e3ea21e5073c4a4480b727ed5cd4ac173f9c270c2a4edee41f660c7ab2bbe5c6

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe
Size

348KB
MD5

15479e61dcbe4a0af85f13e251af68b5
SHA1

962625f127b539983b04c12375072156e68fe70b
SHA256

e3ea21e5073c4a4480b727ed5cd4ac173f9c270c2a4edee41f660c7ab2bbe5c6
SHA512

cfbff2614a8181a0f94c06b410b96945acbadc349c610d6e6df72e20229ce75e52c1fe24e8501798a64136774bb9fd94f81c730beb84088a227ac61abc5e5333
SSDEEP

6144:Re4dpV+upoq5/Elu+lmTDI8RB81IdebXR7m6pSsix3Vo/WI4IlsLkRfRjTfIeXCK:/dp0fk0utTUE8hlroJIOINaeXC3a

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2368	MSN.exe
2824	rinst.exe
2740	MultiClient.exe
2716	bpk.exe

Loads dropped DLL 20 IoCs

pid	Process
904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe
2368	MSN.exe
2368	MSN.exe
2368	MSN.exe
2368	MSN.exe
2368	MSN.exe
2824	rinst.exe
2824	rinst.exe
2824	rinst.exe
2824	rinst.exe
2824	rinst.exe
2740	MultiClient.exe
2824	rinst.exe
2740	MultiClient.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2740	MultiClient.exe
2368	MSN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File opened for modification	C:\Windows\SysWOW64\bpk.dat	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MultiClient.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2716	bpk.exe
2740	MultiClient.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2716	bpk.exe
2716	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe
2716	bpk.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 904 wrote to memory of 2368	904	15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2368 wrote to memory of 2824	2368	MSN.exe	30
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2740	2824	rinst.exe	31
PID 2824 wrote to memory of 2716	2824	rinst.exe	32
PID 2824 wrote to memory of 2716	2824	rinst.exe	32
PID 2824 wrote to memory of 2716	2824	rinst.exe	32
PID 2824 wrote to memory of 2716	2824	rinst.exe	32
PID 2824 wrote to memory of 2716	2824	rinst.exe	32
PID 2824 wrote to memory of 2716	2824	rinst.exe	32
PID 2824 wrote to memory of 2716	2824	rinst.exe	32

C:\Users\Admin\AppData\Local\Temp\15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15479e61dcbe4a0af85f13e251af68b5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\MSN.exe
  "C:\Users\Admin\AppData\Local\Temp\MSN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MultiClient.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MultiClient.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2740
  - - C:\Windows\SysWOW64\bpk.exe
      C:\Windows\system32\bpk.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Koxp Bypass.dll

Filesize
65KB

MD5
6df5d905a97d3c4a818b127564bec4ae

SHA1
53b1ff867f370324ab43827cc7ea270d2e51627d

SHA256
b321c2bf10d0e87905c1e62df562e1cbf92ffde277146adc765cbb831ab4eef9

SHA512
974b79ea50ff3dffd4499d19a74ccc117e43cbfcc31ce527e904de26739e972ce8731d3a8876fb20d3d662b96f4a480477930dafad9aeb5078a51334374fb696

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MultiClient.exe

Filesize
159KB

MD5
d83455bc9e6829529004a6b962171ba3

SHA1
8bd869c0925ac5df967953cafc235e29e44f2553

SHA256
63e04ecf4d15ee223cd8da551116cef161266ac87937d0a03e5aa6b1a5101d16

SHA512
66f8421c9e7371650839c5c1ad89236705530e9c25d3720b5f45379b8c1a621170f48e9f30260390ff1f04ebc55f8e48abe8a9f309c1ad47c4a7130d01a825b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
408KB

MD5
33ac8314af3ca9827e4c55b15355737b

SHA1
c86d0f6bc7ad728a95532f5cf3d6cb8ed9e253b7

SHA256
a458e72bc283d080311c3cd80ebdefedc857690021f38fcdbe558de3cd91d4e5

SHA512
7e6209826158fbef6108e01fa7e384faefe04db133db6c2a35d021a7a03c949fe99d245a97db5be5b907f21d53a84798b9f032d64ac605a7ce35cbe21bc45971

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
21KB

MD5
fe317937827d904477c53807b6666ae7

SHA1
580c8de253d5e007a1b0cb891258afb76f2a895c

SHA256
7a9c09a738316915a3970381b46b09f1d55fd6db3c6dc051582fd0a76cc33ccf

SHA512
070708290db4ddd5da80ca14cb5ba3949118e2531f55e1e0cf195cabb17910408b17dcbc2646d7c701f72ca7cc30f78e12b404f70648f259d184daba5e8e95a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
26bcfd9fbe38195cbd69024628adbae5

SHA1
39595ad6ddb6f9f0226a6213794c595ff1a3ad9a

SHA256
afc80cec22f6e48604f1766aa04d2e6e160b1ec0e6b46206607b567c055fccf2

SHA512
bddfba2fac60dea1a91bcb6c272ad69bf3089da640e04820c52e13b1cff009fe414673d4786deb641239fbabc78ff818b58b3a7aa43657a7a61780b913f9b987

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
d730c05c8a7488077eb39a8f65ca9e2e

SHA1
1511ec85286480d938030d639eb5e2620a385b3c

SHA256
dae5df7611ef8fbe02bc5cbbe9184d09768232998da0429f2d2585908156e504

SHA512
7a883b3f4ec74f5c692f957dc4befdcf3177ca4b6b9a586ef2a09abf7dcb3d4c23039b9cf4650325c8c6239578d6c8e74a86f98d9efe80243de3b1cc154a2791

Download Submit
C:\Windows\SysWOW64\bpk.dat

Filesize
4KB

MD5
74ff79a0673d3c2426747d7e5f4d3597

SHA1
6fd8e6f64a0c3a3472c59d4d6309a40a688a86de

SHA256
7f8c67ff2a6281042f1a459ffc3b300bb2676266c5d0722033c073bc94692b49

SHA512
25be69baaed436fce51cc2a0c776b899c20604225e43a151ac12682b74e4eedb29e840df5bd28d857860ea4722669d36d002042991c5043a1710be7a0803feaa

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
c7c2f55811fb4375a75219bdc4c96c46

SHA1
fd7b2afb5d9af612d004c7ec7ae340fd2287e47b

SHA256
c042a09056a3ba25cc8cd6545c4ddf9ffc819a7b3fb50ee15ddbda89574e2897

SHA512
ce9784caa8524c1f0428abd35944f7912e8b46bf57c9b778b4a0c537056ebec4807a73ac5f2fa3094a55460dfc312fa5118c96f83d4e1774d83773d841f8477b

Download Submit
\Users\Admin\AppData\Local\Temp\MSN.exe

Filesize
328KB

MD5
2df869fb36ef0cd932282cec7bff2f4f

SHA1
add7e0593e11f6b75097850f321231a51efdf51a

SHA256
021538ad2288379794b8497aefbfa03cd691f06ead9120d9f17dc633f459b743

SHA512
053fb164d2acdaecf6f8cd70064c7890e1c3f0e27f5ed15502bfd7e2e29147a83d005a54c67127082cf6aa8a76beab828baf8078b4abd4ef02cb3b3edefd3b28

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
\Windows\SysWOW64\bpk.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
\Windows\SysWOW64\bpkhk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
memory/2368-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads