09cbfc78aa9e65cb330dc38dbc13052d5b252d03338c5acae6a74ad92ba3c467

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Size

2.4MB
MD5

425b8277b037c52ded09254e68a95446
SHA1

976a8ac6e6a10bb7c92e6de35a4b81261c61c77a
SHA256

09cbfc78aa9e65cb330dc38dbc13052d5b252d03338c5acae6a74ad92ba3c467
SHA512

e7c8350997715a64afdd310c2dd7b6495093a5391441b239b869a69386838af8e745eb109105ef6f0e2e2964ef81d8eb8d2afe0e06a99ab59a5916b2f268b5ef
SSDEEP

49152:ZkwKwLbmQbzizMYt7qLaeIUz8KOLuoodGhRpCHXh/xldDQH1LxGDwPoZM:ZkLwnzbmzMYAV185qRHXldsGDwPoZM

Score

10^/10

discovery evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\host_new	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\host_new	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\J:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\Q:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\S:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\T:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\U:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\I:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\K:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\M:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\N:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\P:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\W:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\L:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\O:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\X:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\Z:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\E:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\G:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\R:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\V:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
File opened (read-only)	\??\Y:	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-1-0x0000000013140000-0x000000001373E000-memory.dmp	upx
behavioral1/memory/1996-2-0x0000000013140000-0x00000000139A3000-memory.dmp	upx
behavioral1/memory/1996-238-0x0000000013140000-0x000000001373E000-memory.dmp	upx
behavioral1/memory/1996-239-0x0000000013140000-0x00000000139A3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IIL = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\ltTST = "44785"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	425b8277b037c52ded09254e68a95446_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\425b8277b037c52ded09254e68a95446_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\425b8277b037c52ded09254e68a95446_JaffaCakes118.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MSHAIS\MSPYKWSXUXS.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
977B

MD5
53316bc0c42b9d65743709021f1d03c7

SHA1
44cfe377bf7fedee2ce8f888cfacefd283e924e6

SHA256
600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

SHA512
9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Download Submit
memory/1996-0-0x0000000001C60000-0x0000000001EAD000-memory.dmp

Filesize
2.3MB

Download
memory/1996-1-0x0000000013140000-0x000000001373E000-memory.dmp

Filesize
6.0MB

Download
memory/1996-2-0x0000000013140000-0x00000000139A3000-memory.dmp

Filesize
8.4MB

Download
memory/1996-238-0x0000000013140000-0x000000001373E000-memory.dmp

Filesize
6.0MB

Download
memory/1996-239-0x0000000013140000-0x00000000139A3000-memory.dmp

Filesize
8.4MB

Download