Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
Size: 4.5MB
MD5: fd58ad7cc72e9286a618f127fa241946
SHA1: ed076b20442a1902d5aef9b3d9a92366a8001227
SHA256: 46c6d88a45847cfe6c228d3f424e5bd9fafcd86cf22bb57026abfbe0c6d607bb
SHA512: 2ee4262a6c5416b6615df415e3c8b0564184732e70caf16e0914fd473ea447941ce835fa5def35f190874dcb01bee8883ad880a3998a2390db66e10c268e7711
SSDEEP: 98304:cN3Ofojo4j4QrWEvgeL2KIw5x7hCZKKTLUf:c1OfAsSWNe1I5ZtTLUf
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | UOGvxUCxGplRd.exe
Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
  pid | Process
  2260 | UOGvxUCxGplRd.exe
Loads dropped DLL (4 IoCs)
  pid | Process
  2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  1184 | Process not Found
  1184 | Process not Found
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UOGvxUCxGplRd.exe = "C:\\ProgramData\\UOGvxUCxGplRd.exe" | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
Drops desktop.ini file(s) (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | attrib.exe
  resource | yara_rule
  behavioral1/memory/2020-3-0x0000000000400000-0x0000000000485000-memory.dmp | upx
  behavioral1/memory/2020-13-0x0000000000400000-0x0000000000485000-memory.dmp | upx
  behavioral1/memory/2260-16-0x0000000000400000-0x0000000000485000-memory.dmp | upx
  behavioral1/memory/2260-17-0x0000000000400000-0x0000000000485000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UOGvxUCxGplRd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\7f6b3266-31c5-43a8-9547-e7911ad6fb33 | UOGvxUCxGplRd.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\nsreg = "1727565705" | UOGvxUCxGplRd.exe
Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 2260 | 2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe | 30
  PID 2020 wrote to memory of 2260 | 2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe | 30
  PID 2020 wrote to memory of 2260 | 2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe | 30
  PID 2020 wrote to memory of 2260 | 2020 | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe | 30
  PID 2260 wrote to memory of 2096 | 2260 | UOGvxUCxGplRd.exe | 32
  PID 2260 wrote to memory of 2096 | 2260 | UOGvxUCxGplRd.exe | 32
  PID 2260 wrote to memory of 2096 | 2260 | UOGvxUCxGplRd.exe | 32
  PID 2260 wrote to memory of 2096 | 2260 | UOGvxUCxGplRd.exe | 32
  PID 2260 wrote to memory of 1732 | 2260 | UOGvxUCxGplRd.exe | 34
  PID 2260 wrote to memory of 1732 | 2260 | UOGvxUCxGplRd.exe | 34
  PID 2260 wrote to memory of 1732 | 2260 | UOGvxUCxGplRd.exe | 34
  PID 2260 wrote to memory of 1732 | 2260 | UOGvxUCxGplRd.exe | 34
  PID 2260 wrote to memory of 2912 | 2260 | UOGvxUCxGplRd.exe | 36
  PID 2260 wrote to memory of 2912 | 2260 | UOGvxUCxGplRd.exe | 36
  PID 2260 wrote to memory of 2912 | 2260 | UOGvxUCxGplRd.exe | 36
  PID 2260 wrote to memory of 2912 | 2260 | UOGvxUCxGplRd.exe | 36
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
Views/modifies file attributes (1 TTPs, 3 IoCs)
  pid | Process
  2096 | attrib.exe
  1732 | attrib.exe
  2912 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe"
  depth 1, PID:2020
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\ProgramData\UOGvxUCxGplRd.exe
    command line: C:\ProgramData\UOGvxUCxGplRd.exe
    depth 2, PID:2260
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\Users\Admin\*.* " /s /d
      depth 3, PID:2096
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
      depth 3, PID:1732
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\*.* " /s /d
      depth 3, PID:2912
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (4)
Downloads

Filesize: 2.8MB
MD5: 095092f4e746810c5829038d48afd55a
SHA1: 246eb3d41194dddc826049bbafeb6fc522ec044a
SHA256: 2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA512: 7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Filesize: 4.5MB
MD5: fd58ad7cc72e9286a618f127fa241946
SHA1: ed076b20442a1902d5aef9b3d9a92366a8001227
SHA256: 46c6d88a45847cfe6c228d3f424e5bd9fafcd86cf22bb57026abfbe0c6d607bb
SHA512: 2ee4262a6c5416b6615df415e3c8b0564184732e70caf16e0914fd473ea447941ce835fa5def35f190874dcb01bee8883ad880a3998a2390db66e10c268e7711