Overview
overview
8Static
static
7ab40b4d665...18.exe
windows7-x64
3ab40b4d665...18.exe
windows10-2004-x64
3$PLUGINSDIR/Aero.dll
windows7-x64
5$PLUGINSDIR/Aero.dll
windows10-2004-x64
5$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...md.dll
windows7-x64
3$PLUGINSDI...md.dll
windows10-2004-x64
3$PLUGINSDI...mp.exe
windows7-x64
1$PLUGINSDI...mp.exe
windows10-2004-x64
3$PLUGINSDIR/RP.exe
windows7-x64
4$PLUGINSDIR/RP.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...er.exe
windows7-x64
$PLUGINSDI...er.exe
windows10-2004-x64
7$PLUGINSDIR/Aero.dll
windows7-x64
5$PLUGINSDIR/Aero.dll
windows10-2004-x64
5$PLUGINSDI...on.dll
windows7-x64
3$PLUGINSDI...on.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...le.dll
windows7-x64
3$PLUGINSDI...le.dll
windows10-2004-x64
3Uninstall.exe
windows7-x64
Uninstall.exe
windows10-2004-x64
$PLUGINSDI...on.dll
windows7-x64
3$PLUGINSDI...on.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28-11-2024 06:06
Behavioral task
behavioral1
Sample
ab40b4d6657e67053c9e36f9f6bf25cf_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
ab40b4d6657e67053c9e36f9f6bf25cf_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Aero.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Aero.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/Banner.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/Banner.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/JpgToBmp.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/JpgToBmp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/RP.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/RP.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/UXTheme Patcher.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/UXTheme Patcher.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/Aero.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/Aero.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsisFile.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/nsisFile.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Uninstall.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
Uninstall.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$PLUGINSDIR/RP.exe
-
Size
97KB
-
MD5
2b585ec745d0d5e94850e615f35dfcc0
-
SHA1
32b2b64e6c5090152c19e50339a5fbb175ce044e
-
SHA256
bb62a3f34f180e8becbba7bcc752bde4ee91e17c171d154939117c47d80994db
-
SHA512
91f6368b4043e9eebb184f9f79b444daafd5862cd7baade71e54ba6706371323d09cf9e4571b99bd7bfd053e9e2041506491919bf1cb940a705730cb014d92db
-
SSDEEP
1536:cfL8WaRkYVE2N/ghGf5TgeYPYlEZYhqqZYn9ACkxWr7uFc1U3leTW:I4lRkAehGfzmuqTPryFm8leK
Malware Config
Signatures
-
Drops file in Windows directory 3 IoCs
Processes:
DrvInst.exedescription ioc Process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RP.exeWScript.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
vssvc.exeDrvInst.exedescription pid Process Token: SeBackupPrivilege 2852 vssvc.exe Token: SeRestorePrivilege 2852 vssvc.exe Token: SeAuditPrivilege 2852 vssvc.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeRestorePrivilege 1444 DrvInst.exe Token: SeLoadDriverPrivilege 1444 DrvInst.exe Token: SeLoadDriverPrivilege 1444 DrvInst.exe Token: SeLoadDriverPrivilege 1444 DrvInst.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
RP.exedescription pid Process procid_target PID 1948 wrote to memory of 2332 1948 RP.exe 30 PID 1948 wrote to memory of 2332 1948 RP.exe 30 PID 1948 wrote to memory of 2332 1948 RP.exe 30 PID 1948 wrote to memory of 2332 1948 RP.exe 30 PID 1948 wrote to memory of 2332 1948 RP.exe 30 PID 1948 wrote to memory of 2332 1948 RP.exe 30 PID 1948 wrote to memory of 2332 1948 RP.exe 30 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\RP.exe"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\RP.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\RP.vbs"2⤵
- System Location Discovery: System Language Discovery
PID:2332
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005B4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1444
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
386B
MD58edd615f3eafd0ba2c6a06d1b985c1d2
SHA1049ca4a40c0f66b0833466c1575cae1d972ede5b
SHA256ab1d81651e7d67ad10de277bdf5f68321daad851205b82c5a59990cb49b6b594
SHA51296de9456cd7d2e6e04361896d31d6ee4b2e0dae63d2634710523c14bd3b0b9187db7b4c984aaa569f0a02e94eb36f1765e9fd3a1f7772c6d79f13b5a85d597c8