e0a53f10201ced7aba365c7fd288a198d7fe414f074d8f00979be73bde2d8cf1

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
Size

1.8MB
MD5

0f4470c9420900b42bd249ba438f68f3
SHA1

9c9ba954fe03d4718880f694476db01d90dda4bf
SHA256

e0a53f10201ced7aba365c7fd288a198d7fe414f074d8f00979be73bde2d8cf1
SHA512

c2a3180ec9fc8a4e27382c8dc82db90074f17e8bcde5477eb42ca05bd6f23a98f4bce1a791f611fca83aeb58973acaa9ab0d6001b8282bbe8545e9c81f6961ee
SSDEEP

24576:lLnaj7ySWIq2wfrx+P4TbTq/aA8ttknGTE8vlj+9A3SvGIGV/wgMGsTAo:FELq3Dk4nWi8MEUlhcGp/wgEko

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2748	tmpUI.exe
2688	tmpt.exe
2736	isass.exe

Loads dropped DLL 7 IoCs

pid	Process
3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
2688	tmpt.exe
2688	tmpt.exe
2736	isass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\isass.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Roaming\\isass.exe\""	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-08\bin\jusched.exe	tmpUI.exe
File created	C:\Program Files (x86)\Java\jre-08\bin\UF	tmpUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2568	reg.exe
2104	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	isass.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2748	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2748	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2748	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2748	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2688	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2688	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2688	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2688	3028	0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2736	2688	tmpt.exe	32
PID 2688 wrote to memory of 2736	2688	tmpt.exe	32
PID 2688 wrote to memory of 2736	2688	tmpt.exe	32
PID 2688 wrote to memory of 2736	2688	tmpt.exe	32
PID 2688 wrote to memory of 2652	2688	tmpt.exe	33
PID 2688 wrote to memory of 2652	2688	tmpt.exe	33
PID 2688 wrote to memory of 2652	2688	tmpt.exe	33
PID 2688 wrote to memory of 2652	2688	tmpt.exe	33
PID 2652 wrote to memory of 2552	2652	cmd.exe	35
PID 2652 wrote to memory of 2552	2652	cmd.exe	35
PID 2652 wrote to memory of 2552	2652	cmd.exe	35
PID 2652 wrote to memory of 2552	2652	cmd.exe	35
PID 2552 wrote to memory of 2568	2552	cmd.exe	36
PID 2552 wrote to memory of 2568	2552	cmd.exe	36
PID 2552 wrote to memory of 2568	2552	cmd.exe	36
PID 2552 wrote to memory of 2568	2552	cmd.exe	36
PID 2688 wrote to memory of 2352	2688	tmpt.exe	37
PID 2688 wrote to memory of 2352	2688	tmpt.exe	37
PID 2688 wrote to memory of 2352	2688	tmpt.exe	37
PID 2688 wrote to memory of 2352	2688	tmpt.exe	37
PID 2352 wrote to memory of 2216	2352	cmd.exe	39
PID 2352 wrote to memory of 2216	2352	cmd.exe	39
PID 2352 wrote to memory of 2216	2352	cmd.exe	39
PID 2352 wrote to memory of 2216	2352	cmd.exe	39
PID 2216 wrote to memory of 2104	2216	cmd.exe	40
PID 2216 wrote to memory of 2104	2216	cmd.exe	40
PID 2216 wrote to memory of 2104	2216	cmd.exe	40
PID 2216 wrote to memory of 2104	2216	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f4470c9420900b42bd249ba438f68f3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\tmpUI.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\tmpt.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\isass.exe
    "C:\Users\Admin\AppData\Roaming\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Roaming\isass.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Roaming\isass.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Roaming\isass.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Roaming\isass.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.bat

Filesize
146B

MD5
f772c026999177b2c5d4d6fa4796463a

SHA1
ad63f59dbfbc7d50a6b490ada2f95c96c20a6300

SHA256
18e5f358eef6c1e4b68a9b27b203e3c2aedfa1a21a9fb227552e806caa8aa0a5

SHA512
f849487fd5f2b7a8a3efbc2f59450cc56433b7eac97837deeeac9dd421dadeb93f2ce415ee58540f3310e4005b4fb6b5f5c5e3ff6fe2137e4b346e84378fadc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpt.exe

Filesize
1.1MB

MD5
2dad04c682464650f4dd8b6a5fe32f12

SHA1
fbd620787a85cf789ff5d5d2e6bd133c4200bc34

SHA256
0626312a5f30a8eb1a727be27e97d5b9a8c74333b5d020f56e767373942bda72

SHA512
320b331d2c65d2f91f059ef7eb698e279de731c68f08d6290c80765ce03a76d5464b81476ad46be145c162ca031cd0a175d3ad6c159e9feec8811cca42c56aee

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
149KB

MD5
1f450323c7ae5060f71d4cb20f8ea5a8

SHA1
06ef7b16954288baf74d80316748f884d6b675fb

SHA256
8549da573e97faaaa235a1c75f5174bf5061e8e3325a84a909d60771b93a977e

SHA512
9151f84dbcfd4daf179002df1db4fc72a732b24c0bc9364d2fed3d96fc620b36c242460a55ef02c167ecad5a84613d627b01f30c5c271d21fcdd960950365585

Download Submit
\Users\Admin\AppData\Local\Temp\tmpUI.exe

Filesize
63KB

MD5
789c7ca95ac69631edf013583516c7ce

SHA1
2715941968d7606a131356cbbf5c880ddabd80f7

SHA256
672e6e2d6a38d8a18b11b8c517b47ab5d79fb08b432c9af5bb9d6bce4021938a

SHA512
432310a5c7e4feccb1a0e50da0c374cdcc73d3596899ad88cd634847b216786b653b487306da2330898afff74d5395af89eec0e561cfa4274e065aaf014b142d

Download Submit
\Users\Admin\AppData\Roaming\isass.exe

Filesize
147KB

MD5
7b449c21820e95b231797647e7b2a2b6

SHA1
cc0511fb26fa71be0cba562fb876137df5105028

SHA256
368ae2588e5e08ce5cde38cb7a8a536e22d990f409b6801d46587e4241aad4aa

SHA512
47434030cadbf0a3528a9e64cd0e3ad4d5b8e0e93fa1d5203ac3628c5c8b649cfa048eaa8c67ed5d78db207ac7512a917dba5de54ca81b8d9cb1b2037115ee20

Download Submit
memory/2688-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2688-55-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2736-54-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/2736-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3028-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3028-19-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads