dd77adda6b4f260a9f5ef079e520d58b35abf166b72b63ee5968883b9d7eb440

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
Size

501KB
MD5

0cb9802d25363248aa1b64a44bb09cc7
SHA1

94fab7822332e452a2bb493f8651a4cc24ddf644
SHA256

dd77adda6b4f260a9f5ef079e520d58b35abf166b72b63ee5968883b9d7eb440
SHA512

9ad547ae5e23683ccc30d9c35bf6695c60fa0bf4abe4ef19ce96b5ca71f6cb5a3e326c2c1de2cb473af3c1a1b1658adae87ab15d98bc365b2b2b2a6c35aa7618
SSDEEP

12288:rWlfxLwk9hLMUYoura4RE0m77JWymUgG+6GO/:GJ0uhAUYouu4/K7JWymUD+m

Score

10^/10

discovery persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2820	regedit.exe	32

Executes dropped EXE 1 IoCs

pid	Process
2972	TPlayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1304	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
1304	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\TTPlayer\\TPlayer.exe\" \"%1\""	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª"	regedit.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\TTPlayer\TPlayer.exe	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
File opened for modification	C:\Program Files\TTPlayer\TPlayer.exe	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
File opened for modification	C:\Program Files\TTPlayer\Config.ini	TPlayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\TTPlayer\\TPlayer.exe\" \"%1\""	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\IconHandler\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\PropertySheetHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.link	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\ContextMenuHandlers\Offline Files\ = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\NeverShowExt	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ = "linkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\ContextMenuHandlers\Offline Files	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\IsShortcut	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\DropHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\DropHandler\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\PropertySheetHandlers\ShimLayer Property Page	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\shellex\IconHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.link\ShellEx	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\EditFlags = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\CLSID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\linkfile\CLSID\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2832	regedit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2972	TPlayer.exe
2972	TPlayer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2972	1304	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2972	1304	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2972	1304	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2972	1304	0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2496	2972	TPlayer.exe	31
PID 2972 wrote to memory of 2496	2972	TPlayer.exe	31
PID 2972 wrote to memory of 2496	2972	TPlayer.exe	31
PID 2972 wrote to memory of 2496	2972	TPlayer.exe	31

C:\Users\Admin\AppData\Local\Temp\0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cb9802d25363248aa1b64a44bb09cc7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\TTPlayer\TPlayer.exe
  "C:\Program Files\TTPlayer\TPlayer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RTCHP.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496

C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\81AKL.reg"
1⤵
- Process spawned unexpected child process
- Modifies system executable filetype association
- Modifies registry class
- Runs .reg file with regedit
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81AKL.reg

Filesize
1KB

MD5
873a0456fbaa689791a316bd95c4fc9e

SHA1
b8bbb098fffec911a760a3520823074d46090157

SHA256
4ccc1598bea95fa8476a3765e4c94ffc8005dda5ea1e89491344dd691e6a62e4

SHA512
1e48d7150b2610ed71be2bab65dddd395e06ae86f328c8f3f30937db2bb41c2516be35389c48e3d2418c20de56ecd9ed61987d8513fa7e0616c241d0b922a9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTCHP.vbs

Filesize
541B

MD5
860d572ea3fe8976c82841799a1979da

SHA1
d4434b7f53bf822b1a0333ff16d2fad9a97313c2

SHA256
ce742631170ee182378bffa40bc0c9347093493f456cb0fec3626260a94c07c6

SHA512
ee07ce294e4dc1090bd16a598d8cf43003893ccd59a29f0488fcf15dcc8408acb1f0626d7e948fcfb8536ec7e14b1e17c660c811590c45e3adf84c75b72bc631

Download Submit
\Program Files\TTPlayer\TPlayer.exe

Filesize
14.7MB

MD5
a83c89feeba7c5243173689945354962

SHA1
534e4fa32a796e25eefe2599b0186e02e1c391f4

SHA256
cfdc9f414e669abf0a038748c61d7022b0f6f203a01a4572407aece6724297ac

SHA512
d74c50a5bab2e4355f0a1d62040c402faa1124ba6ca1d31ef40145918a52c7f076e51f6366d912b1f6fdfe4baa9259d4c8f48ca981f68d8f8e2c257d18216e6a

Download Submit
memory/1304-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1304-10-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2972-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2972-21-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2972-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2972-23-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads