Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2024, 03:04

Tasks
Static task static1
Behavioral task behavioral1: Sample 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe, Resource win10v2004-20240802-en
General
Target: 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe
Size: 308KB
MD5: 0d9bccc11000309d60fff12b7e0cf84b
SHA1: 702e71578d723fb32aeed3946475ce96e2ddbf21
SHA256: e23bf3a7902b30451a1edaf7089f6d09cb396a0c0e9234167990ffd36610ddcb
SHA512: 56f7b479b43d6df576f904c81122d16b07f83d135f608fb10b9ef21ec1b52679c5f5f25d591cd4b6cfcb8d09cf10328a4193436d39a640f84fd50b3bb2994542
SSDEEP: 6144:G/0uoNej3tJXy8Vz35MTZRkEPW1ymO1d3EsYr7kV:GJzj34Zi+uytEBrwV
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\NvTaskbarInit.exe = "C:\\Windows\\system32\\NvTaskbarInit.exe:*:Enabled:Explorer" | document.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | document.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | document.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | document.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | document.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1" | document.exe

Executes dropped EXE (4 IoCs)
pid | Process
2972 | AdSubAware.exe
2396 | document.exe
5104 | document.exe
2944 | NvMcTray.exe

Loads dropped DLL (2 IoCs)
pid | Process
1576 | rundll32.exe
3944 | rundll32.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1" | document.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia Control Center = "C:\\Windows\\system32\\NvTaskbarInit.exe" | document.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scixu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\pin3dmsc.dll\",Startup" | rundll32.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | document.exe

Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | document.exe
File opened (read-only) | \??\E: | document.exe
File opened (read-only) | \??\G: | document.exe
File opened (read-only) | \??\J: | document.exe
File opened (read-only) | \??\N: | document.exe
File opened (read-only) | \??\U: | document.exe
File opened (read-only) | \??\V: | document.exe
File opened (read-only) | \??\W: | document.exe
File opened (read-only) | \??\Y: | document.exe
File opened (read-only) | \??\L: | document.exe
File opened (read-only) | \??\M: | document.exe
File opened (read-only) | \??\O: | document.exe
File opened (read-only) | \??\P: | document.exe
File opened (read-only) | \??\R: | document.exe
File opened (read-only) | \??\T: | document.exe
File opened (read-only) | \??\K: | document.exe
File opened (read-only) | \??\Q: | document.exe
File opened (read-only) | \??\S: | document.exe
File opened (read-only) | \??\H: | document.exe
File opened (read-only) | \??\I: | document.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\NvTaskbarInit.exe | document.exe
File created | C:\Windows\SysWOW64\NvTaskbarInit.exe | document.exe
File created | C:\Windows\SysWOW64\NvMcTray.exe | document.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2396 set thread context of 5104 | 2396 | document.exe | 84

