1a1c78e16493a4a4ecfe771a0fd9542054ddde9b581d54ce2fec6003473d6e70

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
Size

316KB
MD5

0f7297aeaa068389ac52ee6a0eded319
SHA1

08f61b9d2264ac673101027d160d97574ac30f2f
SHA256

1a1c78e16493a4a4ecfe771a0fd9542054ddde9b581d54ce2fec6003473d6e70
SHA512

c8726cb26035c32493b1eb7c9227b477459f78e08321ba94f6b7de289e951ebb50c3f2d2b310c6c715283b0005ae0afca70e3d12bb9227e2ee64d439f69ab18a
SSDEEP

6144:JsVbo5sCjzrB0kvVinJeKQdBXWIoB0A/rqQ5Kq82rQrpMaiwu:6bCsofVinQKGBW0A/rqgNRfp

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
908	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\casttipv2 = "\"C:\\Program Files (x86)\\casttipv2\\casttipv2.exe\" /run"	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\casttipv2\casttipv2.exe	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
File created	C:\Program Files (x86)\casttipv2\uninstall.exe	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
Token: SeBackupPrivilege	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29
PID 1032 wrote to memory of 908	1032	0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f7297aeaa068389ac52ee6a0eded319_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
f4797b67066cbf516cb340f0f26aae05

SHA1
a6ab4671e72bd5dea4b2fae29beeaccd215850a5

SHA256
e69a69f816fc156ef75c3b58abffb2065557681d915d0dbcb5660385111907df

SHA512
5530aead702d2dad664497edfecd7f823ceede13be118b85351f12389a95b30eda9702081e9c24fd1360a0d64232bbd2877fa6953b42532db68b3585a2202ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8864.tmp\ExistFiles.dll

Filesize
180KB

MD5
a624d57d409bad4044f0d90268d80ed1

SHA1
5e5d146e01c5610ad6f1652de8682cf1b87c2c0e

SHA256
872f23f174b586155200eb593e63bb9612362d31073d3e53961a83a4fc45c6d2

SHA512
61b287ee535da481ab5e0ef9731ca4385fb6fd9bc11b9a84f6f1c6cf286d5c255bd9f9e3263c02662acafc6ebd6fb99242f752d5210abf5c317a810ba0e00c3f

Download Submit
\Users\Admin\AppData\Local\Temp\nso8864.tmp\DLLWebCount.dll

Filesize
28KB

MD5
d825e4003d1697fd4bc45361e222746c

SHA1
e9d4b1073aac15d4dbb430471fcaea549e633d13

SHA256
c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5

SHA512
7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f

Download Submit
\Users\Admin\AppData\Local\Temp\nso8864.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads