Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 00:44

General

  • Target

    fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    fb317b990f2f41f7de3a4be4d67db9b2

  • SHA1

    3890c26a6052090c88c953b01a69b7e19439442b

  • SHA256

    5d779261d7787da657d9e77b3dee4a4371f3f5432592ad8c60e8863209f2285c

  • SHA512

    c9efcca432a770e06877d51f4fec58412a569c9ee5a335d2d5ff6b2f1c9185b8a6e5cfb7e1ee279401b8716f71be996633bc87b2f420c64c21441b7539094986

  • SSDEEP

    3072:m6cpbetNSe92q0158JUMD3cvC5qrI/q07:m6cBetke92q458qYKCwrR07

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 4 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Drops file in System32 directory 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Discovers systems in the same network 1 TTPs 4 IoCs
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\avp.exe
        C:\Users\Admin\AppData\Local\Temp\avp.exe
        3⤵
        • Server Software Component: Terminal Services DLL
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1092
        • C:\Windows\SysWOW64\NotePAD.exe
          NotePAD.exe "C:\Users\Admin\AppData\Local\Temp\VMvareDnd.log"
          4⤵
          • System Location Discovery: System Language Discovery
          • Opens file in notepad (likely ransom note)
          PID:1920
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\system32\EventSystem.dll",TStartUp 0x11
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1908
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2624
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2644
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2008
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2916
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:2848
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1472
        • C:\Windows\SysWOW64\find.exe
          find "REG_"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2520
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2832
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1452
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1864
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1844
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1720
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2996
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:500
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:276
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -ano
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:2324
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          • Network Service Discovery
          • System Location Discovery: System Language Discovery
          PID:1776
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -r
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2956
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2652
            • C:\Windows\SysWOW64\ROUTE.EXE
              C:\Windows\system32\route.exe print
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2076
        • C:\Windows\SysWOW64\net.exe
          net start
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2056
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1376
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2484
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo n"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:308
        • C:\Windows\SysWOW64\net.exe
          net share
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2388
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1112
        • C:\Windows\SysWOW64\net.exe
          net view /domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:1740
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:412
        • C:\Windows\SysWOW64\find.exe
          find /i /v "------"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:848
        • C:\Windows\SysWOW64\find.exe
          find /i /v "domain"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:948
        • C:\Windows\SysWOW64\find.exe
          find /i /v "¬A╛╣"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1212
        • C:\Windows\SysWOW64\find.exe
          find /i /v "░⌡ªµª¿"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2100
        • C:\Windows\SysWOW64\find.exe
          find /i /v "├ⁿ┴ε"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2328
        • C:\Windows\SysWOW64\find.exe
          find /i /v "completed successfully"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:296
        • C:\Windows\SysWOW64\net.exe
          net view /domain:"WORKGROUP"
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:1216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1848
        • C:\Windows\SysWOW64\find.exe
          find "\\"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1480
        • C:\Windows\SysWOW64\net.exe
          net view \\ELZYPTFV
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:908
        • C:\Windows\SysWOW64\net.exe
          net view \\ELZYPTFV
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:1316
        • C:\Windows\SysWOW64\find.exe
          find "Disk"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1104
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 ELZYPTFV
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1576
        • C:\Windows\SysWOW64\findstr.exe
          findstr /i "Pinging Reply Request Unknown"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:1604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    43B

    MD5

    9f8713aff6dc4949d0dcf7869a488a12

    SHA1

    83529c6bf10be34c28615d988c4147493cc66607

    SHA256

    f1a58d2b6c8377fcc07081342bfd0bf6c394abe39b1575d6983bd30f716e6fec

    SHA512

    98005207c23cbb927eea0ee745b631413ca466dc89c8ea74af8ca228a209d835681c5c80a4c9e762b4decd3d53047d27e4063c6b42ac0da8d03628ebb80e923a

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    7KB

    MD5

    493f5925782f20b40ca456af792397e0

    SHA1

    5a77c37601772d45597ad74f99b224b2f92cdeb2

    SHA256

    ef9404ef737e1c82f9393785a24f20c2e14f954e811c43984a75ff63f25d41d5

    SHA512

    7c7ac1d649dcc222e16f7dd201588467695686270b2ce6d070a6f68ad8e5b850870795fdce28a934c43204f69b29b6aea5fc0d480a4cbe043314af1625345e28

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    15KB

    MD5

    57da761cde32ee67376a6383f98d6694

    SHA1

    82698fa2b85dd83fc6476d51208b235d24b1ea0a

    SHA256

    204397bbc459c9acaefdb2ca65156ff32c3483cdea0e65fdab8070195e1b1d5d

    SHA512

    dc95d3ddbb5c7d4091f2d90bad94d4fda188268a1d4b883127ae79634a723a7f6a6eda3d33e6feaec32efddcc469369aa53aa165d12dfea0c9c9a7cb72f39108

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    24.9MB

    MD5

    fb61e168878387f85e17db9c7974d09e

    SHA1

    a2608b1540647c34209fa723ea90dc06744982e1

    SHA256

    144253778579396bc2d0074783233a95aa5092dc039a3e5304a7822def662dbb

    SHA512

    dbde2d39f31b53b37531202d54d0ac1de7459916825da6c57689e75c766cf53e59a9fd2b9a069fa9b886e272fdf2644941e7a93e26bf4a532bd44049607e0773

  • C:\Users\Admin\AppData\Local\Temp\drivers.p

    Filesize

    15B

    MD5

    4ff8e80638f36abd8fb131c19425317b

    SHA1

    358665afaf5f88dfebcdb7c56e963693c520c136

    SHA256

    6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

    SHA512

    d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

  • C:\Users\Admin\AppData\Local\Temp\ghi.bat

    Filesize

    3KB

    MD5

    b98e8fcde49a1caee295a6bd3d264e56

    SHA1

    71c82391a8617212ad48c8d79755e71be2e20be9

    SHA256

    e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

    SHA512

    fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

  • C:\Users\Admin\AppData\Local\Temp\s.log

    Filesize

    153B

    MD5

    b256c8a481b065860c2812e742f50250

    SHA1

    51ddf02764fb12d88822450e8a27f9deac85fe54

    SHA256

    b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

    SHA512

    f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

  • C:\Users\Admin\AppData\Local\Temp\s.log

    Filesize

    64B

    MD5

    e29f80bf6f6a756e0bc6d7f5189a9bb2

    SHA1

    acdd1032b7dc189f8e68b390fe6fd964618acd72

    SHA256

    8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

    SHA512

    f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

  • C:\Users\Admin\AppData\Local\Temp\t.log

    Filesize

    72B

    MD5

    59f2768506355d8bc50979f6d64ded26

    SHA1

    b2d315b3857bec8335c526a08d08d6a1b5f5c151

    SHA256

    7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

    SHA512

    e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

  • C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

    Filesize

    234B

    MD5

    b230d00e3e2469fefe2d05175aa4392a

    SHA1

    5966759deb5146df415579df387d7add41b1d8dd

    SHA256

    dc469f971f85ab492ebf0bb8a37271e32e6c0895c96c84015129a42caa6cbe19

    SHA512

    b6b2ba3b36a8b47856562f2ba3e7164abb6c4dbb8c48b9e7aa8265d3548ffc50634a20ceee5ca1359aa1b3be4b245f716b5989e15b9eb3edfb3a273c75faa3c7

  • \ProgramData\wmimgmt.exe

    Filesize

    160KB

    MD5

    fb317b990f2f41f7de3a4be4d67db9b2

    SHA1

    3890c26a6052090c88c953b01a69b7e19439442b

    SHA256

    5d779261d7787da657d9e77b3dee4a4371f3f5432592ad8c60e8863209f2285c

    SHA512

    c9efcca432a770e06877d51f4fec58412a569c9ee5a335d2d5ff6b2f1c9185b8a6e5cfb7e1ee279401b8716f71be996633bc87b2f420c64c21441b7539094986

  • \Users\Admin\AppData\Local\Temp\avp.exe

    Filesize

    73KB

    MD5

    d0b2a18b2220a3248eec7874b75867fe

    SHA1

    47bfbb801c7643f3bc1f767cca4c496d4a620268

    SHA256

    c0879137834b57ed4d7c59a1972737e74528032a39ff7ca8aa2560b9babb8d3b

    SHA512

    3edf0025f8d5a36667b026b1102acca3ca03a2c0539f037fd3e7a28c61b1d10cdc81ee9553ad47eee7c907e02ef1ffa97e3b22d2666c60aa3fb2e7457141ac24

  • \Windows\SysWOW64\EventSystem.dll

    Filesize

    61KB

    MD5

    e752f85ed0c2d7a737c1b7cb69a7f8f1

    SHA1

    16a1d54c5255668a3076026efb4befb406ed03b7

    SHA256

    a6925ccf46342ac629280fbc24cc5f5f87318bddb59a412528e1974fa80a2647

    SHA512

    a18591db11dfd61ae3a90d53f9e2d222f8d6c1f389b07c51a9844c64b7767f1bf8313ef9459b497857e83e339328577c56f92d24705eea9799ded5b3d46f65c7

  • memory/2108-22-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2108-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2300-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2300-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB