dfee87306b0cdc097712cac9049a4b25f663a3c6b240afe56c3d3ef0f593351c

Analysis

max time kernel
141s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
Size

1.6MB
MD5

3a73402533b089cd9b5e4bc7c3c8c8f7
SHA1

bac95b5c11e121438c0b76d5f00844041c50343f
SHA256

dfee87306b0cdc097712cac9049a4b25f663a3c6b240afe56c3d3ef0f593351c
SHA512

a06554d2d9b20755e27ffcc33686b7a967af6db0f5faae14ad907adae9f643d5fbc3f8608be6401deb0618c0aa0fd2932a8a871288f061c83268811b8196b231
SSDEEP

49152:dYmxMr05DEm9D1qbPwzyGglnni5K6poaZBha5NW2pMWzlKaca1:dYmUkDEm9D1qbPwzXglni5K6poaZBhap

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
932	dllhost.exe
2924	2009_9_17_8.32.53.exe
2920	2009_9_17_8.32.53.exe

Loads dropped DLL 6 IoCs

pid	Process
1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
932	dllhost.exe
1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
2924	2009_9_17_8.32.53.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLLHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\""	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 2920	2924	2009_9_17_8.32.53.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2009_9_17_8.32.53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2656	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	932	dllhost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
932	dllhost.exe
2924	2009_9_17_8.32.53.exe
2924	2009_9_17_8.32.53.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 932	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	29
PID 1344 wrote to memory of 932	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	29
PID 1344 wrote to memory of 932	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	29
PID 1344 wrote to memory of 932	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	29
PID 1344 wrote to memory of 2924	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2924	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2924	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2924	1344	3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe	30
PID 932 wrote to memory of 2780	932	dllhost.exe	31
PID 932 wrote to memory of 2780	932	dllhost.exe	31
PID 932 wrote to memory of 2780	932	dllhost.exe	31
PID 932 wrote to memory of 2780	932	dllhost.exe	31
PID 2780 wrote to memory of 2836	2780	cmd.exe	33
PID 2780 wrote to memory of 2836	2780	cmd.exe	33
PID 2780 wrote to memory of 2836	2780	cmd.exe	33
PID 2780 wrote to memory of 2836	2780	cmd.exe	33
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2924 wrote to memory of 2920	2924	2009_9_17_8.32.53.exe	34
PID 2836 wrote to memory of 2656	2836	cmd.exe	35
PID 2836 wrote to memory of 2656	2836	cmd.exe	35
PID 2836 wrote to memory of 2656	2836	cmd.exe	35
PID 2836 wrote to memory of 2656	2836	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a73402533b089cd9b5e4bc7c3c8c8f7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c system.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Roaming\dllhost.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Roaming\dllhost.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2656
- C:\Users\Admin\AppData\Roaming\2009_9_17_8.32.53.exe
  "C:\Users\Admin\AppData\Roaming\2009_9_17_8.32.53.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Roaming\2009_9_17_8.32.53.exe
    C:\Users\Admin\AppData\Roaming\2009_9_17_8.32.53.exe
    3⤵
    - Executes dropped EXE
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
149B

MD5
28f4505278ee06a7206d6056903ca5b6

SHA1
7c882c069096696a15976bee74f0922f81aa38ae

SHA256
0f63764b7a66b7436fc4f67d6d8e28a4b844643bb78adc1330a552d8421b8a88

SHA512
ca81dae7a6fc531c2fb9170cba6ffe8669b1bd7907396c735c72951e57960070d2c2e668efad714b2391c3f3bfc04efd84fb7046a587d7ddb6b2b5248869dd0c

Download Submit
C:\Users\Admin\AppData\Roaming\2009_9_17_8.32.53.exe

Filesize
76KB

MD5
81d7a521fb019d7b9a88615fd112b856

SHA1
cb9f1f4b7b5a8309d19e672ee953913cbc28df25

SHA256
49b71c9df5e0311ed2b9dca200096c75ea9c0187fa2049dfdc0cc9528a8bf7b3

SHA512
e8baaade2699e333fdfedd8700a60d7f0ae77e44d6995bca1383b3bea948dfd3eb646381feb763f21e8c7751fb429a7e5ee806d66c52588bffe2a07b48a7fb26

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
633KB

MD5
fee0b6126ff99ddd3a56d453cd2750b7

SHA1
c930ac8217ffd3b2b9e9bc21fb3cf0fa12ee18fc

SHA256
0bcf1b94294cc4d012882cad8018f15bf40a202fd7ec3ecbc10d10221f25cbb2

SHA512
c5171aa6a1ff328e7441faeb0cfdf188da25e2ce71b1047518cc7b09690a7d09250049a1d72779c6f676ee5a1dab229a68fdd624ccf7dabe8021392136f81048

Download Submit
\Users\Admin\AppData\Roaming\ntcom.dll

Filesize
374KB

MD5
0d8d5ef2b25e1b4b687d56e1336a3de2

SHA1
417c6a1ce572747b53eb6c761e8961fdbf006eee

SHA256
a5d14c09bff2ffa9ea1964878847ff840717214bafaed44611bd039dc0de2cb6

SHA512
a555f59f81829f6a60062fd187a5f140060de02a8629658893a4f41679f39ea70410e6c0735b404e9ec8cda3fea60101603e966ded3af38a351f890dfea206ba

Download Submit
memory/932-52-0x00000000002E0000-0x0000000000343000-memory.dmp

Filesize
396KB

Download
memory/932-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/932-15-0x00000000002E0000-0x0000000000343000-memory.dmp

Filesize
396KB

Download
memory/932-51-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download
memory/1344-23-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/1344-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2920-40-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2920-47-0x0000000000400000-0x0000000000401E00-memory.dmp

Filesize
7KB

Download
memory/2920-45-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2920-43-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2920-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-36-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2920-38-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2924-50-0x0000000000490000-0x00000000004F3000-memory.dmp

Filesize
396KB

Download
memory/2924-49-0x0000000000490000-0x00000000004F3000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads