614ccc380536b90b5c256b6934747483544f80681a4b1f0a7b05962f0251e016

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
Size

474KB
MD5

4511ee3b4e5d8150c035a140dfba72c0
SHA1

6a173ea0a4f37cdab59978feb1224f2d652c16a7
SHA256

614ccc380536b90b5c256b6934747483544f80681a4b1f0a7b05962f0251e016
SHA512

dceace1fd9f43ac5d66db22eecdd246dc5a61ba67b6eecb0ee291c8abafc6209adc3d3ac06930fcaacfc167715416d32477bf07dba651982aaec9118b840c711
SSDEEP

12288:gaS8/3dZWDEIsqaRjJHvrdBswIf4KX5yxlt:jSWdZWIOalhjdG+KX5yDt

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\npf.sys	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2428	npf_mgm.exe
2176	daemon_mgm.exe
2912	NetMonInstaller.exe

Loads dropped DLL 15 IoCs

pid	Process
2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
2428	npf_mgm.exe
2428	npf_mgm.exe
2428	npf_mgm.exe
2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
2176	daemon_mgm.exe
2176	daemon_mgm.exe
2176	daemon_mgm.exe
2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
2912	NetMonInstaller.exe
2912	NetMonInstaller.exe
2912	NetMonInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\packet.dll	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wanpacket.dll	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wpcap.dll	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pthreadVC.dll	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2224-50-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2224-114-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2224-143-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WinPcap\npf_mgm.exe	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinPcap\daemon_mgm.exe	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinPcap\rpcapd.exe	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinPcap\NetMonInstaller.exe	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinPcap\Uninstall.exe	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinPcap\Uninstall.exe	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES (X86)\WINPCAP\INSTALL.LOG	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	NetMonInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npf_mgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daemon_mgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetMonInstaller.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2912	NetMonInstaller.exe
Token: SeRestorePrivilege	2912	NetMonInstaller.exe
Token: SeRestorePrivilege	2912	NetMonInstaller.exe
Token: SeRestorePrivilege	2912	NetMonInstaller.exe
Token: SeRestorePrivilege	2912	NetMonInstaller.exe
Token: SeRestorePrivilege	2912	NetMonInstaller.exe
Token: SeRestorePrivilege	2912	NetMonInstaller.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2428	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2176	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35
PID 2224 wrote to memory of 2912	2224	4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files (x86)\WinPcap\npf_mgm.exe
  "C:\Program Files (x86)\WinPcap\npf_mgm.exe" -r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Program Files (x86)\WinPcap\daemon_mgm.exe
  "C:\Program Files (x86)\WinPcap\daemon_mgm.exe" -r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Program Files (x86)\WinPcap\NetMonInstaller.exe
  "C:\Program Files (x86)\WinPcap\NetMonInstaller.exe" i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinPcap\Uninstall.exe

Filesize
194KB

MD5
62da2c201bc09a55c97c46f0ad73c28a

SHA1
adbdd63ff66fada5d91836caf1f62b992953964f

SHA256
dc870b8ade874c66d009553139eeeb07087c4a1f2e7125a140b048e349822e4b

SHA512
157bade77af45e414a1ef3e6d0887c28be3e5bdb3e191405759f6bde1585be3e69e254861c39fa530e66b825ebdeb5b31fa3c8e9804750543e37cb57b53f9341

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\db.pdb

Filesize
4KB

MD5
b017bf2d5f6215a4a410612698696b55

SHA1
c4d2696dde659ca05a34ef0670277933e436f647

SHA256
ca68951c3479e6f8f6e8f5336a0d61a2c2d2c6f2b47f88eb6025788cd2f943c7

SHA512
f962b72b6cb38143396d0a4b2c87ed7ebd9024dcd272535e48d084f3b97f4827c9bd87f6c92ac0a09771915ab5a8bb784ac4de4fee1cd89dc89a62dc9b710593

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\lng\Enu.lng

Filesize
5KB

MD5
60f475862cf4363904975df475353bb4

SHA1
7a3dbc3ab2d7bc3f278b27e91834b5f309db316e

SHA256
2cf57a46d77808d30ccdfe6d67801119c6cc812f0fba02d9689a91f33399a427

SHA512
ebbb9dc923424cfc194ac198fbc1aa15f20e1ce2543c5c281f627980ede4d8ce7fa5eea34b33ac66d9613048a55f44df17877933947ea71fe42b1e8a74a39ecd

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\main.pdb

Filesize
954B

MD5
c022fbd0770324683d199e601c1c82a6

SHA1
72dd84380abfe5bbf9f37013a057cffb9a50c65e

SHA256
255e046fac69584eae5b6ce8a99b379f368cc8f28cb2e4ad84bbd35d64e6cd53

SHA512
53a92a6936ebac16276fbb4cbd3b8dcfe75ff0aa3c2f78a4f8c12f1ae1e73c2f8880e2d64c791dc5702025d1f9b19dc3925d909a2a46f0a9d6a3e67396d5520f

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\plugins\0\lng\Enu.lng

Filesize
4KB

MD5
ac4c7d9da804065ce25541ccfe5c9296

SHA1
4fdd65221399ad4a3eba47be8bb7d3e9a37501bd

SHA256
94ed93684eca3c16b957e34e3937c3eae52d3275c8bfe3d2d845583c2bec152b

SHA512
6ad24a1049f04b7651c611a9d53205bc7a24ba70431870edf56b38240acf53872135bc8bbb61d897fed06fc0ea7666aafb3418ddfc3197549ee9c98bf889a9b9

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\presetup.bmp

Filesize
13KB

MD5
65668961b4585f1564eb5bbf3b40dcde

SHA1
8966cd3903c4ba85dc3855f3c26ff720e3bbb369

SHA256
4600e337e68cdcf786b193e3d28ea5934576f8b7b3bee6241177eca56c6cea4d

SHA512
a4829c7ba8e4ed17c9b590bcfc96320b6b69e4189f4b928d0a694a82a7a0c9a9436f7bf588ab17e6b451c7b7572505f18e837787a1cbebd8f45fa3b9f4306de1

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\presetup.rgn

Filesize
1KB

MD5
172eeccf4687e172e12a1b4ad3023e9f

SHA1
2b74254b4426b38932748aae109ddd1635ee7261

SHA256
cc0b0c69fb12cba8230c363bf63809ac1b8c8695a533446c87c86d9f8643c8c7

SHA512
ffb640adc81bcdcb45a6cd9e95a96c45e49fbf75ff7c785dc79623adf2c9a54930e3437c1f48b537d271b3b63ce5c1cc7e3f90709afb334d2acab3751cc69815

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\presetup\license.txt

Filesize
1KB

MD5
3ec0cb60ee5c909909e1f5ad2b5daf5d

SHA1
f59c49d53243a3bf75e239f813b7f61bc26ff113

SHA256
4d50e52e2a23d990c784aacb2711ff2a32b3d37bac41ce2517baba65660d5a87

SHA512
e7139d99fa6aebd19d57928f59657d97e4b9d3c37c699c248e9593e69d25734718f7d82218d829c6d1d626ba01a663e4c455741e97e8d72a6295a3ad97b48164

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\presetup\readme.txt

Filesize
243B

MD5
f8d14b853290c277b304f2a5bb96eb5b

SHA1
d019aff6ef439d295ba0c69c2db71378c1903986

SHA256
1cb901948589399f3f1abd017640e32479b799f99865b49936f5990d5ad4c040

SHA512
16a73aecd2b877f8e31554752332d8ea352f2bd264f78690cfbac51b674dc0cb8629f4fbad05df1fc75280521c65b238d41e402d249785e234a0ad036b6d76f1

Download Submit
C:\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\splash.bmp

Filesize
133KB

MD5
b04877cefe4914731fb49225f3b662b5

SHA1
e5c47f08efff81baf7f3dde1797c2528861e1c29

SHA256
9009f56f3e511c795bc10e9bdd7eaaa8c00866650ed310eb362097700f63b9b4

SHA512
12d2d20bcbb0db117eb97785c7e599923bba383ba620aa5b6982462c9a446a3d563348861d43d78b62702d5390eaee0601b0587be5c1e87d6fd0d99aca334314

Download Submit
\Program Files (x86)\WinPcap\NetMonInstaller.exe

Filesize
6KB

MD5
87c1716cf63a2522e8d1fc123a1dd9df

SHA1
4f56f480ba5019fb32ad26a3e269c789d2247bad

SHA256
b46861813e57f52d36bdfdaf2c4625f143720dcda5b63b79b24d13feb9d432b0

SHA512
b56791e6d793a6442ed6e10a7f8c7690c2bf47fda705fa33415ed177a059ebb4a812ccd394a51c5dffb2881cf6aad8be33ddbcb498043fc1780266acc235bacf

Download Submit
\Program Files (x86)\WinPcap\daemon_mgm.exe

Filesize
48KB

MD5
5df2055815aa72ac84e0fe4466f8b295

SHA1
0e473d63678c336c1589d0b6da4a4b9fcb0ae308

SHA256
2093374f712a3642238e4da4838c58967a9225f95710f10c906ea378fa2d146c

SHA512
9dcae70c89870e6caa8023041a7d2eb5b993ed284dd9ec0722266e48ec49473a4c46dcceb5367ffccb962fe916d568ddec4fe0b633041973ea1c36d5ec161e30

Download Submit
\Program Files (x86)\WinPcap\npf_mgm.exe

Filesize
48KB

MD5
07382671a64e2b63638aa8ea93390c82

SHA1
abb529cd04882c9a089921edc6c3b17e77ee6515

SHA256
81923a54de9f9ee58c9d657bacf3e32e9532f84ce9f6b0dc5beb0371a93da671

SHA512
96957c5d63f2a55a980eab4c71a4327c2db898dca34d71e683849ab0f459506a1ff71222e60380cb3cfd55babe954585c36e8e1826434ea463a24f524ecbb410

Download Submit
\Temp\1MR0BSGA\4511ee3b4e5d8150c035a140dfba72c0_JaffaCakes118\plugins\0\StdUI.dll

Filesize
147KB

MD5
0ef0df3c28f135fa78eb9dfcf1b0499e

SHA1
ca21f49137267b3edc8f5aae86bec80f43cd4890

SHA256
8d987a52990bf4ea755240b7a1ea7f73a16b1fd67f3e91fc21e87a4f7d443546

SHA512
26bd1e5b0996a6b653b5456e361fa373b0b0505536bb9b8095b1f1389b244810aa51513be2af1585408a0f151db2cadbb65abc02e64b8ca5e8b2e6c5d502746b

Download Submit
\Temp\1MR0BSGA\unpack.dll

Filesize
34KB

MD5
97bb07c04a2f3a0dace5aff04d305455

SHA1
2a966dfb6463a5c26ffb3a247dc9281bb57d25cf

SHA256
2adc86ef09b5aea46bc3ee88d1740760b3ce6ae5fa92fb6eceb6efc1e6c942d9

SHA512
9b00d6c26dfa946b78f73192c78edd6ae6027c377406f8e57089db8426b9664c972c77eb5b998430d9ab99c750b47d8e18203b737afcedec9a9dd09404c07c9f

Download Submit
memory/2224-51-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/2224-53-0x0000000002A40000-0x0000000002A69000-memory.dmp

Filesize
164KB

Download
memory/2224-115-0x0000000002A40000-0x0000000002A69000-memory.dmp

Filesize
164KB

Download
memory/2224-50-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2224-114-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2224-143-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2224-46-0x0000000002A40000-0x0000000002A69000-memory.dmp

Filesize
164KB

Download
memory/2224-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2224-1-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download