e1a8f0816e7036ae477843560a1790275b6bb2c1c0652057eb252517238ef1f6

Analysis

max time kernel
17s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
Size

35KB
MD5

24d47d0a1bb446d0f7e412d90178c7d3
SHA1

db8a4a96bbe16f7a11f26d789c74d0855f382ed0
SHA256

e1a8f0816e7036ae477843560a1790275b6bb2c1c0652057eb252517238ef1f6
SHA512

c7e2db02d07d671a110233d759c286d9a67886b1e7cdfec0ff2bbbe16e5754516f65fe1e12aaf1b39c99399a670d702bc8dc6c062727a3c1e99444be9c99c61f
SSDEEP

768:BGiuyMy/9pvx7+3XngoQ85OjPRUYILYPV24Z952b+s99I5:OyMI9pvxqnC82KYIEPk4Z6xU

Score

10^/10

discovery evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	rundll32.exe
3044	rundll32.exe
3044	rundll32.exe
3044	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killkb.dll	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2380-9-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe
1248	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1852	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1648	taskkill.exe
2712	taskkill.exe
2812	taskkill.exe
2816	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3044	rundll32.exe
3044	rundll32.exe
3044	rundll32.exe
3044	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2244	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2244	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2244	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2244	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2248	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2248	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2248	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2248	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	32
PID 2380 wrote to memory of 3004	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	33
PID 2380 wrote to memory of 3004	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	33
PID 2380 wrote to memory of 3004	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	33
PID 2380 wrote to memory of 3004	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	33
PID 2380 wrote to memory of 2960	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	34
PID 2380 wrote to memory of 2960	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	34
PID 2380 wrote to memory of 2960	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	34
PID 2380 wrote to memory of 2960	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	34
PID 2380 wrote to memory of 3012	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	35
PID 2380 wrote to memory of 3012	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	35
PID 2380 wrote to memory of 3012	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	35
PID 2380 wrote to memory of 3012	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	35
PID 2380 wrote to memory of 3028	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	36
PID 2380 wrote to memory of 3028	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	36
PID 2380 wrote to memory of 3028	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	36
PID 2380 wrote to memory of 3028	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	36
PID 2960 wrote to memory of 2712	2960	cmd.exe	44
PID 2960 wrote to memory of 2712	2960	cmd.exe	44
PID 2960 wrote to memory of 2712	2960	cmd.exe	44
PID 2960 wrote to memory of 2712	2960	cmd.exe	44
PID 3004 wrote to memory of 2716	3004	cmd.exe	43
PID 3004 wrote to memory of 2716	3004	cmd.exe	43
PID 3004 wrote to memory of 2716	3004	cmd.exe	43
PID 3004 wrote to memory of 2716	3004	cmd.exe	43
PID 2244 wrote to memory of 2736	2244	cmd.exe	45
PID 2244 wrote to memory of 2736	2244	cmd.exe	45
PID 2244 wrote to memory of 2736	2244	cmd.exe	45
PID 2244 wrote to memory of 2736	2244	cmd.exe	45
PID 2248 wrote to memory of 2756	2248	cmd.exe	46
PID 2248 wrote to memory of 2756	2248	cmd.exe	46
PID 2248 wrote to memory of 2756	2248	cmd.exe	46
PID 2248 wrote to memory of 2756	2248	cmd.exe	46
PID 3012 wrote to memory of 2812	3012	cmd.exe	47
PID 3012 wrote to memory of 2812	3012	cmd.exe	47
PID 3012 wrote to memory of 2812	3012	cmd.exe	47
PID 3012 wrote to memory of 2812	3012	cmd.exe	47
PID 3028 wrote to memory of 2816	3028	cmd.exe	48
PID 3028 wrote to memory of 2816	3028	cmd.exe	48
PID 3028 wrote to memory of 2816	3028	cmd.exe	48
PID 3028 wrote to memory of 2816	3028	cmd.exe	48
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 3044	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	50
PID 2380 wrote to memory of 996	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	51
PID 2380 wrote to memory of 996	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	51
PID 2380 wrote to memory of 996	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	51
PID 2380 wrote to memory of 996	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	51
PID 2380 wrote to memory of 1116	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	52
PID 2380 wrote to memory of 1116	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	52
PID 2380 wrote to memory of 1116	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	52
PID 2380 wrote to memory of 1116	2380	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	52
PID 996 wrote to memory of 1248	996	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ekrn.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im egui.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im egui.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ScanFrm.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ScanFrm.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\killkb.dll, droqp
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config avp start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\sc.exe
    sc config avp start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im avp.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im avp.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\killkb.dll

Filesize
25KB

MD5
590578650f9a95ae0d6a3a1a70f5be65

SHA1
211523f71ad395e5f35c0f7b79c672169fb65eeb

SHA256
11902d9eeeb456170e0a5070e66acf01a74631fe047d53ca83228d544cdeb0b4

SHA512
cebe7d06f06a991902ef1367ae2d0fc230da46357451eb9eb4856b02c6e24f53a27d02140742b1987c0360cf7f2d1d62ad5d591c2a73feaefa6bb30491f95b54

Download Submit
memory/2380-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2380-9-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2380-15-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download