e91bbc7a3407956d8e7df2f24b875b8cf01b89f3d619c1af8906b1a5299498aa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
Size

4.5MB
MD5

0a65588a9196e5fa84e6bf7833140998
SHA1

17cb241c28efef6c382cd49385dad7bc8be646a1
SHA256

e91bbc7a3407956d8e7df2f24b875b8cf01b89f3d619c1af8906b1a5299498aa
SHA512

aec9e3a4e22c8bded036d7128a1a197f130e19d802930121d2afca08d502d86aa6ba84d752ac4ba960ff3e29439c938c07872d0273df0c0dc514396f8e81298b
SSDEEP

98304:CNBf4LJfDU5+pZ5kCqGorFB+pKgvLdC9+z8e4KU9I:CNh4HnkCqfrr5gjdE+z8ooI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2660	~DPD3A.exe
2824	~DPD99.exe
2828	~DPD99.exe
2792	winlogon.exe

Loads dropped DLL 19 IoCs

pid	Process
2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
2824	~DPD99.exe
2824	~DPD99.exe
2824	~DPD99.exe
2824	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe
2828	~DPD99.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nvchost = "C:\\Windows\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nvchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~DPD3A.exe"	~DPD3A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe13F7.tmp	~DPD99.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe13F7.tmp	~DPD99.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp1393.tmp\temp.000	~DPD99.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp13D5.tmp\temp.000	~DPD99.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	~DPD3A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DPD99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DPD3A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DPD99.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	winlogon.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2660	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2660	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2660	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2660	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2824	2184	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2824 wrote to memory of 2828	2824	~DPD99.exe	32
PID 2660 wrote to memory of 2792	2660	~DPD3A.exe	33
PID 2660 wrote to memory of 2792	2660	~DPD3A.exe	33
PID 2660 wrote to memory of 2792	2660	~DPD3A.exe	33
PID 2660 wrote to memory of 2792	2660	~DPD3A.exe	33

C:\Users\Admin\AppData\Local\Temp\0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\~DPD3A.exe
  "C:\Users\Admin\AppData\Local\Temp\~DPD3A.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2792
- C:\Users\Admin\AppData\Local\Temp\~DPD99.exe
  "C:\Users\Admin\AppData\Local\Temp\~DPD99.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\~DPD99.exe
    -deleter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ISPackFiles.ini

Filesize
821B

MD5
4a685c290ac66d71788580108ed65039

SHA1
df6c2c4604ebf9aa015a66b8870eda2d6a345942

SHA256
3440a041c6f1f36b130d3c29c8244013fc8d4f6b2c73049f06cefa63100f1bfc

SHA512
ff2d6ad5709ba9c32d6c76f06ca89f93ab319ebd1e60db9e3bde8498d234513c474cd0e5e557cf604c8ba1165ba122687da7d38d14e8784a6fbcae62fbae4822

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
155B

MD5
4e89262589bf5a5283300c67cdefe040

SHA1
d4ec507f21f1f2d39152ac9e3b28d215bdf8efc7

SHA256
1733745b3593ad0a57cc7ed38c81cc1cb75cb44f147128a3a08820693f7ace42

SHA512
eff46e16c7d7f1d6ddb05bb865ab29d8b471547b86414880f234c71e65a8e08ebaf04953b427376eef4bda789900ea75b6e5a0d3f637f37c08e70a9ada61f414

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye11DC.tmp\Disk1\setup.boot

Filesize
321KB

MD5
173bddccc829d682046228b9a0a8ad8c

SHA1
4aadfc3c29a36f77cbe81e98cba0e59e6e620d06

SHA256
03e5ce8633b074b0a336ff5c5616318919e3b0a2291d381614858bdb35665ae9

SHA512
3a0f5bc0143cd548c14eaddc494a0646172164f6b7c81d1576714bfc6b58e027407d954e3a14bd81ab805fa25bedb1bc50ffce2ec45213d29a146def2cd658b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye11DC.tmp\Disk1\setup.ini

Filesize
430B

MD5
f08b2efe62258456df12eb4a824b281b

SHA1
3eb29ccd0e823fb70c4a75aa41cc05aaf89553f5

SHA256
5fbc5c80e8c9aaf9172ee938f3ebad17132248c3b43c7acbe66ded83417e4cdc

SHA512
ea58bf7bb963840605219b1c267bf2257538e1ffe94e4202d7d1fdca565211a820c7a6181051a32e2d1744c548885173ff428c66c8055e2840b7c5a25920c471

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp13D4.tmp\_Setup.dll

Filesize
144KB

MD5
7d206ffa959599b822512f184047f7f1

SHA1
2ccb525e2813d51bb37133bc33d0740355a3b4c3

SHA256
4466f4c424b139190b74137d9ebd901c7b1b1a9e2467d1607b048eb64a1011af

SHA512
b8f0b75a2486de4382177e94b622a73dee6e3ad9618872eb7747f082a5965591ba80d14c14ebf15ea93be892f494bdeca5a601d03e0a868df66170af8cfa03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\set1394.tmp

Filesize
149KB

MD5
43fffef9a91b39fed4196111bac39640

SHA1
9ce849f11188da639254a77d3f4e31db36a752d2

SHA256
d6fccdbe022be8d79dd40fa3d1bc29c284c19a3471cc5b7db7657496c1381d61

SHA512
ce9f61feaf874944bc4d8301565e704ae8dc263d702a0753f350cffccc5be7f6c7973dac21268031be9033c3b19675e55c40f6c8bf30069a2b33f5f44ec334cc

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe13F7.tmp

Filesize
680KB

MD5
8230d489547e2f1c0af852f81d1d63be

SHA1
95e4ae5e66f60d51a29a007869e3f380d82549f4

SHA256
7b5542d5c304f3f5ada9eedfa3fb82c28bec97a0d49e9f0ddf61b7a65006e301

SHA512
7a75352290c6595ec47eb9698626adbeef8b4a4c62399e0620d6fd7fc40fa9adbd49333bc53c21dffdedb89486d13f9b18502ee23ab8394a5a8d51834dda82ed

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp13D5.tmp\IGdi.dll

Filesize
160KB

MD5
150f19ffcf1c56e3c5f77eb712d0310b

SHA1
ee29d37fe83ac48c00b5a15ef8073a653ac3354d

SHA256
63e799505ac9f425a9ae000adf438812d50cb7b92de50d4e45e042af704af49c

SHA512
e2bef9203abbd6934a16bd43c3f8975a69eca3c9ddea66d76dfd97fafceadb8779ea3c2b1f75787e7f909357ef636f5964a903148190886cee35a81668780e49

Download Submit
\Users\Admin\AppData\Local\Temp\isp12F5.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
\Users\Admin\AppData\Local\Temp\~DPD3A.exe

Filesize
156KB

MD5
4ed4fdc51790b92c9bf0500bdaef7126

SHA1
49ff61012ff09d1740939ca2c295c011707a92a9

SHA256
136080043058565cbed31faa197c2b9019b01f532abd2c87c9dd38b635c54e3a

SHA512
50bee0eb216e41ef7d5134036301d71f944aaee5805711688b550521c3ef46d293ccb38c4da1bb55000d788cf199d518f53f28bd3d94a73a0e6eaf40dc7c7801

Download Submit
\Users\Admin\AppData\Local\Temp\~DPD99.exe

Filesize
4.3MB

MD5
1eb5ea9749ba238df81442e2e3e569ea

SHA1
2bc8e2acf73895efb3553b0e586cbe05520abedb

SHA256
e668bbdff6b8fac54c2a22444665f3f0636e53f322de9213aa702d0f2dd15000

SHA512
031d065b2676086550f623752b181c978ede63afd52d15da8b9b8f1b632202c2d9b796e954f2d987f2cfd713617d6d1039fd3a46e97cd9d65750d7e0e1552b25

Download Submit
memory/2184-16-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/2184-3-0x00000000031B0000-0x0000000003213000-memory.dmp

Filesize
396KB

Download
memory/2660-30-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2792-218-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads