Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 12:13
Behavioral task behavioral1
- Sample: 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe
- Size: 21KB
- MD5: 3fcae5bd4f03a2505ea9218963dceb50
- SHA1: 3e5053ef2d3dd1f4e8beb7abcaf9d8b57392ba7d
- SHA256: 5a2c8da0d1b8f960a6b91004ddb0b0603c29fecffa6bf79261f0f9a6b57ae479
- SHA512: c26445c6f2d041af61b927144911722cecf29f9b139d8d24ad1142d6782b93610e4157d2344cc082686d137e54d6a42b7a9a5e6d9b633282882cd2dd3db4c1e7
- SSDEEP: 384:5rzTbrtaQd24tGvycwaO5PDWBeOWpeTYwxHo:tnbrcQZtG6czOJUey
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 4 IoCs)
All by process 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\windowsstone55.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\windowsstone55.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explore = "C:\\Windows\\system32\\windows55.exe", by process 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops autorun.inf file (1 TTPs, 54 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Each path below was both created ("File created") and opened for modification ("File opened for modification"), two IoCs per path, by process 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe:
- C:\autorun.inf
- C:\Windows\SysWOW64\autorun.inf
- D:\autorun.inf
- F:\autorun.inf
- \??\A:\autorun.inf
- \??\B:\autorun.inf
- \??\E:\autorun.inf
- \??\G:\autorun.inf
- \??\H:\autorun.inf
- \??\I:\autorun.inf
- \??\J:\autorun.inf
- \??\K:\autorun.inf
- \??\L:\autorun.inf
- \??\M:\autorun.inf
- \??\N:\autorun.inf
- \??\O:\autorun.inf
- \??\P:\autorun.inf
- \??\Q:\autorun.inf
- \??\R:\autorun.inf
- \??\S:\autorun.inf
- \??\T:\autorun.inf
- \??\U:\autorun.inf
- \??\V:\autorun.inf
- \??\W:\autorun.inf
- \??\X:\autorun.inf
- \??\Y:\autorun.inf
- \??\Z:\autorun.inf
Drops file in System32 directory (5 IoCs)
All by process 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe:
- File created: C:\Windows\SysWOW64\autorun.inf
- File created: C:\Windows\SysWOW64\windows55.exe
- File opened for modification: C:\Windows\SysWOW64\windows55.exe
- File created: C:\Windows\SysWOW64\windowsstone55.exe
- File opened for modification: C:\Windows\SysWOW64\autorun.inf
YARA rule matches (resource: yara_rule)
- behavioral1/memory/2324-0-0x0000000000400000-0x0000000000413000-memory.dmp: upx
- behavioral1/files/0x000500000001967f-37.dat: upx
- behavioral1/memory/2324-92-0x0000000000400000-0x0000000000413000-memory.dmp: upx
- behavioral1/memory/2324-93-0x0000000000400000-0x0000000000413000-memory.dmp: upx
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
- 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe
- cmd.exe
- cmd.exe
- net.exe
- net1.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 2324: 3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Each of the four events below is recorded four times in the log (procid_target in brackets):
- PID 2324 (3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe) wrote to memory of 1800 [31]
- PID 2324 (3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe) wrote to memory of 2484 [32]
- PID 1800 (cmd.exe) wrote to memory of 2952 [35]
- PID 2952 (net.exe) wrote to memory of 2412 [36]
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe (PID 2324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fcae5bd4f03a2505ea9218963dceb50_JaffaCakes118.exe"
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe (PID 1800)
    Command line: cmd.exe /c net stop sharedaccess
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\net.exe (PID 2952)
      Command line: net stop sharedaccess
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\net1.exe (PID 2412)
        Command line: C:\Windows\system32\net1 stop sharedaccess
        - System Location Discovery: System Language Discovery
  Level 2: C:\Windows\SysWOW64\cmd.exe (PID 2484)
    Command line: cmd.exe /c del /f /s /q /a f:\*.gho
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Downloads
- Filesize: 76B
  MD5: ebf1b1977ebcaf26a56eaaf577d2ca3a
  SHA1: a788c720b29e4997935697dcb8275d2f505caf3f
  SHA256: c4501c4c5f0239bc2ecb0de63228dbfbc700d5d79c1ec0fa0494230d67a707db
  SHA512: 317eba867a788453d0013f3246a172b02e67d192731d4532abfeca80f6d5017020134550f72830964cede1da7e45f38629e61c543c76bd8ff485c9679da76b8a
- Filesize: 40KB
  MD5: 524240c2337b9558e29b904ec6038246
  SHA1: c84d945c53170b621cf77e8d94536d7640ab04bc
  SHA256: fba8dda4e89357e2dea07355e4184048d0cb8746049b2d305dd6e7484eb77ab6
  SHA512: 8456f24bd0a441f7c643f246fe06d5da22f35ae032e13a73afb6aac1aef1d6d20618314a73fab6e699bf455e0cb02a65660a072da9f3f286709bc68a61be63a4
- Filesize: 21KB (same hashes as the submitted sample)
  MD5: 3fcae5bd4f03a2505ea9218963dceb50
  SHA1: 3e5053ef2d3dd1f4e8beb7abcaf9d8b57392ba7d
  SHA256: 5a2c8da0d1b8f960a6b91004ddb0b0603c29fecffa6bf79261f0f9a6b57ae479
  SHA512: c26445c6f2d041af61b927144911722cecf29f9b139d8d24ad1142d6782b93610e4157d2344cc082686d137e54d6a42b7a9a5e6d9b633282882cd2dd3db4c1e7