b9e3dc99da606e2145d07b737a7fe111e6311d7cc312baa11aec54353c648970

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
Size

598KB
MD5

3edbc62f72e4d7d679a77bf30f85ecf2
SHA1

2496b313b05f96d0f729025d6254973b7b0c74e0
SHA256

b9e3dc99da606e2145d07b737a7fe111e6311d7cc312baa11aec54353c648970
SHA512

ea7561d76217685b19a2a4d3459d1338f40a34c8d689afd918a3d706292d95fea5585c13d57551fe0b16daaa32451e489fbb60b8b11b18d2546b9605d03be6a5
SSDEEP

12288:CJKJJr6hlaU5LoAV1ltqzBRBsuNKVvCR6jVWTg:C4b+Df5T6sBCR6jEg

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	cmstp.exe

Loads dropped DLL 8 IoCs

pid	Process
2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
2772	cmstp.exe
2772	cmstp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2772	2764	3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31
PID 2772 wrote to memory of 2068	2772	cmstp.exe	31

C:\Users\Admin\AppData\Local\Temp\3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3edbc62f72e4d7d679a77bf30f85ecf2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.\cmstp.exe TomilVPN.inf
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\system32\cmstp.exe" "C:\Users\Admin\AppData\Local\Temp\{131FC522-3509-464D-93C5-C7FFDD7AF08A}\TomilVPN.inf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TomilVPN.bmp

Filesize
136KB

MD5
2c9cfecedc6f0dd43660f853c119029d

SHA1
abd92e358815c5446f8693aad0243a4a72839129

SHA256
1c99d0689ef905978c3b505371bc89d4427a2c37e660ce0f9361e81982b1387f

SHA512
6b758eeda5de31a3e7ebb8ccad2b6ff3d6a858f69d784629beeb090118ba905d334fb254808b9dc499a90e8dc009993c0223e5d726628c5f82301238f839fe34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TomilVPN.cmp

Filesize
84B

MD5
9d1b0d6ca28ddfcb2cbcdb5408c176b6

SHA1
a2e01ad5e7797cf4909a5c8698a64da47263298b

SHA256
12b0aa1eea9b251f649f706b1370652e7f791aa92e8eff876e69f0bdcac01acf

SHA512
ead51a88826b971d003e63b6e1aefc9e7f8cecd824df0c2274d197b5e75649733d449186478f5566885233a5195e591759fbbd030ddf7875bbf81ddd971445b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TomilVPN.cms

Filesize
2KB

MD5
53301299970929fe83fc34d5d0a6c03d

SHA1
fa1a9becda0d9276932e1aaa0d93994ffe92772c

SHA256
e746236d7df151d00696baf2b6922c5789130077f1b79e70bcc0da092bbe4104

SHA512
13ecb1a9cf982742564bab6ef04b0de8dc94037a168b0689a36c0315c37c8ce3c089b0dab49e951f74832173b11edb7f8218de79632cac198428c5be3a57a950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TomilVPN.inf

Filesize
10KB

MD5
9b1ce7f4f7ae46f7dab37f01da787a5e

SHA1
dceb17bcd1260e554c996bab4f44d2da88d990ba

SHA256
67f16fb250e76335f47afdfe6265b07e7cf8ca50433ee579d50d2ea531f58aa2

SHA512
b42e7f515babc50b22e40a9a350a72ba00652fa3c71ed8fc52a68b7fd4de4b3ee3d57c67376f6a294410af4fa7c015e0da3d7c5972b8b9e830a672df2dbb5fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccfg95.dll

Filesize
32KB

MD5
09c08dce00f7030b1dbe75d8b91e88ba

SHA1
af82755c33fab1a6f9bb75349835dbd4d00cf0cc

SHA256
e240081e5ada85fdf47140609162739567f91799b059934b2eb53ee171d9bea8

SHA512
b3cb915f1e1e307c8179a62910949323836a3ffb1542ab6c5935a0ca74d48bf9afcc06e499cf3f718a7df920a58af40588233ad4cf78fc715ace1241bc3f4eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmbins.exe

Filesize
334KB

MD5
0138319822e10c11502ac172426da562

SHA1
a845a4c4fb97fa57749e23eec6f59b7e28616d95

SHA256
80b140427085fc8adda2d78e437ecbad83f9d89bd9f18459153b5509a29b58df

SHA512
310096201dcb07315e9fce125c3e103d59ff0c144f613b07e6da2b59e30797d102121364ae0e0fb0fbaa430192e32ca3bdbfb384aeb85e22cbafd358666b2041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmexcept.cat

Filesize
12KB

MD5
64384ab225c611ce28acafcc570d955a

SHA1
89d83c2060f12794ee5f37932c590a8933e1ba95

SHA256
47f8afa43ca647a010059e73670806922d14ea820bc39c624ca02c32d73d8fa9

SHA512
bf095131f8ccfedda3b4b74eaf2e926d1bb2266c3d1e31d81f5fcf9e76b85199291c1204a08b97f42f85bd5be7f10aa461ce65a6c1025185ddb31e2561e4a16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmutoa.dll

Filesize
58KB

MD5
f7f735534c3837c32bcadbdd7ce6ff02

SHA1
bb12ac505528d03d4466a0a73301b745cca9b0d4

SHA256
b6ee08a318ba6403e1fa68ad213de8f4a71f98fb2415bc3d219b269d46984485

SHA512
7fe0709deb289582c9e9fddcb6d415dfdee14bccd5ffe518b13d093066716361d20dc440485f5f0f1f017a4f0b01e39f98d0bf9226ff23c39d3a002ff7a1b803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnet16.dll

Filesize
43KB

MD5
44a5e0fa7297f4e82a2f03d0a0081787

SHA1
33c2a5e9c6eecaef8d3b505e7efe6b56b4fe7d0b

SHA256
97222019e8084a15938eb60b653e3552012f3229a53e732820f06612d064e281

SHA512
b36712e9dfc0dafc9ce7a9b8c6a73e460aec90f46dc6012211771d829004c7f84635d44133ba8eccca64f92ec462071f2ef0f93853ae39ec8008bfb168b78ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ico32x32.ico

Filesize
4KB

MD5
98da4226fb4578abaa904d2094fc9ad7

SHA1
c15a411242a383bcd0528825eca59e944cc5c7db

SHA256
a02be73866dca1cda67d87054bb52366b455fdad85cf619bb29d3021d768d374

SHA512
88bd2e960b6e7448fe793a7035893cff9700f3c05ac698370c3ec005bca0367a69485eeefcb29e5bcb6a9a3de49b620e299976ff65672823fcfd8d14d948d44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\instcm.inf

Filesize
3KB

MD5
09a3e486f9d08c8c2267efe1ce1092c6

SHA1
b2f0bd469b099cd224dccfae2092994c9dbe20a1

SHA256
45edb55ddcf0d8ff687bce8a9402d5191dbe2f8199380af65544284f11e5eb75

SHA512
d820639ef2163fbcf9f78fefb3696e531fe3f2ea6c6cd732cb661911f05f997c15fb31827dfa2a7bd2873e9766af7343e6c73073432ff406f2c8ced2659728f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf16.dll

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
122KB

MD5
7bf35ccd4401e7be5d967c536cc1c421

SHA1
326665ef56626cf3f3dcbacd1b91dd0f8a410ed5

SHA256
4abb49c3227ebde1ae3e8f2d874c1f50bd6e95be55e622334ed98f02762ce24e

SHA512
3aaba8420a6231586be6ab4f9462be777b718cb7855e37343b629a02ff468ba0a9e1f26a01dfbb87977f6c358fe40de671b993fda41e66d3e32e71e865621b45

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
70KB

MD5
184b4ca9293214c64f65478e5992b57b

SHA1
9ecc414607d95ec73c42603dfb56428b39782cb3

SHA256
ceb488cc4b103f456734c225e33dd2d07a954027e88976757adbc270fc06ab9a

SHA512
432970b7bb4365d7faa3472174df58939bb2896793e1ca677238e4d5eba803e2397c2b35c57d5ab8c4ccd9e485a467fa63ff55dab2b91df843128ce426476a2a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

Filesize
4KB

MD5
cf573ee760df99a8d379be65ea00c0fa

SHA1
c69590d51649c898dff00d7b662b412b18749646

SHA256
22953e6a1d8cc168be377e8ba5c7e29cb4d400e202c35836b527f6b877467852

SHA512
38efdd617977ed8fb8e2f144ed9364285416054ce87631036b9a7299cf7178f1f947cee4835114f3157a088603d2d12b567c2997399194a07587e767784ccf34

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads