cbb16aaa6b5a4277dd7077e28412e58981ea6edf784b20f5fb02aa8e57b3ddf2

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe
Size

1.0MB
MD5

2616445b0b58063980d3bc2b0da2feed
SHA1

70165e724e514d649e08a81e0ef1f16030b9daba
SHA256

cbb16aaa6b5a4277dd7077e28412e58981ea6edf784b20f5fb02aa8e57b3ddf2
SHA512

52aed930302344a58d70ae94159b042d9854802e3bdf5239ff73d93492a30deaa4396d11059b075f2aeef98a3c7f2630030faa1c909da320e9b9b104d6620d07
SSDEEP

24576:UXQKznLsKA4bTlV9vwSfeqsxC3oh4Rj5xrYIKsIp1:2FTl7vyYUQ9K3

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c97-19.dat	acprotect
behavioral2/files/0x0007000000023c96-23.dat	acprotect

Executes dropped EXE 11 IoCs

pid	Process
1988	IUB.EXE
3156	ashsvc.exe
232	SVCHOSI.EXE
4748	COM2.EXE
4516	SVCHOSI.EXE
5068	COM1.EXE
4436	ashsvc.exe
2532	IUB.EXE
4864	COM2.EXE
3436	IUB.EXE
3680	COM2.EXE

Loads dropped DLL 6 IoCs

pid	Process
3156	ashsvc.exe
3156	ashsvc.exe
3156	ashsvc.exe
4436	ashsvc.exe
4436	ashsvc.exe
4436	ashsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSix = "C:\\Windows\\System32\\SVCHOSI.EXE"	REG.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.exe	SVCHOSI.EXE
File created	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOSI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOSI.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1916	REG.exe
848	REG.exe
4296	REG.exe
4164	REG.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3156	ashsvc.exe
3156	ashsvc.exe
4436	ashsvc.exe
4436	ashsvc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe
1988	IUB.EXE
232	SVCHOSI.EXE
4748	COM2.EXE
4516	SVCHOSI.EXE
5068	COM1.EXE
2532	IUB.EXE
4864	COM2.EXE
3436	IUB.EXE
3680	COM2.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 1988	3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe	86
PID 3484 wrote to memory of 1988	3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe	86
PID 3484 wrote to memory of 1988	3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe	86
PID 1988 wrote to memory of 3156	1988	IUB.EXE	87
PID 1988 wrote to memory of 3156	1988	IUB.EXE	87
PID 1988 wrote to memory of 3156	1988	IUB.EXE	87
PID 1988 wrote to memory of 232	1988	IUB.EXE	88
PID 1988 wrote to memory of 232	1988	IUB.EXE	88
PID 1988 wrote to memory of 232	1988	IUB.EXE	88
PID 3484 wrote to memory of 4748	3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe	89
PID 3484 wrote to memory of 4748	3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe	89
PID 3484 wrote to memory of 4748	3484	2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe	89
PID 4748 wrote to memory of 848	4748	COM2.EXE	94
PID 4748 wrote to memory of 848	4748	COM2.EXE	94
PID 4748 wrote to memory of 848	4748	COM2.EXE	94
PID 4748 wrote to memory of 4296	4748	COM2.EXE	96
PID 4748 wrote to memory of 4296	4748	COM2.EXE	96
PID 4748 wrote to memory of 4296	4748	COM2.EXE	96
PID 4748 wrote to memory of 4516	4748	COM2.EXE	97
PID 4748 wrote to memory of 4516	4748	COM2.EXE	97
PID 4748 wrote to memory of 4516	4748	COM2.EXE	97
PID 1988 wrote to memory of 5068	1988	IUB.EXE	99
PID 1988 wrote to memory of 5068	1988	IUB.EXE	99
PID 1988 wrote to memory of 5068	1988	IUB.EXE	99
PID 4748 wrote to memory of 4164	4748	COM2.EXE	100
PID 4748 wrote to memory of 4164	4748	COM2.EXE	100
PID 4748 wrote to memory of 4164	4748	COM2.EXE	100
PID 4748 wrote to memory of 1916	4748	COM2.EXE	101
PID 4748 wrote to memory of 1916	4748	COM2.EXE	101
PID 4748 wrote to memory of 1916	4748	COM2.EXE	101
PID 4748 wrote to memory of 4436	4748	COM2.EXE	104
PID 4748 wrote to memory of 4436	4748	COM2.EXE	104
PID 4748 wrote to memory of 4436	4748	COM2.EXE	104
PID 232 wrote to memory of 2532	232	SVCHOSI.EXE	105
PID 232 wrote to memory of 2532	232	SVCHOSI.EXE	105
PID 232 wrote to memory of 2532	232	SVCHOSI.EXE	105
PID 232 wrote to memory of 4864	232	SVCHOSI.EXE	106
PID 232 wrote to memory of 4864	232	SVCHOSI.EXE	106
PID 232 wrote to memory of 4864	232	SVCHOSI.EXE	106
PID 232 wrote to memory of 3436	232	SVCHOSI.EXE	107
PID 232 wrote to memory of 3436	232	SVCHOSI.EXE	107
PID 232 wrote to memory of 3436	232	SVCHOSI.EXE	107
PID 232 wrote to memory of 3680	232	SVCHOSI.EXE	108
PID 232 wrote to memory of 3680	232	SVCHOSI.EXE	108
PID 232 wrote to memory of 3680	232	SVCHOSI.EXE	108

C:\Users\Admin\AppData\Local\Temp\2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2616445b0b58063980d3bc2b0da2feed_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3156
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2532
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3436
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3680
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5068
- C:\COM2.EXE
  \\.\C:\COM2.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v NTLOADER REG_SZ /d "C:\COM2.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:848
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v WinSix /t REG_SZ /d "C:\Windows\System32\SVCHOSI.EXE"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4296
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4516
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4164
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1916
- - C:\Windows\SysWOW64\2026\2045\ashsvc.exe
    C:\Windows\System32\2026\2045\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\COM2.EXE

Filesize
1.0MB

MD5
983af4b338efe2b42e90e821d0501564

SHA1
e854e7d65710642b32bbf3444c4e21fbd7580558

SHA256
167ddeb6df4bd32ca826ae529b6f827e9588264d8f6531699d60c7dcc44d621c

SHA512
c215d38f064aaab30af2fce5d15c767cab7422c874991fe36f204e42826fb5a4e501c635ec278fe66c6efb8a6487fc9e11e7f61dfdc5a516551e40fb20e98e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE

Filesize
1.0MB

MD5
20ba5d2f122634169e0c1c43e08923ac

SHA1
70447919e4ce709d62da5affc6f7c6f5b2b7e987

SHA256
9882617828d5b4a94fbcb935e447bae134c8cad58263e11409af9c56acc1cc05

SHA512
e745790e04802628b540879f12d7d5b4eb15d66396a2b5c3c4a3c4b885c2838e7f95caa81d39a530388c02c68b22b7a5d1b786bcf061b2c1c1fde156eac47123

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
1.0MB

MD5
fde9a635cebdf4d30d89fab8d9b37ae1

SHA1
06ed294b16ef43b4119c7c2c19d2db6db91b3d55

SHA256
1cf69f58dec0e80e3ddeb6a81409cbfd5f5cb206e413e1b35bb7e23a9b1a6470

SHA512
b6c8164a9c12f7e7befa1030ae098f1c3b69e1e431c7e6e3f89991674662287089b9c9237e95c8a04a23d731a89a6dd6da5b76140f3791d240612708049dffe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\LIBEAY32.dll

Filesize
494KB

MD5
198d065bd0714482011917307c9ebf46

SHA1
b834c8a5396e59b0fd051dda8849cf9b999aa625

SHA256
acee024120921b1f406d6d7f6d5facf054083ab55993ce4c1ba5ebd6595c7e43

SHA512
489d38aee5d95a9611aff4b170113250d1608e9dc3f496f73018e9980de91f30e58edec0e37d4468f093867d5848044136b0934ee35345daa5a63c73b3e96120

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe

Filesize
125KB

MD5
b33db6ac948c4b6e8d0e5c082b9a303a

SHA1
261fd70fb578503c770d0aaccc4fb861cf9ce7fe

SHA256
b50406caf4b61ca379c6408631d4916f33b87efd3d5f23fb9a7433dd4ff78121

SHA512
24123ecb50205122dbaf595822a5165e2eb370c78bea45122ef1af95c128ced2f1834a5e3d301047bf62bf104cf7038e8e47fa5b926c28f4b29406cdfac17045

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ssleay32.dll

Filesize
117KB

MD5
c1afdf88451258af208c2eaf90a3e074

SHA1
cc3473b7949e631c4ca0bec21d9430e34e310f2f

SHA256
295331b60026555ea5f27f0e87d5b9d90a5c5fedb656c945d80a3470d4851cc8

SHA512
768330c2bc3ec9ac6803532d833200569442fc5d95193562d8811695b649400eba2ea8166d4f7806a7d9bf6ffbd80c74983f5d05d6698b8f877796f542913609

Download Submit
C:\Windows\SysWOW64\SVCHOSI.EXE

Filesize
1.0MB

MD5
2afa02f694919db1f166e5fa6d3bd494

SHA1
80a0b55499da7c9e601985d2e5970a8b7208aee8

SHA256
3a4e980ff63bdc08e4dc6ef77def1a5f5c91ec8d02db3a9979185ff1e1c4b6f4

SHA512
19a1b90798a5e4b12c81c4fbf307b99aaeb38838ebfdfc50d75156e0b6c96e354910f57a3dd3eced7eb7749015a407f73d748bd37186b9000359694ed4097cca

Download Submit
memory/232-51-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/232-37-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1988-95-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1988-22-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/1988-6-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/2532-107-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3156-26-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-17-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3156-28-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3156-43-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-29-0x0000000000E40000-0x0000000000E8B000-memory.dmp

Filesize
300KB

Download
memory/3156-30-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/3436-138-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3484-0-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3484-55-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3484-10-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3680-143-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3680-146-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/4436-90-0x00000000006F0000-0x000000000073B000-memory.dmp

Filesize
300KB

Download
memory/4436-91-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4436-89-0x00000000006F0000-0x000000000073B000-memory.dmp

Filesize
300KB

Download
memory/4436-88-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4436-92-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4516-63-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/4748-53-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/4748-94-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/4748-44-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/4864-115-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/5068-73-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/5068-66-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download