Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 18:48

General

  • Target

    496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    496f1defa92daf684818e5d161c71e8b

  • SHA1

    de21e1d8c5645f4550f09d11295b81293164a0f1

  • SHA256

    745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36

  • SHA512

    805a88a93ddd3b4dc9bafaebf91723a7db70302007b8603a33c6cdea4f769ca15f62c84a689fef131be73fe15984491bc434e6a8a1d51839a441bf9a933a50fc

  • SSDEEP

    12288:qa11Gr3+pfNixGTdIkIxJIEo3gMH70mVogKp4tQ3BfS6oN+qESVBx7neivjX/I:qWixGpuIEow7WG4tQxa6ojxvnei7

Malware Config

Signatures

  • Modifies security service 2 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks registry for disk virtualization 3 TTPs 1 IoCs

    Detecting virtualization disks is often done to detect sandboxing environments.

  • Drops desktop.ini file(s) 5 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 32 IoCs
  • Suspicious use of SetThreadContext 25 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 4 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 41 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 30 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
      PID:268
    • C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2696
      • \??\globalroot\systemroot\system32\usеrinit.exe
        /install
        2⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\system32\svchost.exe
          "C:\Windows\system32\svchost.exe"
          3⤵
          • Modifies security service
          • Windows security bypass
          • Modifies system executable filetype association
          • Checks registry for disk virtualization
          • Enumerates connected drives
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of SetThreadContext
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.exbilling.com/get/product.php?id=intsec&advert=131087&extern=0&lang=EN
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2292
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:552
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      1⤵
        PID:2512
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
        1⤵
          PID:592

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                e04df4d0e3a2822ef8080f38c0ab2b37

                SHA1

                7413938e2481805fbcf0d5e59cb2c483cf36abe8

                SHA256

                953e62a81391a16d74301704e2b48abacf7caf7331f6544574604f0e55866945

                SHA512

                f1d142e81457b7d3e44573db89decb80fd873a58b7e21ef4f254ed9d2bff31d9b071fbd806e7535f0c66fc36c27a300f8c81c3f77c30ab772f73843365c097c0

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                ae3bc922b706d88d7dd0676329dc7ab2

                SHA1

                19b546ddc19f69bf0447065c0e8b773adcbcfb0e

                SHA256

                e3bfa9fdfb7d893928182bc85a1442fb93e725a8d94b65dea3a1b1c23d108bd7

                SHA512

                bd454c87115b8a6730630bf87be0fd5736b1e26b5e51141d7371eeda8c7820e00403b149ae77a52196eed731df2a37a23324858828a9dfdd36ada2aa18cd2f95

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                996fd57d8c1f15ffeaf6b11dd539996f

                SHA1

                a8d4e909c53a6309be2a46b0b7f29f804a65b4c2

                SHA256

                8804cf908633976ba8bbd8a3a957e0500edfef80f9b276a104f235fd90d000a7

                SHA512

                3685d260315066738f54b6ebce7417e573271a1fbfca48fc120dfd1de6e151a505b7e1a98d72acbf4643e66e0b2c2ee58caba6903364a5aea3a718c24f23ca89

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                5a0c34b7800455ce71c024106690779f

                SHA1

                81c013616d2a5940597fe5bb959ea3f06188889e

                SHA256

                505cde7fc413a7bcbfec990a8dbacd4c6bd54caefa5007570085128db68e774b

                SHA512

                76f3078855daaae909e866a400740fc2af14c099311f263af03e4932280acccbdcf6a7b211b85b30cda9d52380cfb6f4b86c50993b6091f245440e962df1e594

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                72cf8a79616709a415d151d48919a386

                SHA1

                4c49ed10900806d51c0d33bd4b84da5b7dd2606a

                SHA256

                0922d6c7f9e7597ca3489db9814b2a148fab453c1e1996b419ec1d98c39cfcd8

                SHA512

                3051b069b1db76ce923c92ae845da32693286c5bf968af625e96dcbafb0b0c12855ce3aa72c630f23eabdb4c6edd7f2a434f1f57013eac6829ba9c8d05ce1ab0

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                31d423e32c90515547e3437f04fb075b

                SHA1

                8576b0ecaf0490f29761578d5f804fa3385510ac

                SHA256

                48be57868dd26e259c87a3e0af1105ab3565a32183d62c9ab138d6e4ac701a90

                SHA512

                8fbed755dd6882e6110ed50b2cae5d50af519d6dea2f82a34517faa92c2c758e697e7e84ebdf872feae34d55830b951a72dc362e9632d9c6478a63aba80ede33

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                332764916617e1b7d9cd5cdfc98c87a0

                SHA1

                b0ec320bafebfb3294ca8da3bda286288a416581

                SHA256

                c3d13dd2c97e78b9ef462b42109df797dbdb0fa43072437d52f8a150d7668159

                SHA512

                c5d4ea431e573e466c79686fbc81015d9f1971ef6c1046b4adca94464eca9c540571197bf52b7939b06744c108156db00ee56f725ca66d0729070d5d446125ff

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                42b06110edf22de7faa46c9fc55ee57e

