Analysis

  • max time kernel
    121s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 04:23

General

  • Target

    819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe

  • Size

    136KB

  • MD5

    819de36e469867c9d6c6fdf84bcd9a9d

  • SHA1

    8b61fe4d039453cb6f6ed9e116176b7a3a41f340

  • SHA256

    debc992881ed63f6c7fcb5c39e7cb69c26ec9735c4a9bb6febbfe8c9d0d818d5

  • SHA512

    420b375ee4c1d1eda4c7b77b7999fe0a2d88920bf7d0b0b1d958f21593319424233f7b17f0d3e9e4f6ef26213e1febd9e7860d3f04b5cbb6100fde90da5a0c0b

  • SSDEEP

    1536:S4+aEpOwd/VxDy/5X2++jCx3kdjKsPGR7ehp3vmLvsZIZwTcNhLx8bZJLtgm8iuA:obpDCw1p3vmLvsZIaVwiwDcD

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2100
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1916
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2940
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2932
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2988
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:828
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1100
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1504
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:804
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:784
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2292
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1484
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:600
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2776
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2452
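The process tree above is the useful part of this report for a defender: every REG.exe child runs `REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f`, which removes the Safe Mode control set so the machine can no longer be clean-booted to strip the persistence, and the payload lives as loose files directly in C:\Windows (hosts.exe, W_X_C.bat, W_X_C.vbs) rather than in System32. The script below is an added hunting example, not part of the sandbox report or the sample: it runs the report's signatures as detection logic over process-creation and registry value-set telemetry (Sysmon Event ID 1 and 13, or an EDR export normalised to the same fields). The process events are constructed from the command lines in the tree above; the registry events are constructed to match the report's "Modifies visibility" and "Adds Run key" signatures, so the value names (HideFileExt, Hidden, the Run and Policies\Explorer\Run keys) and their data are assumptions, since the report does not list them. The field names are not any vendor's schema. The rules generalise slightly beyond this sample: they also match ControlSet00N and HKEY_LOCAL_MACHINE spellings of the SafeBoot path and quoted paths.

```python
"""Hunt for the behaviours in this sandbox report in process and registry
telemetry. Added example; not part of the report or the sample."""
import re
from dataclasses import dataclass
from typing import Dict, List

# reg.exe removing the SafeBoot control set. Without it Windows cannot start
# in Safe Mode, which removes the usual clean-boot path for removing
# persistence. ATT&CK T1562.009, Impair Defenses: Safe Mode Boot.
SAFEBOOT_DELETE = re.compile(
    r'\breg(?:\.exe)?\s+delete\s+"?(?:hklm|hkey_local_machine)\\system\\'
    r'(?:currentcontrolset|controlset\d{3})\\control\\safeboot\b',
    re.IGNORECASE,
)

# An .exe/.bat/.vbs placed directly in C:\Windows (not System32/SysWOW64).
# Legitimate software almost never puts loose executables there; this sample
# drops hosts.exe, W_X_C.bat and W_X_C.vbs.
WINDOWS_ROOT_PAYLOAD = re.compile(
    r'[a-z]:\\windows\\[^\\\s"]+\.(?:exe|bat|cmd|vbs|js)\b', re.IGNORECASE
)

# Explorer view settings that hide dropped files and their real extensions
# (ATT&CK T1564.001) and the Run keys used for logon persistence (T1547.001).
EXPLORER_VIEW_VALUES = {"hidden", "hidefileext", "showsuperhidden"}
RUN_KEY_FRAGMENTS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\",
)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str


@dataclass
class RegistryEvent:
    pid: int
    target: str  # full path of the value written: hive\key\value
    data: str


def check_process(ev: ProcessEvent) -> List[str]:
    """Return the findings for one process-creation event."""
    findings: List[str] = []
    if SAFEBOOT_DELETE.search(ev.command_line):
        findings.append("T1562.009 SafeBoot control set deleted")
    # Look at the image path as well as the command line so a payload started
    # with an empty or misleading command line is still caught.
    for text in (ev.image, ev.command_line):
        for m in WINDOWS_ROOT_PAYLOAD.finditer(text):
            f = f"file in Windows root executed or referenced: {m.group(0)}"
            if f not in findings:
                findings.append(f)
    return findings


def check_registry(ev: RegistryEvent) -> List[str]:
    """Return the findings for one registry value-set event."""
    findings: List[str] = []
    key, _, value = ev.target.lower().rpartition("\\")
    if key.endswith("\\explorer\\advanced") and value in EXPLORER_VIEW_VALUES:
        findings.append(f"T1564.001 Explorer view setting changed: {value}={ev.data}")
    if any(frag in ev.target.lower() for frag in RUN_KEY_FRAGMENTS):
        findings.append(f"T1547.001 Run key persistence: {ev.target} -> {ev.data}")
    return findings


def hunt(procs: List[ProcessEvent], regs: List[RegistryEvent]) -> Dict[int, List[str]]:
    """Map every PID with at least one finding to its list of findings."""
    report: Dict[int, List[str]] = {}
    for p in procs:
        for f in check_process(p):
            report.setdefault(p.pid, []).append(f)
    for r in regs:
        for f in check_registry(r):
            report.setdefault(r.pid, []).append(f)
    return report


TMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the process tree in the report (PIDs as reported).
SAMPLE_PROCESSES = [
    ProcessEvent(2960, TMP + r"\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe",
                 f'"{TMP}\\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"'),
    ProcessEvent(2100, r"C:\Windows\SysWOW64\REG.exe",
                 r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"),
    ProcessEvent(1080, TMP + r"\avscan.exe", TMP + r"\avscan.exe"),
    ProcessEvent(2760, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\windows\W_X_C.bat"),
    ProcessEvent(2776, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    ProcessEvent(2452, r"C:\Windows\SysWOW64\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'),
]
# Constructed: the report only says Explorer view settings and Run keys are
# changed, so value names, data and the SID are assumptions, not observations.
HKU = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_REGISTRY = [
    RegistryEvent(2960, HKU + r"\Explorer\Advanced\HideFileExt", "1"),
    RegistryEvent(2960, HKU + r"\Explorer\Advanced\Hidden", "2"),
    RegistryEvent(2960, HKU + r"\Run\avscan", TMP + r"\avscan.exe"),
    RegistryEvent(2452, HKU + r"\Policies\Explorer\Run\hosts", r"C:\windows\hosts.exe"),
]

if __name__ == "__main__":
    for pid, findings in sorted(hunt(SAMPLE_PROCESSES, SAMPLE_REGISTRY).items()):
        print(pid, findings)
```

Two caveats when using this against real telemetry. The sandbox saw the SafeBoot deletion only because the sample shelled out to REG.exe; a variant calling RegDeleteKey in-process leaves no command line, so the same rule should also be applied to registry key-delete events (Sysmon Event ID 12) on the SafeBoot path. And on a host where the key is already gone, the fix is not to recreate it by hand: the Minimal and Network subkeys carry dozens of entries, so restore the SafeBoot key from a known-good machine of the same Windows build or from a backup.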

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          320KB

          MD5

          3acf4594268b3692d899f15ecc821d08

          SHA1

          b6d04bdc23ef556b709ceb3e231083303b9232a9

          SHA256

          d7d2115cd7724aca7b40554f8e58ab3786bc3d7f3093c3c8108bf98dcd073dd0

          SHA512

          8b15dfdc6436a071f86cd6f71ace9bd9829fbe5b8818479cfcafd6bd87675c07b9bb7ef9267a6c44ed1a7bf0a9162f297e1ca2a3a5efeaaa2397ab126391a49a

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          457KB

          MD5

          2b673985aae3c7a8fe4927404966a84f

          SHA1

          349e97ebee31aafb8046dd37ef2cf4812c36ce48

          SHA256

          723acfa9240ad38d92792afe7cc526ffa242f49d69724a64573a23ad823d4867

          SHA512

          13eaee9884bd08f467944c0c18bc0080eb53f5d74f08272f650ffd08a7abe8c8f8b2ce904abc26c000e2557b6e53bbf004d774a0ca5a6e0bbc625d64a6a38596

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          593KB

          MD5

          20e177c2d59e823eedee317eab5291ef

          SHA1

          6b1bd74fa53e2210d49c235c8fa4a58241dee962

          SHA256

          b5a656be042dc297c73cd2b1edee0aa833d04e45a73e0a624d6649691a3ff66f

          SHA512

          e5efea0a6afaf3fd48539bb15c5667e1c36dfa10df62140cb79c84ac0f799645d1d9edb5b23ee158d389fc92d6b781781c14332704c75c9fccaec936db64df43

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          729KB

          MD5

          950528c44009d2b635e960660b6cb20b

          SHA1

          d2ab938041e2b99a0a7002d9b5ee145553389a57

          SHA256

          08b4fdec80b523dc5dab2d07f49b105555b4571ebdc7dad0828241ee4b3bd74e

          SHA512

          ac268f4402022e0592db7a090c2dcc349a299456b3e5bbd5173d531578d877083d49c0a64a37ae09ebfa979ba4936d265f62f387452fc9661153d31f2eec2051

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          866KB

          MD5

          124c4f5fb578efcdd0c711c7b04256ff

          SHA1

          1b474e1514aa703161a93bda2a80840a42d6d6dc

          SHA256

          debc471babe633232c8427c12a7a2f532639fd83ab4922e1937065a4b50260a5

          SHA512

          f4861da8cb13c249050de37525ccc8376ef21f285be7eec3e28728ba666217f351d17f8bd99ff7474cd711f28e9fb3462672b92e269f70bd26ebb523cb0721ee

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          1002KB

          MD5

          c1571d11eb250671a536738c4aa78965

          SHA1

          bf6b1ff64c7da031dd54da639c8389ace3f224ce

          SHA256

          5e08375748cacf62f247e535b4e5a8e5bd63a23e5bf44d45f0cfa3fe61dfdc88

          SHA512

          7294e890c6db022453d130aef99c66ca81c9bcdd340370e378214b4fad26014c18de2df42bf48dd23bdb66f9739600c10fffd20d93e18f794939757c4d9c6690

        • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

          Filesize

          1.1MB

          MD5

          9053e2a2773e1573ffdcb5f795e80ff2

          SHA1

          69bf0208d0dc7f47fe51485fce6e25a08015fbc2

          SHA256

          44154bb54f8fbee6b9e471a1a4430d75a2c96f4b2103e8ff83eecd57c6b58fc1

          SHA512

          048287d4ba834d32408b4807221896d68378ef535db5a6c906af28a1ebdf0e071a2e8577bbc0575df8304553f503deccd3471a9b536d3475697629c51849194e

        • C:\Users\Admin\AppData\Local\Temp\avscan.exe

          Filesize

          136KB

          MD5

          6affc08c4cc74775a7bd9e2fdca55ee0

          SHA1

          533445d44d179a3e9e10666e5c91afdb002d7384

          SHA256

          01834cd5fcb17cc2d02d34c9299fda3dcaee13f2c46769ecea405bbd784a2ac9

          SHA512

          02854605877d1e2161d87bba95e1db8a3aef229d9176a31dbdb49a56857057b7ec6091417661408dbf2cbb801d712a4cbe496b6a146a10c146ccbc2fb45c4876

        • C:\Windows\W_X_C.vbs

          Filesize

          195B

          MD5

          e1551d79cbac725a6adfcbb4290820bb

          SHA1

          d66b66449fceeaa6715bea11a69986fe2ea0483f

          SHA256

          c7619c996c4bb083af1901d74b765b5058b4b0268d772c5f58c8215987734113

          SHA512

          e85b74bd0e11ef737753e323a6f6a587da48feda162c87d048840c58721a6ef1be6462fa3a2e855c6a846ba45da7280b134935dbbf246807f0b662352bded0df

        • C:\Windows\hosts.exe

          Filesize

          136KB

          MD5

          0113d3bfd3ef111307acbde36b22ad1f

          SHA1

          08cd63fbc51e5b37ef3efbca87a3b4668cc421f0

          SHA256

          8891f846340760ce99882b7877d867c91dfb0f3077c7d28245d09541328e14bd

          SHA512

          47203c016e49d8b302317f019ed81249ae02799ff9c533e1d3da3e6f669eb7c17224a34b274374b3b133b897b55a9f05288b7dfed4a8879f2550c1f2981b8a81

        • \??\c:\windows\W_X_C.bat

          Filesize

          336B

          MD5

          4db9f8b6175722b62ececeeeba1ce307

          SHA1

          3b3ba8414706e72a6fa19e884a97b87609e11e47

          SHA256

          d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

          SHA512

          1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

        • memory/2760-61-0x00000000024B0000-0x00000000025B0000-memory.dmp

          Filesize

          1024KB