fe2351aab904fea18c08e92562655bbcad81344f2d76694a706b579ef4d23344

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
Size

1.9MB
MD5

d50a85152019db21ee360180ae5980d4
SHA1

02dae0d2a018c4fd32d12113bb6a38bf7ac63f70
SHA256

fe2351aab904fea18c08e92562655bbcad81344f2d76694a706b579ef4d23344
SHA512

0d411a13a2fea9687e2b234e42ea6991832e1c02e90b40f7d79bf6b49a793432a6e555c6becbb38dd2f33f0d22751de94bfca92eee85aac8869460d23f1e8c22
SSDEEP

49152:IyC6Gn7rPcqIKaxPqAlTRo122ep1C+D/cHmfg6s:Il6GMdP0aTRYTep8+7cUF

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 2 IoCs

pid	Process
4840	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaQH6dWK8R9TwUe8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\l3onF4amH8234A = "C:\\Users\\Admin\\AppData\\Roaming\\ApnG5aQJ6W8R9Tw\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3880-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/3880-8-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/3880-9-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral2/memory/4840-12-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/4840-16-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1632-88-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1632-99-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1632-110-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1632-131-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1632-142-0x0000000000400000-0x0000000000917000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4840	Cloud AV 2012v121.exe
4840	Cloud AV 2012v121.exe
4840	Cloud AV 2012v121.exe
4840	Cloud AV 2012v121.exe
4840	Cloud AV 2012v121.exe
4840	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	544	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3880	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
4840	Cloud AV 2012v121.exe
4840	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe
1632	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4840	3880	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	86
PID 3880 wrote to memory of 4840	3880	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	86
PID 3880 wrote to memory of 4840	3880	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	86
PID 4840 wrote to memory of 1632	4840	Cloud AV 2012v121.exe	87
PID 4840 wrote to memory of 1632	4840	Cloud AV 2012v121.exe	87
PID 4840 wrote to memory of 1632	4840	Cloud AV 2012v121.exe	87

C:\Users\Admin\AppData\Local\Temp\d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Roaming\ApnG5aQJ6W8R9Tw\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\ApnG5aQJ6W8R9Tw\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
902e80870dc41ffb635f276cabd280dc

SHA1
ebf3f2481d823ce896ac3029116a6aec0f9a66c7

SHA256
b438dc73b0bdd84c8dcda2340323ccc559e11f37955bf391e5409af628db05bd

SHA512
7a269c62d6b3b04ce22de9f6c357b73f13127817eaae8c750df61725951311f3d46d389d126a02bf65f47b718c121625442f23b198aed8c42deb4c078e7a99e8

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
8cbc32a888d0c900a0f39774262f723f

SHA1
8f57125d83eb439c985842ab060c8ec20d3d7237

SHA256
a90d8095b135d6879450000e6537ed0e7e9d183625306b57c08de4e1e52e7d59

SHA512
2f7a560928f733fb9904066fad43bc628f9397bcdf9cf1bf89e1240748f230c73f59a517eb86bb187ac409f36e361b087190e55ffb9479aacf93d36c3d12c904

Download Submit
C:\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
d50a85152019db21ee360180ae5980d4

SHA1
02dae0d2a018c4fd32d12113bb6a38bf7ac63f70

SHA256
fe2351aab904fea18c08e92562655bbcad81344f2d76694a706b579ef4d23344

SHA512
0d411a13a2fea9687e2b234e42ea6991832e1c02e90b40f7d79bf6b49a793432a6e555c6becbb38dd2f33f0d22751de94bfca92eee85aac8869460d23f1e8c22

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
50ab0dd716dd66ad0c3eb5fb63f2f118

SHA1
bd9641078264b2135d3b3b0007c98f977d057960

SHA256
1f9037b078250201c92f8e1ea1ad3023011039c76a5aa74d3710edc452fc6517

SHA512
24c0b8ca8650fb50f81b9a89bbb7e8e5492b303b065fbf846c55aeb76c9fc41ebb5b9c6163d168a1362941720473486fdf2596dab4764176ebb348ad264b61d6

Download Submit
memory/1632-88-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1632-19-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1632-99-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1632-110-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1632-131-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1632-142-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3880-9-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/3880-8-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3880-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3880-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/4840-11-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4840-12-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4840-16-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download