af68f476140d51931caa9b605442477b894d7cfa83b6a36165f818b91297d707

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
Size

49KB
MD5

0d513ceac4decc4d06e35ad3a951256c
SHA1

60735cdca1f6610552c17cb6f058c5d9c42c2191
SHA256

af68f476140d51931caa9b605442477b894d7cfa83b6a36165f818b91297d707
SHA512

953b6d091b9fdbf45d2f3d3766a3bd4d2cebadaffc6222dc138bf236cd54495b9fff316bfeebed745eab950acbbc3f01ef5e75f0575969a1b2d11dc7bc91d92f
SSDEEP

768:If6EsU/CR16uhtTmbDRFZ8hjZlKFoak2BbWzsRxJn02WXpJobj6/4BMOljVQbrCx:dEs169ZwlioSWYnJ0FXpSq6MOTQH1

Score

10^/10

discovery evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2864	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2864	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yuksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YU0x4.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yucomres.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comres.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\comres.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2940	sc.exe
2720	sc.exe
2956	sc.exe
2416	sc.exe
2104	sc.exe
2300	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
2864	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2376	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2376	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2376	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2376	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2416	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2416	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2416	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2416	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2104	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2104	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2104	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	33
PID 2504 wrote to memory of 2104	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	33
PID 2504 wrote to memory of 1840	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	34
PID 2504 wrote to memory of 1840	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	34
PID 2504 wrote to memory of 1840	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	34
PID 2504 wrote to memory of 1840	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	34
PID 2504 wrote to memory of 2300	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2300	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2300	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2300	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2940	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	36
PID 2504 wrote to memory of 2940	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	36
PID 2504 wrote to memory of 2940	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	36
PID 2504 wrote to memory of 2940	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	36
PID 2504 wrote to memory of 2332	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	38
PID 2504 wrote to memory of 2332	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	38
PID 2504 wrote to memory of 2332	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	38
PID 2504 wrote to memory of 2332	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	38
PID 2504 wrote to memory of 2720	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	40
PID 2504 wrote to memory of 2720	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	40
PID 2504 wrote to memory of 2720	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	40
PID 2504 wrote to memory of 2720	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	40
PID 2504 wrote to memory of 2956	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	41
PID 2504 wrote to memory of 2956	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	41
PID 2504 wrote to memory of 2956	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	41
PID 2504 wrote to memory of 2956	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	41
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 2504 wrote to memory of 2864	2504	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	48
PID 1840 wrote to memory of 2796	1840	net.exe	49
PID 1840 wrote to memory of 2796	1840	net.exe	49
PID 1840 wrote to memory of 2796	1840	net.exe	49
PID 1840 wrote to memory of 2796	1840	net.exe	49
PID 2376 wrote to memory of 2784	2376	net.exe	50
PID 2376 wrote to memory of 2784	2376	net.exe	50
PID 2376 wrote to memory of 2784	2376	net.exe	50
PID 2376 wrote to memory of 2784	2376	net.exe	50
PID 2332 wrote to memory of 2856	2332	net.exe	51
PID 2332 wrote to memory of 2856	2332	net.exe	51
PID 2332 wrote to memory of 2856	2332	net.exe	51
PID 2332 wrote to memory of 2856	2332	net.exe	51

C:\Users\Admin\AppData\Local\Temp\0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\Aupbc7a3.dat, ServerMain
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aupbc7a3.dat

Filesize
28KB

MD5
55e3d398a50d93d046009571413bd55c

SHA1
89fad6b96211616a25c3924924d23b09cc5a140d

SHA256
9e211f728d6ac7f045181b40b0581a87e3bf260fbbdeb10d4444cbcdff5c0f56

SHA512
d193028704826a0ae56ac1b0dfa5b9998462da2315adaa819b92212f6ea86f690a2c6e788bcfe82520bb7241e572d640eb88bf71dd2b36f328692cff889db31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamecfg.ini

Filesize
105B

MD5
0570d8f868e535c11763800457edf292

SHA1
75edbca748cf036763b32f2063b61ef44c37b971

SHA256
b3bab904030b990d70ef8c1a15870346f811fa58efcdc1f56bf97324bb8f4e1b

SHA512
03fb35d252af61d9f8c1c3f1c59b5c11c4b2e713b30342ceba2c0c5a79a16ada4f1eba414caf187191eef23ecf2c31783dc0a6b6d625702393dcaeb8aa08c8d6

Download Submit