72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
Size

1.9MB
MD5

560c57996398b6d5fcda78ca1372dfe7
SHA1

2881fb19501b0bfb91cd80b0270e7bbc04853a27
SHA256

72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7
SHA512

f520e3bc1d3df2dfe34758dbab202a476223973db52b3b8d0e262d5816a1d184d919b9d53e4ef0f2b93f4b1b63ee3bf211254fd2051a32a2987978496bf4db44
SSDEEP

24576:Uc9ZDtTS7od7341D2+jjqBicDSdwAO3BECoRypw649dq3YayQUP99R11GJ:Ucdh73WD2IcicDsZO3Bjw964zqOt114

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 2 IoCs

pid	Process
3292	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZTXwjUVelBz0c1v8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YG5aQJ6dE8R9YwU8234A = "C:\\Users\\Admin\\AppData\\Roaming\\HEL8gTZqjCkVzN\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4028-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/4028-8-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/4028-9-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral2/memory/3292-12-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/3292-17-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1660-88-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1660-99-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1660-110-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1660-131-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1660-142-0x0000000000400000-0x0000000000917000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	Cloud AV 2012v121.exe
3292	Cloud AV 2012v121.exe
3292	Cloud AV 2012v121.exe
3292	Cloud AV 2012v121.exe
3292	Cloud AV 2012v121.exe
3292	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3908	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4028	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
3292	Cloud AV 2012v121.exe
3292	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe
1660	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3292	4028	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe	86
PID 4028 wrote to memory of 3292	4028	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe	86
PID 4028 wrote to memory of 3292	4028	JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe	86
PID 3292 wrote to memory of 1660	3292	Cloud AV 2012v121.exe	89
PID 3292 wrote to memory of 1660	3292	Cloud AV 2012v121.exe	89
PID 3292 wrote to memory of 1660	3292	Cloud AV 2012v121.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_560c57996398b6d5fcda78ca1372dfe7.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Roaming\HEL8gTZqjCkVzN\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\HEL8gTZqjCkVzN\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
a0bbefbdae3d6768f67e4c36e72efeee

SHA1
ecfd049a8db533233ad15c26b3d6d3b70a195d20

SHA256
9fc373b21a11d6b4ce31e0dc4208aea1ceb2bf350dae0ce10d4aebfe8c9a04b3

SHA512
ad543692684322eaa581e386e55d4132dfd4be806a32c9e27d8a48d4e0e56dfb0e1f85934762f425ec201d36a5124d22fe1ab58e29ec9babde8b10449d1e086b

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
fb264e98a9916b7d89a7b8198e16c663

SHA1
408e224cfff8bb4b72846e8bfad163d21cb27292

SHA256
a3b3a11bf443fb253cb79a716f63f45887a62f58a8766ee31c530dbd204a91d7

SHA512
86cefc67d72ed23f2b2a02b54c35aaf0e3803595ba3ad74fa53432d2be1276e8e96afe8f6f4566a31d7edd740ce273d68b67e56273a3ea43b7bebb49d9c6ff73

Download Submit
C:\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
560c57996398b6d5fcda78ca1372dfe7

SHA1
2881fb19501b0bfb91cd80b0270e7bbc04853a27

SHA256
72a9721c2098fa1760d735bf2482caee20df5b3b56437ab776639825f4f0f8a7

SHA512
f520e3bc1d3df2dfe34758dbab202a476223973db52b3b8d0e262d5816a1d184d919b9d53e4ef0f2b93f4b1b63ee3bf211254fd2051a32a2987978496bf4db44

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
848c85055eb22b06f25e0ef2b71d966f

SHA1
899082528ad2908798e26456efbdda0a07ff9fc1

SHA256
7b787af8c470e687c9eec11ec8485f74298a3ec41141cf2408a4b2e45b1d0803

SHA512
38358b8effb55518732b3d989e601cc40ebdc21ce404a876e620b3a44b61b8bc141a97bdb55aa3c8a5453ba6c5e3e15a269102dbbd4f69dd985e73b2828fcec5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b6576736f1b835f265b638979326c981

SHA1
e26801da785f5fc091cc8c0f6c6ab76ff2d5c3cc

SHA256
e20a836e30cc9e1437a889dfea1649e81b947af867e912f18340c68ea2984a70

SHA512
d38e429ad7c4998cb5f3d65d86e140d3fd642602fa88172dabd48df777f3150b499a19e019863f19730fb8e888043944b01a175f829e7af88779c5cf683bc44f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
51fc10f3256bce3376cb579a6c222fda

SHA1
4fc1f93f5bb319431957454f0b5da0305c6d956e

SHA256
fad1ba61af982646aadc990662bf26e874c325e48b1bdfaea589b18803bcb740

SHA512
609d943f425e255604c19bc341d6905fd66230359b705f6c3207b515a55502c0513212992e59239f3661cf26375a5a56c7748518e3a0cd330821eae359b02ea3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
50ab0dd716dd66ad0c3eb5fb63f2f118

SHA1
bd9641078264b2135d3b3b0007c98f977d057960

SHA256
1f9037b078250201c92f8e1ea1ad3023011039c76a5aa74d3710edc452fc6517

SHA512
24c0b8ca8650fb50f81b9a89bbb7e8e5492b303b065fbf846c55aeb76c9fc41ebb5b9c6163d168a1362941720473486fdf2596dab4764176ebb348ad264b61d6

Download Submit
memory/1660-88-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1660-99-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1660-110-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1660-131-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1660-142-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3292-17-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3292-12-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/3292-11-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4028-9-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/4028-8-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4028-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/4028-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download