6730f905d23498aa7360b4d91a8b500b48015f8883800b25ade213534fda9bd4

Analysis

max time kernel
133s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Size

52KB
MD5

07ab8a90178c230af795eb3700c4a95c
SHA1

245d021be7a463ab463dc3b0999fb40602611ceb
SHA256

6730f905d23498aa7360b4d91a8b500b48015f8883800b25ade213534fda9bd4
SHA512

44f36ff7b48fd13bce5af5bf09cbb2a961e669987d19eeb1306bd3efe1cb6790be80b05c6af040e449d998f7ad1007b89ab030588a2b13e173b96f659caca7ab
SSDEEP

1536:a/BaV7B17CJ/I7vOhK2KNS8BifhDTLKkEzZ:Nv7s/IzUKctfhDf8Z

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/276-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x000900000001925c-5.dat	upx
behavioral1/memory/276-7-0x0000000002140000-0x0000000002145000-memory.dmp	upx
behavioral1/memory/276-27-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\iSrev.exe	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\iSrev.exe	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
File created	C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORER.EXE	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORER.EXE	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	explorer.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeBackupPrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeBackupPrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeBackupPrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeBackupPrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeRestorePrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeDebugPrivilege	276	07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07ab8a90178c230af795eb3700c4a95c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explore.lnk

Filesize
1KB

MD5
eb4f9bd8532ec3859841cd3a9d4c7fa6

SHA1
161a37afaa840ca4fe8d6a7ab2d30d87d4466199

SHA256
3ea8fc57ca83c0bcbe87f55916501540953e4b26e105a402eeb25c85d57499f7

SHA512
604c93b629465c86c1a00ec6e417369b9699aecfe1c9221d3f678b7910787a186fcf0593e2d0d13e05b013ea41f10bddfc0d2d461431b228fc7ed042fb2f890f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explore.lnk

Filesize
1KB

MD5
026203629c68171c30fb7e193403cc9e

SHA1
71a208b7238319b5b352e23cc45f823eebed51cb

SHA256
fe3c359d20f9d2c06a950dd7eb14565be9be2ad35b01444eac2c7e393fb9f648

SHA512
0a00e314ee36fe92578a24225d49b98f9712dba0bb117ed9a9e5d9bd48a2c0e73e8ef5947906fe8bd8889cee490cead1da47e90eea634f2dd0c14d55a44a481c

Download Submit
C:\Users\Public\Desktop\Internet Explore.lnk

Filesize
1KB

MD5
41dce76b03d3f718d2a9df83c6c6de96

SHA1
617480872c6180ce2ecb7184d4627b2be3266573

SHA256
a5308029175c99d0318f2f7de889e8801d1c70cd6a8e8c892bdea1c950930321

SHA512
0005edddc90bc5cc97ae53a8cb0ccce840c1c590fe40448858a9956656e7fae805dbd35054882daa45bddadc55f0a169ec0386c004d5a187646f51bbac895058

Download Submit
\Program Files\Internet Explorer\IEXPLORER.EXE

Filesize
18KB

MD5
75841f234d770b70f4bfdf69c6e545c8

SHA1
2f1c96faa3ecf8288c36ffbc4e3605806c6bef74

SHA256
2a38c06f76019cc1a411c2c84e06864942e3c2ff04e2daed50cbe509edabe36f

SHA512
1314544ace13fe728ca9a2b247eb0bf157edbd624efe2de534d5ae0783535720e186364c805882fa5d0a2720b9aee06652f65dd1b4bb6bb846951346b1b3fa62

Download Submit
memory/276-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/276-7-0x0000000002140000-0x0000000002145000-memory.dmp

Filesize
20KB

Download
memory/276-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2172-35-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download