ca6f51b72da84d066de27c621e672834aed99216d744e3a6dffe25db7860430a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe
Size

131KB
MD5

2a802ea6169e6e3b8a341279235feedd
SHA1

ec63096a0f9ba628fc8f6824b1ba8995f20172bf
SHA256

ca6f51b72da84d066de27c621e672834aed99216d744e3a6dffe25db7860430a
SHA512

6c18ff928cbb2c81d70f7091e568ff9f9b9b8b175bc567126e78429c1a20a41e497fe319f79878235b235a6cc14e330ba38668b2e478015e43241949446ef3cb
SSDEEP

3072:7ftffjmNXiyPAERE/So/arIEKNDZQhutbBb/zpEPAh:7VfjmNX/PAZAIEk+ybl/tEPAh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	Logo1_.exe
888	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2660	cmd.exe
2660	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2660	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2660	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2660	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2660	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2820	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2820	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2820	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2820	2212	2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2752	2820	Logo1_.exe	32
PID 2820 wrote to memory of 2752	2820	Logo1_.exe	32
PID 2820 wrote to memory of 2752	2820	Logo1_.exe	32
PID 2820 wrote to memory of 2752	2820	Logo1_.exe	32
PID 2752 wrote to memory of 2736	2752	net.exe	35
PID 2752 wrote to memory of 2736	2752	net.exe	35
PID 2752 wrote to memory of 2736	2752	net.exe	35
PID 2752 wrote to memory of 2736	2752	net.exe	35
PID 2660 wrote to memory of 888	2660	cmd.exe	36
PID 2660 wrote to memory of 888	2660	cmd.exe	36
PID 2660 wrote to memory of 888	2660	cmd.exe	36
PID 2660 wrote to memory of 888	2660	cmd.exe	36
PID 2820 wrote to memory of 1208	2820	Logo1_.exe	21
PID 2820 wrote to memory of 1208	2820	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF98B.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      PID:888
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
50b62c1df0608cf31c11c53b67143ffb

SHA1
ed6bca188a9557668f49f6405d3ce2f7df888e86

SHA256
c6c19f8e77dc7c6147e2c2dc8a8c3e76aaeaf05824ba02e7eed5824483a4d559

SHA512
a2904addd446cfd553b6cc747d68fa6c0b58392809020eab3213a8b788102b249e65ab33585de4cf3170ebc09b35863e1520cb77873cc94f5b1eaf8ebffe22c3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF98B.bat

Filesize
614B

MD5
8c1f22d7ece829be11d1bece44b50968

SHA1
85f12f780b508233204c88d239aa1603dfbcbc2b

SHA256
8a7e2bd333025d70262754679db1af36c05f05428440b5f87ef48cd891b4c040

SHA512
f199e1ceedf09159d5459db31d29152a0b4a43140993f0b45dec49ff294f63338c737d9ae4269144979344ca7589b8b3f30997a30768aab5b3bdcb7b251a5715

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a802ea6169e6e3b8a341279235feedd_JaffaCakes118.exe.exe

Filesize
105KB

MD5
4586b12af86cc1dbea01dfa961f20886

SHA1
1b531eee6864c0aac2e08fbf8883a1b6aaa9c1f2

SHA256
e6018c7f94622dd5e27b2f8ab6904dfe0a4079484476c9b69c54a54a86b541f4

SHA512
2f6b76b2f8034b95bd9df6950c156409f6bcc122683f909a456aadacb57a06c7d1a8d7d6354d41063d82da30cb89809591204c40eea3921db11d49024d56d527

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
340286e920392ffcfda17fe3f9acd9cf

SHA1
381ed2264eaa3bcf71d564361ea4fab604a8a688

SHA256
2a08465b555785a08fb1046ac9ab4a3fe0efb97a07c0836fc61e77e5e68f9f0c

SHA512
23fd5ef928388633b222f08587b43042fa72d13b4bfcd16d37094836157946e5f572be48da222773e5bbf481dc7e156cff587932d502d54659b938ae5b3adec5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

Filesize
9B

MD5
1db84ab14f95c77ed9f73b444afe7548

SHA1
a3c8282dbe6b16a8a263409827e1c94488e82bab

SHA256
395bbd0ae569524e627b9b111a4ac729f524e449f7dd8a1ae4d810f72e505b0e

SHA512
fc82a2c81847882cfa78770c057a0ee8c814cb4d0f2902714f30f156f25e05e8419675e0c0700d5085d97879ccb2f7329c6251debaff4a8489fedc7910901047

Download Submit
memory/1208-30-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2212-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-1876-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-3336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download