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\program files\limewire\shared\VmWare 7.0 keygen.exe | document.exe
File created | C:\program files\emule\incoming\PDF Unlocker v2.0.3.exe | document.exe
File created | C:\program files\emule\incoming\Adobe Acrobat Reader keygen.exe | document.exe
File created | C:\program files\morpheus\my shared folder\Download Boost 2.0.exe | document.exe
File created | C:\program files\limewire\shared\LimeWire Pro v4.18.3.exe | document.exe
File created | C:\program files\limewire\shared\Absolute Video Converter 6.2.exe | document.exe
File created | C:\program files\icq\shared folder\Nero 9 9.2.6.0 keygen.exe | document.exe
File created | C:\program files\grokster\my grokster\Starcraft2 Oblivion DLL.exe | document.exe
File created | C:\program files\emule\incoming\Absolute Video Converter 6.2.exe | document.exe
File created | C:\program files\limewire\shared\YouTubeGet 5.4.exe | document.exe
File created | C:\program files\winmx\shared\Ashampoo Snap 3.02.exe | document.exe
File created | C:\program files\icq\shared folder\Avast 4.8 Professional.exe | document.exe
File created | C:\program files\grokster\my grokster\K-Lite Mega Codec v5.6.1 Portable.exe | document.exe
File created | C:\program files\emule\incoming\Windows XP PRO Corp SP3 valid-key generator.exe | document.exe
File created | C:\program files\icq\shared folder\Adobe Photoshop CS4 crack.exe | document.exe
File created | C:\program files\grokster\my grokster\Blaze DVD Player Pro v6.52.exe | document.exe
File created | C:\program files\icq\shared folder\DVD Tools Nero 10.5.6.0.exe | document.exe
File created | C:\program files\tesla\files\K-Lite Mega Codec v5.6.1 Portable.exe | document.exe
File created | C:\program files\icq\shared folder\Image Size Reducer Pro v1.0.1.exe | document.exe
File created | C:\program files\icq\shared folder\Blaze DVD Player Pro v6.52.exe | document.exe
File created | C:\program files\emule\incoming\Image Size Reducer Pro v1.0.1.exe | document.exe
File created | C:\program files\emule\incoming\Download Accelerator Plus v9.exe | document.exe
File created | C:\program files\emule\incoming\CleanMyPC Registry Cleaner v6.02.exe | document.exe
File created | C:\program files\limewire\shared\Kaspersky Internet Security 2010 keygen.exe | document.exe
File created | C:\program files\grokster\my grokster\PDF-XChange Pro.exe | document.exe
File created | C:\program files\grokster\my grokster\Adobe Acrobat Reader keygen.exe | document.exe
File created | C:\program files\emule\incoming\Twitter FriendAdder 2.1.1.exe | document.exe
File created | C:\program files\tesla\files\Windows XP PRO Corp SP3 valid-key generator.exe | document.exe
File created | C:\program files\grokster\my grokster\BitDefender AntiVirus 2010 Keygen.exe | document.exe
File created | C:\program files\emule\incoming\WinRAR v3.x keygen RaZoR.exe | document.exe
File created | C:\program files\tesla\files\Power ISO v4.2 + keygen axxo.exe | document.exe
File created | C:\program files\tesla\files\Adobe Photoshop CS4 crack.exe | document.exe
File created | C:\program files\winmx\shared\Super Utilities Pro 2009 11.0.exe | document.exe
File created | C:\program files\winmx\shared\Sophos antivirus updater bypass.exe | document.exe
File created | C:\program files\grokster\my grokster\Adobe Photoshop CS4 crack.exe | document.exe
File created | C:\program files\morpheus\my shared folder\Google SketchUp 7.1 Pro.exe | document.exe
File created | C:\program files\limewire\shared\Windows XP PRO Corp SP3 valid-key generator.exe | document.exe
File created | C:\program files\morpheus\my shared folder\Mp3 Splitter and Joiner Pro v3.48.exe | document.exe
File created | C:\program files\icq\shared folder\Windows2008 keygen and activator.exe | document.exe
File created | C:\program files\tesla\files\DVD Tools Nero 10.5.6.0.exe | document.exe
File created | C:\program files\morpheus\my shared folder\Nero 9 9.2.6.0 keygen.exe | document.exe
File created | C:\program files\limewire\shared\Motorola, nokia, ericsson mobil phone tools.exe | document.exe
File created | C:\program files\winmx\shared\YouTubeGet 5.4.exe | document.exe
File created | C:\program files\winmx\shared\Internet Download Manager V5.exe | document.exe
File created | C:\program files\winmx\shared\Download Boost 2.0.exe | document.exe
File created | C:\program files\icq\shared folder\Anti-Porn v13.5.12.29.exe | document.exe
File created | C:\program files\grokster\my grokster\Nero 9 9.2.6.0 keygen.exe | document.exe
File created | C:\program files\emule\incoming\Sophos antivirus updater bypass.exe | document.exe
File created | C:\program files\morpheus\my shared folder\Youtube Music Downloader 1.0.exe | document.exe
File created | C:\program files\limewire\shared\Windows 2008 Enterprise Server VMWare Virtual Machine.exe | document.exe
File created | C:\program files\limewire\shared\McAfee Total Protection 2010.exe | document.exe
File created | C:\program files\icq\shared folder\AnyDVD HD v.6.3.1.8 Beta incl crack.exe | document.exe
File created | C:\program files\icq\shared folder\Starcraft2 Crack.exe | document.exe
File created | C:\program files\grokster\my grokster\Windows 7 Ultimate keygen.exe | document.exe
File created | C:\program files\emule\incoming\Mp3 Splitter and Joiner Pro v3.48.exe | document.exe
File created | C:\program files\grokster\my grokster\CleanMyPC Registry Cleaner v6.02.exe | document.exe
File created | C:\program files\tesla\files\Norton Anti-Virus 2010 Enterprise Crack.exe | document.exe
File created | C:\program files\winmx\shared\PDF to Word Converter 3.0.exe | document.exe
File created | C:\program files\tesla\files\Kaspersky AntiVirus 2010 crack.exe | document.exe
File created | C:\program files\icq\shared folder\Myspace theme collection.exe | document.exe
File created | C:\program files\grokster\my grokster\Super Utilities Pro 2009 11.0.exe | document.exe
File created | C:\program files\morpheus\my shared folder\Windows XP PRO Corp SP3 valid-key generator.exe | document.exe
File created | C:\program files\grokster\my grokster\YouTubeGet 5.4.exe | document.exe
File created | C:\program files\grokster\my grokster\Sophos antivirus updater bypass.exe | document.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | document.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | document.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NvMcTray.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5104 | document.exe (the same row is repeated 64 times)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2972 | AdSubAware.exe

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 1856 wrote to memory of 2972 | 1856 | 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe | 82 (row repeated 2 times)
PID 1856 wrote to memory of 2396 | 1856 | 0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe | 83 (row repeated 3 times)
PID 2396 wrote to memory of 5104 | 2396 | document.exe | 84 (row repeated 11 times)
PID 5104 wrote to memory of 2944 | 5104 | document.exe | 85 (row repeated 3 times)
PID 2944 wrote to memory of 1576 | 2944 | NvMcTray.exe | 86 (row repeated 3 times)
PID 1576 wrote to memory of 3944 | 1576 | rundll32.exe | 96 (row repeated 3 times)

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | document.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe (PID 1856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d9bccc11000309d60fff12b7e0cf84b_JaffaCakes118.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AdSubAware.exe (PID 2972)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AdSubAware.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe (PID 2396)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe (PID 5104)
            Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe"
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification

            [4] C:\Windows\SysWOW64\NvMcTray.exe (PID 2944)
                Command line: "C:\Windows\system32\NvMcTray.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\rundll32.exe (PID 1576)
                    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\pin3dmsc.dll",Startup
                    - Loads dropped DLL
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\rundll32.exe (PID 3944)
                        Command line: rundll32.exe "C:\Users\Admin\AppData\Local\pin3dmsc.dll",iep
                        - Loads dropped DLL
                        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads