dc7c2199b0fd054c5ca80bc5ab5c0f4995b028203b7a1855537049ed8ed02f38

Analysis

max time kernel
148s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Size

84KB
MD5

26320550c47aab1b17281e7bcf9ac20e
SHA1

285c5a8de78f6ac0167694aaa61e161248e65fc9
SHA256

dc7c2199b0fd054c5ca80bc5ab5c0f4995b028203b7a1855537049ed8ed02f38
SHA512

96347368941e3dedb98bc4b89527158aa122921a2c8837e9cb11225e42e0e6f3ae1dac37a2f8a8a6d7e5ad3d62a8f8e4aa7c333a3f40d7eb4a75d68054990d20
SSDEEP

1536:BEJXKHcshWT4bgILMbY+UYwUBXfY3LMZhugjzVdxP3Yz:4shgHILJUBA4ln6

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{rwhabuka-hqqy-sxol-kinf-xvgikmuenive}\stubpath = "C:\\Windows\\pkxer.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{rwhabuka-hqqy-sxol-kinf-xvgikmuenive}	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b92-38.dat	acprotect

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pkxer.exe	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
File created	C:\Windows\pkxer.exe	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
File opened for modification	C:\Windows\pkxer.dll	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
File created	C:\Windows\pkxer.dll	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
File opened for modification	C:\Windows\xkrbd.imk	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1460	svchost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeBackupPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeRestorePrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeDebugPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeUndockPrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: 33	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: 34	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: 35	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
Token: 36	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83
PID 2972 wrote to memory of 1460	2972	26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26320550c47aab1b17281e7bcf9ac20e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\pkxer.dll

Filesize
64KB

MD5
f946c086e9ba84052a903e6b77c11bb1

SHA1
c13d34802eba4a7fed16cec43530991c740ff9b8

SHA256
3fc022b14eac6c38f77d0374d6bbb43b82ab5a1e4d7474b2ed9c84cc51e12e2b

SHA512
9863b9844574654e7a0d40c82299c596380a65bd0873246aba9a11f22642785abf4e1d9c3e32010ec2b0964a6eb17eb2ed4c30bbea28d40b77f2029e32240723

Download Submit
C:\Windows\pkxer.exe

Filesize
84KB

MD5
26320550c47aab1b17281e7bcf9ac20e

SHA1
285c5a8de78f6ac0167694aaa61e161248e65fc9

SHA256
dc7c2199b0fd054c5ca80bc5ab5c0f4995b028203b7a1855537049ed8ed02f38

SHA512
96347368941e3dedb98bc4b89527158aa122921a2c8837e9cb11225e42e0e6f3ae1dac37a2f8a8a6d7e5ad3d62a8f8e4aa7c333a3f40d7eb4a75d68054990d20

Download Submit
C:\Windows\xkrbd.imk

Filesize
137B

MD5
95ff4838e883244e4821d26e6207c577

SHA1
124a917b0ba66131abdfdb34fd4c18660ae0e4b3

SHA256
d8a42d3af27bbf369c7767205799d72a5d43ed40f3bd1469991e6f0ca473007f

SHA512
ddfb14050b025c4b85326c639fb5476ec5b58bd7e0cb4e7c23ef4302b925da07f0f5f68ed2436e37050fdee141e5d19ee77f6891a48845d596ff42a5739054e8

Download Submit
memory/1460-46-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1460-52-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1460-36-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/1460-37-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1460-10-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/1460-45-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1460-9-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1460-42-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1460-44-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1460-47-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2972-33-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2972-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads