e8648c12edb71ba951b2306a7b235dbdc474f26e33319e8ba7219e4a50dd99bd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
Size

2.7MB
MD5

aeaea6351755710c58f417cb3950fa2c
SHA1

f70dd0ef55453aab682d9e7e7efb87c690160a9d
SHA256

e8648c12edb71ba951b2306a7b235dbdc474f26e33319e8ba7219e4a50dd99bd
SHA512

8f25389fdf030c6e432fffb73920f7c00bb4343c5f96e7c14743b277edf34f94ee40001912837f268d7191f1b6918d6c21e44d34e95eb6bdf673fd81b95af6ee
SSDEEP

49152:dJZoQrbTFZY1iacKz58Fcw8uaFKnS3Ubv/Ukd1Zau86XwNjI+zJD9PEe7M:dtrbTA1jr8smMkdDd86XwJXdd7M

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
3768	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TempNajaf.exeSystem.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	TempNajaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 4 IoCs

Processes:

System.exeSetup_FacebookPasswordHack 2014.exeTempNajaf.exeUpdate.exe

pid	Process
4480	System.exe
456	Setup_FacebookPasswordHack 2014.exe
4884	TempNajaf.exe
2764	Update.exe

Loads dropped DLL 1 IoCs

Processes:

Setup_FacebookPasswordHack 2014.exe

pid	Process
456	Setup_FacebookPasswordHack 2014.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Update.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8100c3226482ae95a43914b125e72414 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8100c3226482ae95a43914b125e72414 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\" .."	Update.exe

Drops file in Windows directory 2 IoCs

Processes:

System.exe

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	System.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exeSystem.exeSetup_FacebookPasswordHack 2014.exeTempNajaf.exeUpdate.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_FacebookPasswordHack 2014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempNajaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023caf-9.dat	nsis_installer_1
behavioral2/files/0x000b000000023caf-9.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

System.exe

pid	Process
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe
4480	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

System.exe

pid	Process
4480	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

System.exeUpdate.exe

description	pid	Process
Token: SeDebugPrivilege	4480	System.exe
Token: SeDebugPrivilege	2764	Update.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exeSystem.exeTempNajaf.exeUpdate.exe

description	pid	Process	procid_target
PID 2240 wrote to memory of 4480	2240	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	83
PID 2240 wrote to memory of 4480	2240	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	83
PID 2240 wrote to memory of 4480	2240	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	83
PID 2240 wrote to memory of 456	2240	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	84
PID 2240 wrote to memory of 456	2240	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	84
PID 2240 wrote to memory of 456	2240	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	84
PID 4480 wrote to memory of 4884	4480	System.exe	85
PID 4480 wrote to memory of 4884	4480	System.exe	85
PID 4480 wrote to memory of 4884	4480	System.exe	85
PID 4884 wrote to memory of 2764	4884	TempNajaf.exe	86
PID 4884 wrote to memory of 2764	4884	TempNajaf.exe	86
PID 4884 wrote to memory of 2764	4884	TempNajaf.exe	86
PID 2764 wrote to memory of 3768	2764	Update.exe	91
PID 2764 wrote to memory of 3768	2764	Update.exe	91
PID 2764 wrote to memory of 3768	2764	Update.exe	91

C:\Users\Admin\AppData\Local\Temp\aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\System.exe
  C:\Users\Admin\AppData\Local\Temp/System.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\TempNajaf.exe
    "C:\Users\Admin\AppData\Local\TempNajaf.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Update.exe" "Update.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3768
- C:\Users\Admin\AppData\Local\Temp\Setup_FacebookPasswordHack 2014.exe
  "C:\Users\Admin\AppData\Local\Temp/Setup_FacebookPasswordHack 2014.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempNajaf.exe

Filesize
29KB

MD5
d9ed25466a77bc9106d5dedf76292e47

SHA1
ea583053caca2e0fa7187cab072dad3affa3a5d9

SHA256
755b1e8ec6fa24ffc9cd18dfca43dce46f05abd236e34b1cd16af9522b8a7989

SHA512
6de60891f5ae3ac2148b348c82d79b0d205cc7ed838616e5f73c2c25e9fd823d8b1475a87d688c895d27a02265dbe5b6053f54df73932455371997f00f50c485

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
53KB

MD5
6cf518f1d8ad355c81a88efb28b69295

SHA1
661136e0c9b252f61d12f14d854fc32688ccce13

SHA256
3c8d24ac4e77862e89e74732d94b37b2bf776610b5ed26634256ea96dd0322fc

SHA512
cbd3522d154c05251e3930d4694ce8f34f7dfc2b72b032107850ab891912c114286dfa7d88224e217a3b1fb3f20aa2c857323b214feabb760e954b5f5be12366

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9367.tmp

Filesize
1.9MB

MD5
ee3ea9d01b1202549d0ea19da285eb68

SHA1
721027a19f98e12ef3c3d851875bde3827f3c496

SHA256
83bdd3882cfd3d5ac6a08ea79dc0be51d301300e03b23b7200881d3b690de8d5

SHA512
39f77797bc6840ad835319224f3dcd7cc200eb79d4b6fa3f15b72e9ea790bc29f6c0b552810a156d602414e38f4be11ca110cfb6ea4ae009d4f818150bdb702e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg956B.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg956B.tmp\isWelcome.ini

Filesize
437B

MD5
934b844a0a7facdaf68ec82afe475b21

SHA1
4e4caedd285f241fc5a55908614341ac8a4e2ee3

SHA256
685f412a2be4ce8ce5a586ead4bc65c7dbee7ca7802bd3b505f8da3d982cad2e

SHA512
80bf508acbeabb589ee62bc81295e907b0d56645a837b4ad98e3239c280535d6ed2c72f9cb6ad85f35693e84a6fd449ed859c1263e79a90f5a49a1b2655ea069

Download Submit
memory/4480-22-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download
memory/4480-80-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download
memory/4480-18-0x0000000073C92000-0x0000000073C93000-memory.dmp

Filesize
4KB

Download
memory/4480-100-0x0000000073C92000-0x0000000073C93000-memory.dmp

Filesize
4KB

Download
memory/4480-101-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download
memory/4480-102-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download
memory/4480-108-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download
memory/4884-89-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download
memory/4884-99-0x0000000073C90000-0x0000000074241000-memory.dmp

Filesize
5.7MB

Download