af68f476140d51931caa9b605442477b894d7cfa83b6a36165f818b91297d707

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
Size

49KB
MD5

0d513ceac4decc4d06e35ad3a951256c
SHA1

60735cdca1f6610552c17cb6f058c5d9c42c2191
SHA256

af68f476140d51931caa9b605442477b894d7cfa83b6a36165f818b91297d707
SHA512

953b6d091b9fdbf45d2f3d3766a3bd4d2cebadaffc6222dc138bf236cd54495b9fff316bfeebed745eab950acbbc3f01ef5e75f0575969a1b2d11dc7bc91d92f
SSDEEP

768:If6EsU/CR16uhtTmbDRFZ8hjZlKFoak2BbWzsRxJn02WXpJobj6/4BMOljVQbrCx:dEs169ZwlioSWYnJ0FXpSq6MOTQH1

Score

10^/10

discovery evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
4316	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4316	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yucomres.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comres.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YU0x4.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\comres.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3556	sc.exe
1804	sc.exe
1640	sc.exe
2616	sc.exe
792	sc.exe
4320	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
4316	rundll32.exe
4316	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 912	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	82
PID 732 wrote to memory of 912	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	82
PID 732 wrote to memory of 912	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	82
PID 732 wrote to memory of 2616	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	83
PID 732 wrote to memory of 2616	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	83
PID 732 wrote to memory of 2616	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	83
PID 732 wrote to memory of 792	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	84
PID 732 wrote to memory of 792	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	84
PID 732 wrote to memory of 792	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	84
PID 732 wrote to memory of 4944	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	85
PID 732 wrote to memory of 4944	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	85
PID 732 wrote to memory of 4944	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	85
PID 732 wrote to memory of 4320	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	86
PID 732 wrote to memory of 4320	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	86
PID 732 wrote to memory of 4320	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	86
PID 732 wrote to memory of 3556	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	87
PID 732 wrote to memory of 3556	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	87
PID 732 wrote to memory of 3556	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	87
PID 732 wrote to memory of 4896	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	89
PID 732 wrote to memory of 4896	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	89
PID 732 wrote to memory of 4896	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	89
PID 732 wrote to memory of 1640	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	90
PID 732 wrote to memory of 1640	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	90
PID 732 wrote to memory of 1640	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	90
PID 732 wrote to memory of 1804	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	91
PID 732 wrote to memory of 1804	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	91
PID 732 wrote to memory of 1804	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	91
PID 732 wrote to memory of 4316	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	93
PID 732 wrote to memory of 4316	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	93
PID 732 wrote to memory of 4316	732	0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe	93
PID 4944 wrote to memory of 4908	4944	net.exe	101
PID 4944 wrote to memory of 4908	4944	net.exe	101
PID 4944 wrote to memory of 4908	4944	net.exe	101
PID 4896 wrote to memory of 3460	4896	net.exe	102
PID 4896 wrote to memory of 3460	4896	net.exe	102
PID 4896 wrote to memory of 3460	4896	net.exe	102
PID 912 wrote to memory of 4684	912	net.exe	103
PID 912 wrote to memory of 4684	912	net.exe	103
PID 912 wrote to memory of 4684	912	net.exe	103

C:\Users\Admin\AppData\Local\Temp\0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d513ceac4decc4d06e35ad3a951256c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4684
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:792
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4320
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3556
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\Aupbc7a3.dat, ServerMain
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aupbc7a3.dat

Filesize
28KB

MD5
55e3d398a50d93d046009571413bd55c

SHA1
89fad6b96211616a25c3924924d23b09cc5a140d

SHA256
9e211f728d6ac7f045181b40b0581a87e3bf260fbbdeb10d4444cbcdff5c0f56

SHA512
d193028704826a0ae56ac1b0dfa5b9998462da2315adaa819b92212f6ea86f690a2c6e788bcfe82520bb7241e572d640eb88bf71dd2b36f328692cff889db31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamecfg.ini

Filesize
105B

MD5
0570d8f868e535c11763800457edf292

SHA1
75edbca748cf036763b32f2063b61ef44c37b971

SHA256
b3bab904030b990d70ef8c1a15870346f811fa58efcdc1f56bf97324bb8f4e1b

SHA512
03fb35d252af61d9f8c1c3f1c59b5c11c4b2e713b30342ceba2c0c5a79a16ada4f1eba414caf187191eef23ecf2c31783dc0a6b6d625702393dcaeb8aa08c8d6

Download Submit