\comij\winlogon.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
2572	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSecurityPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeShutdownPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeDebugPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeUndockPrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 33	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 34	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 35	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeTakeOwnershipPrivilege	2820	svchost.exe
Token: SeLoadDriverPrivilege	2820	svchost.exe
Token: SeSystemProfilePrivilege	2820	svchost.exe
Token: SeSystemtimePrivilege	2820	svchost.exe
Token: SeProfSingleProcessPrivilege	2820	svchost.exe
Token: SeIncBasePriorityPrivilege	2820	svchost.exe
Token: SeCreatePagefilePrivilege	2820	svchost.exe
Token: SeShutdownPrivilege	2820	svchost.exe
Token: SeDebugPrivilege	2820	svchost.exe
Token: SeSystemEnvironmentPrivilege	2820	svchost.exe
Token: SeRemoteShutdownPrivilege	2820	svchost.exe
Token: SeUndockPrivilege	2820	svchost.exe
Token: SeManageVolumePrivilege	2820	svchost.exe
Token: 33	2820	svchost.exe
Token: 34	2820	svchost.exe
Token: 35	2820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2572	svchost.exe
Token: SeIncreaseQuotaPrivilege	2572	svchost.exe
Token: SeSecurityPrivilege	2572	svchost.exe
Token: SeTakeOwnershipPrivilege	2572	svchost.exe
Token: SeLoadDriverPrivilege	2572	svchost.exe
Token: SeSystemtimePrivilege	2572	svchost.exe
Token: SeShutdownPrivilege	2572	svchost.exe
Token: SeSystemEnvironmentPrivilege	2572	svchost.exe
Token: SeUndockPrivilege	2572	svchost.exe
Token: SeManageVolumePrivilege	2572	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	DllHost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2820	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2820	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2820	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2820	2784	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	31
PID 2572 wrote to memory of 256	2572	svchost.exe	1
PID 2572 wrote to memory of 332	2572	svchost.exe	2
PID 2572 wrote to memory of 368	2572	svchost.exe	3
PID 2572 wrote to memory of 376	2572	svchost.exe	4
PID 2572 wrote to memory of 416	2572	svchost.exe	5
PID 2572 wrote to memory of 460	2572	svchost.exe	6
PID 2572 wrote to memory of 476	2572	svchost.exe	7
PID 2572 wrote to memory of 484	2572	svchost.exe	8
PID 2572 wrote to memory of 596	2572	svchost.exe	9
PID 2572 wrote to memory of 672	2572	svchost.exe	10
PID 2572 wrote to memory of 756	2572	svchost.exe	11
PID 2572 wrote to memory of 812	2572	svchost.exe	12
PID 2572 wrote to memory of 836	2572	svchost.exe	13
PID 2572 wrote to memory of 992	2572	svchost.exe	15
PID 2572 wrote to memory of 292	2572	svchost.exe	16
PID 2572 wrote to memory of 688	2572	svchost.exe	17
PID 2572 wrote to memory of 1076	2572	svchost.exe	18
PID 2572 wrote to memory of 1116	2572	svchost.exe	19
PID 2572 wrote to memory of 1172	2572	svchost.exe	20
PID 2572 wrote to memory of 1204	2572	svchost.exe	21
PID 2572 wrote to memory of 1452	2572	svchost.exe	23
PID 2572 wrote to memory of 1652	2572	svchost.exe	24
PID 2572 wrote to memory of 944	2572	svchost.exe	25
PID 2572 wrote to memory of 2288	2572	svchost.exe	26
PID 2572 wrote to memory of 2068	2572	svchost.exe	27
PID 2572 wrote to memory of 2724	2572	svchost.exe	30

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:460
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1652
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2724
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:836
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:992
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:292
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:688
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1452
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2288
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2068
- - C:\Windows\syswow64\comij\svchost.exe
    C:\Windows\syswow64\comij\svchost.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\syswow64\comij\svchost.exe
    C:\Windows\syswow64\comij\svchost.exe /i
    3⤵
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.jpg

Filesize
14KB

MD5
1c3adf5fe922959b79ed1fed3ebf416a

SHA1
195f9c141c108c58731feb1189156befe42e9cc1

SHA256
c3a0e9115d65c5d60a244d8e26fee3c9b156290aec927a45662b97e0dbee713b

SHA512
315414d9b1cca23b8cf2d2619ca69cbf6eb5bd6ebc3f45d174d85c8f6df65e6012dec9f5b776671aa5c1571f54a81515a0a346aae89ccb581e1b05f515194620

Download Submit
C:\Windows\syswow64\comij\roptions.ini

Filesize
520B

MD5
fabc492a8d64ad3563e0f4e06c1a9065

SHA1
c6f4435e24ce10877aaf7e4c4bd4cb60532d965d

SHA256
0a916eadc565190fd85b05a68dc7b4b1ee18ab0d4e51c66c5b4cab90ce55fe58

SHA512
31656eaece0fed5999586e061bd716858494749b0386ef3143662c0f65fa72b2de1a444fd30de2c994b5377ac6280d0838aadac25381b423c6b652bc562517be

Download Submit
\Windows\SysWOW64\comij\svchost.exe

Filesize
504KB

MD5
d8ab639771c8d20d8e2feb0d3be75186

SHA1
0d7ee6bc86fb182b5823c4a76a78ec936fc02b63

SHA256
fb3e694ad8c9c4d528af2cdb935acc3811795c07b2a2406ad3a25da1a2351fc7

SHA512
c7324fd3107b36687bd30d0067d9bbb24fe410d20b7ed2ac8545a0f3801f6895be2098d762cca55f1f4a9c3256ba154f1320d8a454ad08a49b38d18d5d1b3b24

Download Submit
memory/256-29-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2572-64-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2572-75-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2572-72-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2572-69-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2572-67-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2724-63-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2724-5-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2724-9-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2784-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2784-4-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2820-22-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download