Analysis

- max time kernel: 1s
- max time network: 3s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17/10/2024, 09:42
Static task: static1

Behavioral tasks:

- behavioral1: sample 5197601d3263fce60649415662ad878e_JaffaCakes118.exe, resource win7-20240903-en
- behavioral2: sample 5197601d3263fce60649415662ad878e_JaffaCakes118.exe, resource win10v2004-20241007-en
- behavioral3: sample $APPDATA/DivX_Installer.exe, resource win7-20240729-en
- behavioral4: sample $APPDATA/DivX_Installer.exe, resource win10v2004-20241007-en
- behavioral5: sample $PLUGINSDIR/ExecDos.dll, resource win7-20240903-en
- behavioral6: sample $PLUGINSDIR/ExecDos.dll, resource win10v2004-20241007-en
- behavioral7: sample $TEMP/7za.exe, resource win7-20240903-en
- behavioral8: sample $TEMP/7za.exe, resource win10v2004-20241007-en
General

- Target: 5197601d3263fce60649415662ad878e_JaffaCakes118.exe
- Size: 521KB
- MD5: 5197601d3263fce60649415662ad878e
- SHA1: d0ed76a028aac5c25ef35e794a5f46722ed7d9d5
- SHA256: 1ecac9baae9daf7c7766ff7683570166d3be1031542475546c4db44e850dcafa
- SHA512: b3edb5135de6e1321e780cf878801e362134852b2d22ad3ef087e14a20dccd1bf55c1c9ee2cdb6266f70d4ee430d9c14764e778c03209a501b4cbea6fdbb6a68
- SSDEEP: 12288:ibemqOid95Fl3kg7RVq8Nik6Kf6eeUgJi3HnzdeKnPkxgLOOk:ibRUdD3zXH6JeRgJi3nx5bLbk
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid/process: 1376 cmd.exe
- Executes dropped EXE (5 IoCs)
  pid/process: 2800 DivX_Installer.exe; 2728 7za.exe; 2764 DivX_Codec.exe; 2644 DivX_Player.exe; 2592 DivX_Setup.exe
- Loads dropped DLL (21 IoCs)
  pid/process: 2096 5197601d3263fce60649415662ad878e_JaffaCakes118.exe (x8); 2800 DivX_Installer.exe (x3); 2592 DivX_Setup.exe (x3); 2540 rundll32.exe (x4); 1976 WerFault.exe (x3)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylawu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mfirutrf.dll\",Startup" by rundll32.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\physicaldrive0 by DivX_Installer.exe
- YARA rule matches (upx)
  behavioral1/files/0x0005000000019515-49.dat: upx; behavioral1/memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 1976 WerFault.exe, target pid 2592 (procid_target 35)
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: DivX_Setup.exe, rundll32.exe, WScript.exe, PING.EXE, 5197601d3263fce60649415662ad878e_JaffaCakes118.exe, DivX_Player.exe, DivX_Codec.exe, cmd.exe, cmd.exe, DivX_Installer.exe, 7za.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid/process: 1788 cmd.exe; 1316 PING.EXE
- Runs ping.exe (1 TTP, 1 IoC)
  pid/process: 1316 PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid/process: 2764 DivX_Codec.exe (x2)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeTakeOwnershipPrivilege: 2592 DivX_Setup.exe; Token SeShutdownPrivilege: 2800 DivX_Installer.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe (PID 2096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\DivX_Installer.exe (PID 2800)
    Command line: "C:\Users\Admin\AppData\Roaming\DivX_Installer.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\7za.exe (PID 2728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa -oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe (PID 2764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe (PID 2644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2540)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\mfirutrf.dll",Startup
      Signatures: Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe (PID 2592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1976)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 416
      Signatures: Loads dropped DLL; Program crash
  - C:\Windows\SysWOW64\WScript.exe (PID 2076)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1376)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
      Signatures: Deletes itself; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1788)
        Command line: cmd /C ping -n 1 localhost
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\PING.EXE (PID 1316)
          Command line: ping -n 1 localhost
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads