df39062472a59fb27f9951169229053a7cd2c49d1fe0bc1abe1d10548c44695d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe
Size

220KB
MD5

165a4ffdc2704770eeef07e1e5146c94
SHA1

db54b38dff50e311e8edb4653443ef4b38600f5d
SHA256

df39062472a59fb27f9951169229053a7cd2c49d1fe0bc1abe1d10548c44695d
SHA512

3c3786853e4ac4ae35f86c364bb8be4757961651b039b9b1a8630e25f53572c73c3012db1f07f335dbc3a2fd654bb58700138f527bf2631c7d7428dbc182afc1
SSDEEP

3072:yOkEXFtVI7huijzivefSjIeVXcJZn+ehHcNeBS1SNmiH3jDfRtoJpUCIwZ1ApqKw:fkEXFtV6ncxXcJZkNe6fQB2zUDw

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\imapioko.sys	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2144	netsh.exe
4372	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cpqoko6\Parameters\ServiceDll = "C:\\Windows\\system32\\erokosvc.dll"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
3920	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe

Loads dropped DLL 1 IoCs

pid	Process
4904	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\erokosvc.dll	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1776	sc.exe
2980	sc.exe
3148	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cMd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4860	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TP = "1000"	reg.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2896	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	82
PID 4072 wrote to memory of 2896	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	82
PID 4072 wrote to memory of 2896	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	82
PID 4072 wrote to memory of 3112	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	84
PID 4072 wrote to memory of 3112	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	84
PID 4072 wrote to memory of 3112	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	84
PID 3112 wrote to memory of 3920	3112	CmD.exe	86
PID 3112 wrote to memory of 3920	3112	CmD.exe	86
PID 3112 wrote to memory of 3920	3112	CmD.exe	86
PID 4072 wrote to memory of 3812	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	94
PID 4072 wrote to memory of 3812	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	94
PID 4072 wrote to memory of 3812	4072	165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe	94
PID 3812 wrote to memory of 2548	3812	cMd.exe	96
PID 3812 wrote to memory of 2548	3812	cMd.exe	96
PID 3812 wrote to memory of 2548	3812	cMd.exe	96
PID 3812 wrote to memory of 2144	3812	cMd.exe	97
PID 3812 wrote to memory of 2144	3812	cMd.exe	97
PID 3812 wrote to memory of 2144	3812	cMd.exe	97
PID 3812 wrote to memory of 4372	3812	cMd.exe	98
PID 3812 wrote to memory of 4372	3812	cMd.exe	98
PID 3812 wrote to memory of 4372	3812	cMd.exe	98
PID 3812 wrote to memory of 1776	3812	cMd.exe	99
PID 3812 wrote to memory of 1776	3812	cMd.exe	99
PID 3812 wrote to memory of 1776	3812	cMd.exe	99
PID 3812 wrote to memory of 4296	3812	cMd.exe	100
PID 3812 wrote to memory of 4296	3812	cMd.exe	100
PID 3812 wrote to memory of 4296	3812	cMd.exe	100
PID 3812 wrote to memory of 2940	3812	cMd.exe	101
PID 3812 wrote to memory of 2940	3812	cMd.exe	101
PID 3812 wrote to memory of 2940	3812	cMd.exe	101
PID 3812 wrote to memory of 368	3812	cMd.exe	102
PID 3812 wrote to memory of 368	3812	cMd.exe	102
PID 3812 wrote to memory of 368	3812	cMd.exe	102
PID 3812 wrote to memory of 2980	3812	cMd.exe	103
PID 3812 wrote to memory of 2980	3812	cMd.exe	103
PID 3812 wrote to memory of 2980	3812	cMd.exe	103
PID 3812 wrote to memory of 3148	3812	cMd.exe	105
PID 3812 wrote to memory of 3148	3812	cMd.exe	105
PID 3812 wrote to memory of 3148	3812	cMd.exe	105
PID 3812 wrote to memory of 4860	3812	cMd.exe	106
PID 3812 wrote to memory of 4860	3812	cMd.exe	106
PID 3812 wrote to memory of 4860	3812	cMd.exe	106

