f464e49900bfe2fb8f568a8906b78eeedc5f6582df6b15ec20ce4f7f94cace1a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 16:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
Size

1.0MB
MD5

40fb7c28b5bdfadae6b9ee40326b10bc
SHA1

a8ae2b8425d144eb7246c52517072f35330b697e
SHA256

f464e49900bfe2fb8f568a8906b78eeedc5f6582df6b15ec20ce4f7f94cace1a
SHA512

64de6f4565b641c0e746ec60e6ed92d462e63e46c453f583c389dfaea231a03b29f532dbba28b78517d2f6291451d6098e902244257a595bf9b36040657255cb
SSDEEP

24576:uXQKznLsKA4bTlV9vwSfeqsxC3oh4Rj5xrYIKsIq:QFTl7vyYUQ9Kq

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c8b-19.dat	acprotect
behavioral2/files/0x0007000000023c8a-23.dat	acprotect

Executes dropped EXE 11 IoCs

pid	Process
1700	IUB.EXE
4572	ashsvc.exe
1712	SVCHOSI.EXE
1300	COM2.EXE
824	SVCHOSI.EXE
4556	COM1.EXE
4380	ashsvc.exe
3488	IUB.EXE
2228	COM2.EXE
3536	IUB.EXE
1636	COM2.EXE

Loads dropped DLL 6 IoCs

pid	Process
4572	ashsvc.exe
4572	ashsvc.exe
4572	ashsvc.exe
4380	ashsvc.exe
4380	ashsvc.exe
4380	ashsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSix = "C:\\Windows\\System32\\SVCHOSI.EXE"	REG.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\2026\	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.exe	SVCHOSI.EXE
File opened for modification	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File created	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOSI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOSI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1716	REG.exe
1256	REG.exe
4268	REG.exe
540	REG.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4572	ashsvc.exe
4572	ashsvc.exe
4380	ashsvc.exe
4380	ashsvc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
1700	IUB.EXE
1712	SVCHOSI.EXE
1300	COM2.EXE
824	SVCHOSI.EXE
4556	COM1.EXE
3488	IUB.EXE
2228	COM2.EXE
3536	IUB.EXE
1636	COM2.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1700	2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	86
PID 2192 wrote to memory of 1700	2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	86
PID 2192 wrote to memory of 1700	2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	86
PID 1700 wrote to memory of 4572	1700	IUB.EXE	87
PID 1700 wrote to memory of 4572	1700	IUB.EXE	87
PID 1700 wrote to memory of 4572	1700	IUB.EXE	87
PID 1700 wrote to memory of 1712	1700	IUB.EXE	88
PID 1700 wrote to memory of 1712	1700	IUB.EXE	88
PID 1700 wrote to memory of 1712	1700	IUB.EXE	88
PID 2192 wrote to memory of 1300	2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	89
PID 2192 wrote to memory of 1300	2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	89
PID 2192 wrote to memory of 1300	2192	40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe	89
PID 1300 wrote to memory of 1256	1300	COM2.EXE	95
PID 1300 wrote to memory of 1256	1300	COM2.EXE	95
PID 1300 wrote to memory of 1256	1300	COM2.EXE	95
PID 1300 wrote to memory of 4268	1300	COM2.EXE	97
PID 1300 wrote to memory of 4268	1300	COM2.EXE	97
PID 1300 wrote to memory of 4268	1300	COM2.EXE	97
PID 1300 wrote to memory of 824	1300	COM2.EXE	98
PID 1300 wrote to memory of 824	1300	COM2.EXE	98
PID 1300 wrote to memory of 824	1300	COM2.EXE	98
PID 1700 wrote to memory of 4556	1700	IUB.EXE	100
PID 1700 wrote to memory of 4556	1700	IUB.EXE	100
PID 1700 wrote to memory of 4556	1700	IUB.EXE	100
PID 1300 wrote to memory of 540	1300	COM2.EXE	101
PID 1300 wrote to memory of 540	1300	COM2.EXE	101
PID 1300 wrote to memory of 540	1300	COM2.EXE	101
PID 1300 wrote to memory of 1716	1300	COM2.EXE	102
PID 1300 wrote to memory of 1716	1300	COM2.EXE	102
PID 1300 wrote to memory of 1716	1300	COM2.EXE	102
PID 1300 wrote to memory of 4380	1300	COM2.EXE	105
PID 1300 wrote to memory of 4380	1300	COM2.EXE	105
PID 1300 wrote to memory of 4380	1300	COM2.EXE	105
PID 1712 wrote to memory of 3488	1712	SVCHOSI.EXE	107
PID 1712 wrote to memory of 3488	1712	SVCHOSI.EXE	107
PID 1712 wrote to memory of 3488	1712	SVCHOSI.EXE	107
PID 1712 wrote to memory of 2228	1712	SVCHOSI.EXE	108
PID 1712 wrote to memory of 2228	1712	SVCHOSI.EXE	108
PID 1712 wrote to memory of 2228	1712	SVCHOSI.EXE	108
PID 1712 wrote to memory of 3536	1712	SVCHOSI.EXE	109
PID 1712 wrote to memory of 3536	1712	SVCHOSI.EXE	109
PID 1712 wrote to memory of 3536	1712	SVCHOSI.EXE	109
PID 1712 wrote to memory of 1636	1712	SVCHOSI.EXE	110
PID 1712 wrote to memory of 1636	1712	SVCHOSI.EXE	110
PID 1712 wrote to memory of 1636	1712	SVCHOSI.EXE	110

C:\Users\Admin\AppData\Local\Temp\40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40fb7c28b5bdfadae6b9ee40326b10bc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4572
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3488
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3536
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4556
- C:\COM2.EXE
  \\.\C:\COM2.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v NTLOADER REG_SZ /d "C:\COM2.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1256
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v WinSix /t REG_SZ /d "C:\Windows\System32\SVCHOSI.EXE"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4268
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:824
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:540
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1716
- - C:\Windows\SysWOW64\2026\2045\ashsvc.exe
    C:\Windows\System32\2026\2045\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\COM2.EXE

Filesize
1.0MB

MD5
f9f8495d41549f43f30bff1a0bdf76f9

SHA1
a23dcfa68a6252308a438f0ddb132390b8152917

SHA256
4e60ff5a1bbaf9a445b5ab8a9cc6130cf1dfc9112284693ced52ca507cb3804f

SHA512
3be927432eeba96dc3a383adb0521464260f8eb5484be818ab82205f4c6b476186635f23ea6234658bba27eed8c2fffca6e4b6c7d16303adcbf442f76d72601f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE

Filesize
1.0MB

MD5
5c306dbc021a4721ed44686130b40283

SHA1
7fde23db1bc3b03abcfc601ea413c7203de51876

SHA256
d05b5b9b48459a019c13352345851e312f3961f3466075e91b91ef4d46bac6bd

SHA512
1bebf581838e6cf9f49a97368ecac5a014a983f8204a92ec753502f21b4435e56b1a48c83a9698a9e22f685da8d58d4c6c43e90b74c6abf8d250ae496448a848

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
1.0MB

MD5
728f4d433da8e3caa63eb8b4fd37084a

SHA1
af85b2d295dd3d849673b229ac57d4f8a13be2a3

SHA256
dcf3ab3757a855adcb7fadfd3a848295f0c723f6f2be7a311966b049df47623a

SHA512
aa043529479617c434436fdfdff07384ab31b923d697d9475769e25b45863d81512d09aff3c48a6f41d630af8464e77a834d532ff6f8a93583870881a79ba3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\LIBEAY32.dll

Filesize
494KB

MD5
198d065bd0714482011917307c9ebf46

SHA1
b834c8a5396e59b0fd051dda8849cf9b999aa625

SHA256
acee024120921b1f406d6d7f6d5facf054083ab55993ce4c1ba5ebd6595c7e43

SHA512
489d38aee5d95a9611aff4b170113250d1608e9dc3f496f73018e9980de91f30e58edec0e37d4468f093867d5848044136b0934ee35345daa5a63c73b3e96120

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe

Filesize
125KB

MD5
b33db6ac948c4b6e8d0e5c082b9a303a

SHA1
261fd70fb578503c770d0aaccc4fb861cf9ce7fe

SHA256
b50406caf4b61ca379c6408631d4916f33b87efd3d5f23fb9a7433dd4ff78121

SHA512
24123ecb50205122dbaf595822a5165e2eb370c78bea45122ef1af95c128ced2f1834a5e3d301047bf62bf104cf7038e8e47fa5b926c28f4b29406cdfac17045

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ssleay32.dll

Filesize
117KB

MD5
c1afdf88451258af208c2eaf90a3e074

SHA1
cc3473b7949e631c4ca0bec21d9430e34e310f2f

SHA256
295331b60026555ea5f27f0e87d5b9d90a5c5fedb656c945d80a3470d4851cc8

SHA512
768330c2bc3ec9ac6803532d833200569442fc5d95193562d8811695b649400eba2ea8166d4f7806a7d9bf6ffbd80c74983f5d05d6698b8f877796f542913609

Download Submit
C:\Windows\SysWOW64\SVCHOSI.EXE

Filesize
1.0MB

MD5
bf035e66ac67eba0cb0ffe1bf577fa06

SHA1
451973f2accb493ed85a9d79e9b7795704ce9ac1

SHA256
b5060713b90d436f5b65c1aef0de0f8c740e10015761b82eee7fe8e32906dcf2

SHA512
b05d6048b63c5d85c562bcc76cc95f14af2d21007c4129ebf8a0ca144f836c9bb3675e2095789f981e1001e52855927bba6a1765d5cac4cdce59b59c0343805e

Download Submit
memory/824-61-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1300-54-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1300-45-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1300-95-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1636-149-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1700-7-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1700-24-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1700-96-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1712-39-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1712-51-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2192-0-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2192-55-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2192-10-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2228-117-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3488-109-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3536-141-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4380-93-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4380-88-0x0000000000700000-0x000000000074B000-memory.dmp

Filesize
300KB

Download
memory/4380-94-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4380-89-0x0000000000700000-0x000000000074B000-memory.dmp

Filesize
300KB

Download
memory/4380-85-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4556-72-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4556-65-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4572-30-0x00000000006B0000-0x00000000006FB000-memory.dmp

Filesize
300KB

Download
memory/4572-31-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4572-32-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4572-25-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4572-26-0x00000000006B0000-0x00000000006FB000-memory.dmp

Filesize
300KB

Download
memory/4572-18-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download