                SHA1

                7d1f8a661eed9b00fc5202ccba85e32b49f69fe5

                SHA256

                117b60e0b0ccac0255e34bfdf4da193c02b921f71e908d672dfd045951eafe46

                SHA512

                bf3d2d7457b3a9ada630f6106e6206d7f54209a7a93b1fba1662e90eb1e055ebf7f7cf9aa1cd2ecfbdff2bc717076cb94640310c4bfdcb405a21d24a6c3a51c6

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                a642a9b802b09c5735db1b6f59dfb06b

                SHA1

                a36ac43267b27a3cab1f73bb7950753108268807

                SHA256

                8ca4be3647c2d25fe0b718b6dc28c2660187fdad03d1d7ebd4a1896ab8e74284

                SHA512

                f43b20d7fc5e160abf1ff2f4829bc1f9af5caaf871c2af6e849be25d3e51bfd0f042307c3d2da488c3dc02244937adcc3d54737b11442f02fbe2cf3981e8e993

              • C:\Users\Admin\AppData\Local\Temp\CabC63F.tmp

                Filesize

                70KB

                MD5

                49aebf8cbd62d92ac215b2923fb1b9f5

                SHA1

                1723be06719828dda65ad804298d0431f6aff976

                SHA256

                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                SHA512

                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

              • C:\Users\Admin\AppData\Local\Temp\TarC6AF.tmp

                Filesize

                181KB

                MD5

                4ea6026cf93ec6338144661bf1202cd1

                SHA1

                a1dec9044f750ad887935a01430bf49322fbdcb7

                SHA256

                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                SHA512

                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

              • C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb

                Filesize

                2KB

                MD5

                63881935b6ff930a39df13a27c18c3f5

                SHA1

                d5464ca24d61b2efb562b1b4f4e0bef69c94cf04

                SHA256

                50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5

                SHA512

                011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9

              • C:\Windows\System32\exefile.exe

                Filesize

                3KB

                MD5

                33d277c7477cedb2644df98b7a06a64d

                SHA1

                3a01e8ef0ac09348c9f282cb7380c5670e950178

                SHA256

                b46c95f1ad6bc432d029288e40d570cc3db24b92d8d5dd1f05f7784a23db64d9

                SHA512

                343e2f9fd67188d91cb13d423d01700af15ab8e50538f9356e3985a8acd2d73c1dd4c2256d426ae04eea957a5083e8720a166a0d278386a9d9fc011e5014a6bc

              • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx

                Filesize

                68KB

                MD5

                f76794743b87c6704ef54f548bc4640d

                SHA1

                2f64a17121772839350513b88b29362e0f6d5322

                SHA256

                4df6e2656c52ac5172b60c363eb637ffca80676dc43e4a3f04792067250efcee

                SHA512

                b762d80c62f31941396abca602f908b75ccc6805aea3491698b6daba86adb3b9a21fe6f7a4a01fe20d7273b63d11d1b5012fbf2b3b27afdb9a8bd7c7700621bd

              • \Windows\System32\usеrinit.exe

                Filesize

                139KB

                MD5

                4acd14244d2cd76d06939163127cfb10

                SHA1

                75f3e3c764f7d20c9950f5410f753f3210bcc2e7

                SHA256

                29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb

                SHA512

                001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

              • \systemroot\system32\msiavjyv.dll

                Filesize

                718KB

                MD5

                dc1277e7b67690d454af6bc63a10567a

                SHA1

                dd92ac19af235b659377688b5ff387ab45475c5b

                SHA256

                a281b3f4a1c161ec7a4de14d88b4a5709e5f712a1937e106478f19eb57c23cc4

                SHA512

                64f3d080b2d0388b5921ab1110ae69769456836193e56dc86e857886ed1f05c4508d8c319c4a5b22655f584c0d844447135596a350b68bcff38384bc393ee152

              • memory/268-58-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

                Filesize

                24KB

              • memory/268-49-0x0000000000DD0000-0x0000000000DD3000-memory.dmp

                Filesize

                12KB

              • memory/268-54-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

                Filesize

                24KB

              • memory/268-50-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

                Filesize

                24KB

              • memory/2640-1-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

              • memory/2640-11-0x0000000000400000-0x00000000004A6E00-memory.dmp

                Filesize

                667KB

              • memory/2640-12-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

              • memory/2640-2-0x0000000000400000-0x00000000004A6E00-memory.dmp

                Filesize

                667KB

              • memory/2796-29-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

                Filesize

                64KB

              • memory/2808-32-0x00000000000A0000-0x00000000000BA000-memory.dmp

                Filesize

                104KB

              • memory/2808-281-0x00000000000A0000-0x00000000000BA000-memory.dmp

                Filesize

                104KB

              • memory/2808-79-0x00000000000A0000-0x00000000000BA000-memory.dmp

                Filesize

                104KB

              • memory/2808-59-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

                Filesize

                64KB

              • memory/2808-47-0x00000000000A0000-0x00000000000BA000-memory.dmp

                Filesize

                104KB

              • memory/2808-42-0x00000000000A0000-0x00000000000BA000-memory.dmp

                Filesize

                104KB

              • memory/2808-37-0x00000000000A0000-0x00000000000BA000-memory.dmp

                Filesize

                104KB