C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\CmD.exe
  CmD /c copy "C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\CmD.exe
  CmD /c ""C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe" /okoarg > "C:\Users\Admin\AppData\Local\Temp\w3oko.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe" /okoarg
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3920
- C:\Windows\SysWOW64\cMd.exe
  cMd /c "C:\Users\Admin\AppData\Local\Temp\w3oko.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\reg.exe
    reG aDd "hklm\SOFTWARE\Microsoft\Internet Explorer\Main" /v TP /t ReG_Sz /d 1000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2548
- - C:\Windows\SysWOW64\netsh.exe
    NetSh FIReWAlL Add allOweDPrOgrAm naMe="BlueSoleil OKO" prOGram="C:\Windows\system32\svchost.exe" mode=ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\netsh.exe
    nETsH fIrEwaLl aDD pOrToPEnIng tcP 8085 "OKOToGate" eNABLe
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Windows\SysWOW64\sc.exe
    Sc CreATe "cpqoko6" tyPE= share start= auto binPaTh= "C:\Windows\system32\svchost.exe -k tapisrvs" DisplayName= "Service Serenum Temporary CPL Search HID Bluetooth SyncMgr"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\cpqoko6\Parameters" /v ServiceDll /t ReG_EXpaND_Sz /d "C:\Windows\system32\erokosvc.dll" /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - System Location Discovery: System Language Discovery
    PID:4296
- - C:\Windows\SysWOW64\reg.exe
    rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\cpqoko6" /v FailureActions /t rEG_BInaRY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    ReG adD "hklm\SOfTwaRe\mIcrOSoFt\WiNdoWs nt\CURrENtveRSiOn\svcHoSt" /v tapisrvs /t rEg_mULti_sz /d "cpqoko6\0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:368
- - C:\Windows\SysWOW64\sc.exe
    sc start "cpqoko6"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\sc.exe
    sc boot ok
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3148
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k tapisrvs -s cpqoko6
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\165a4ffdc2704770eeef07e1e5146c94_JaffaCakes118.exe.exe

Filesize
220KB

MD5
165a4ffdc2704770eeef07e1e5146c94

SHA1
db54b38dff50e311e8edb4653443ef4b38600f5d

SHA256
df39062472a59fb27f9951169229053a7cd2c49d1fe0bc1abe1d10548c44695d

SHA512
3c3786853e4ac4ae35f86c364bb8be4757961651b039b9b1a8630e25f53572c73c3012db1f07f335dbc3a2fd654bb58700138f527bf2631c7d7428dbc182afc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\w3oko.bat

Filesize
1KB

MD5
c4bbbb06b8ce7a04474a8601e5857a5a

SHA1
0e8c65daf2f6419bce793b67acdd906f1e8418bc

SHA256
9491767a11dd3da6f27befe20ae527a0257c6edb76193ba81dc184a941107754

SHA512
2bceaab0a770961983a063210f79301d4eb4ebf8785815165b4168bf6dec044e5e566d95c14de02c5a750fc507ff2fd871bf5d3667c1a750abc3031f6aa28421

Download Submit
C:\Windows\SysWOW64\erokosvc.dll

Filesize
118KB

MD5
14947076c826c1ae5cb965cd1bd2efcb

SHA1
550a0115ad401ce0c37ec45de94c9004ff46cc4b

SHA256
f49a73b3006891c7fcf38157f3923c44fe89e4f298429b2df6139c2e2964f9e0

SHA512
6cf84506bc1e8c045e61eea107c36809f246d1a535d01d77760f8cba3e57a32028254fc053afae30342f18adb164b3fb10bdcbeb0c3520923a16d9b7f1c19169

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads