e1a8f0816e7036ae477843560a1790275b6bb2c1c0652057eb252517238ef1f6

Analysis

max time kernel
21s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 20:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
Size

35KB
MD5

24d47d0a1bb446d0f7e412d90178c7d3
SHA1

db8a4a96bbe16f7a11f26d789c74d0855f382ed0
SHA256

e1a8f0816e7036ae477843560a1790275b6bb2c1c0652057eb252517238ef1f6
SHA512

c7e2db02d07d671a110233d759c286d9a67886b1e7cdfec0ff2bbbe16e5754516f65fe1e12aaf1b39c99399a670d702bc8dc6c062727a3c1e99444be9c99c61f
SSDEEP

768:BGiuyMy/9pvx7+3XngoQ85OjPRUYILYPV24Z952b+s99I5:OyMI9pvxqnC82KYIEPk4Z6xU

Score

10^/10

discovery evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
3708	rundll32.exe
4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killkb.dll	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4176-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4176-5-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5064	sc.exe
4472	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4024	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3016	taskkill.exe
3808	taskkill.exe
344	taskkill.exe
4392	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3160	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	83
PID 4176 wrote to memory of 3160	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	83
PID 4176 wrote to memory of 3160	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	83
PID 4176 wrote to memory of 2060	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	84
PID 4176 wrote to memory of 2060	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	84
PID 4176 wrote to memory of 2060	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	84
PID 4176 wrote to memory of 3804	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	85
PID 4176 wrote to memory of 3804	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	85
PID 4176 wrote to memory of 3804	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	85
PID 4176 wrote to memory of 540	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	86
PID 4176 wrote to memory of 540	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	86
PID 4176 wrote to memory of 540	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	86
PID 4176 wrote to memory of 4692	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	88
PID 4176 wrote to memory of 4692	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	88
PID 4176 wrote to memory of 4692	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	88
PID 4176 wrote to memory of 4716	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	89
PID 4176 wrote to memory of 4716	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	89
PID 4176 wrote to memory of 4716	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	89
PID 2060 wrote to memory of 4884	2060	cmd.exe	95
PID 2060 wrote to memory of 4884	2060	cmd.exe	95
PID 2060 wrote to memory of 4884	2060	cmd.exe	95
PID 3804 wrote to memory of 4472	3804	cmd.exe	96
PID 3804 wrote to memory of 4472	3804	cmd.exe	96
PID 3804 wrote to memory of 4472	3804	cmd.exe	96
PID 3160 wrote to memory of 2532	3160	cmd.exe	97
PID 3160 wrote to memory of 2532	3160	cmd.exe	97
PID 3160 wrote to memory of 2532	3160	cmd.exe	97
PID 4692 wrote to memory of 3016	4692	cmd.exe	98
PID 4692 wrote to memory of 3016	4692	cmd.exe	98
PID 4692 wrote to memory of 3016	4692	cmd.exe	98
PID 540 wrote to memory of 3808	540	cmd.exe	99
PID 540 wrote to memory of 3808	540	cmd.exe	99
PID 540 wrote to memory of 3808	540	cmd.exe	99
PID 4716 wrote to memory of 344	4716	cmd.exe	100
PID 4716 wrote to memory of 344	4716	cmd.exe	100
PID 4716 wrote to memory of 344	4716	cmd.exe	100
PID 4176 wrote to memory of 3708	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	105
PID 4176 wrote to memory of 3708	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	105
PID 4176 wrote to memory of 3708	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	105
PID 4176 wrote to memory of 2308	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	106
PID 4176 wrote to memory of 2308	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	106
PID 4176 wrote to memory of 2308	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	106
PID 4176 wrote to memory of 3304	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	107
PID 4176 wrote to memory of 3304	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	107
PID 4176 wrote to memory of 3304	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	107
PID 2308 wrote to memory of 5064	2308	cmd.exe	110
PID 2308 wrote to memory of 5064	2308	cmd.exe	110
PID 2308 wrote to memory of 5064	2308	cmd.exe	110
PID 3304 wrote to memory of 4392	3304	cmd.exe	111
PID 3304 wrote to memory of 4392	3304	cmd.exe	111
PID 3304 wrote to memory of 4392	3304	cmd.exe	111
PID 4176 wrote to memory of 4024	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	112
PID 4176 wrote to memory of 4024	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	112
PID 4176 wrote to memory of 4024	4176	24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe	112

C:\Users\Admin\AppData\Local\Temp\24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24d47d0a1bb446d0f7e412d90178c7d3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ekrn.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im egui.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im egui.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ScanFrm.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ScanFrm.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\killkb.dll, droqp
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config avp start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\sc.exe
    sc config avp start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im avp.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im avp.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:4024

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\killkb.dll

Filesize
25KB

MD5
590578650f9a95ae0d6a3a1a70f5be65

SHA1
211523f71ad395e5f35c0f7b79c672169fb65eeb

SHA256
11902d9eeeb456170e0a5070e66acf01a74631fe047d53ca83228d544cdeb0b4

SHA512
cebe7d06f06a991902ef1367ae2d0fc230da46357451eb9eb4856b02c6e24f53a27d02140742b1987c0360cf7f2d1d62ad5d591c2a73feaefa6bb30491f95b54

Download Submit
C:\Windowsupdate.dll

Filesize
62KB

MD5
5804568f87e2f66265208bd3bbaeb269

SHA1
b0b3eb8c9e5668b703494c4d7761104a1f5fa291

SHA256
545c066bc11b25da1c100c0bf2bf908fbe1eb58bff94a56459d7e473afc78793

SHA512
828453e06d49ab41d7022f7bad279cf93f7c110e41364a882db988e93f5dd7718c1c54c8675a70697df1c29be4ca444665772ebba9c3facba97975acea71032e

Download Submit
memory/4176-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4176-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download