62e0c7cc1cb4f9d1edaf9839e49a7bef19679421a3eab6e636676ab959c03431

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
Size

248KB
MD5

1aae227b0f58c80294d1ed62a69bdd51
SHA1

fa83306ddddf7a035dd6e3fc6efb30d8e62e0ccb
SHA256

62e0c7cc1cb4f9d1edaf9839e49a7bef19679421a3eab6e636676ab959c03431
SHA512

5131fe6d5d85b37784f20d9b32f15444d00b8bf841aa4d083d6bcbcef68cfdf68c2f0691114fcf5fc1436d81ec0254145f85f2b4166a3c589dd29b58cf9b19ee
SSDEEP

6144:b9OUGWO3I1zDqVSyJTEO9sabxuQbrSA6HVN+k:bsUDy9dxukSUk

Score

7^/10

persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

A_v_DVD.dll°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exeservices.exeA_v_AuTo.dllservices.exeA_v_AuTo.dllservices.exeA_v_TT.dll

pid process

2476 A_v_DVD.dll
564 °³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
3524 services.exe
1720 A_v_AuTo.dll
512 services.exe
4924 A_v_AuTo.dll
3932 services.exe
1304 A_v_TT.dll

pid	process
2476	A_v_DVD.dll
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
3524	services.exe
1720	A_v_AuTo.dll
512	services.exe
4924	A_v_AuTo.dll
3932	services.exe
1304	A_v_TT.dll

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\Common Files\microsoft shared\A_v_AuTo.dll	upx
behavioral2/memory/1720-56-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/4924-55-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/1720-43-0x0000000000400000-0x0000000000415000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
behavioral2/memory/1304-67-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect
behavioral2/memory/1304-78-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A_v_AuTo.dllA_v_AuTo.dll

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe"	A_v_AuTo.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe"	A_v_AuTo.dll

Drops file in Program Files directory 15 IoCs

Processes:

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exeservices.exeservices.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Au_ing_Code.ini	services.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\services.exe	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\services.exe	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Au_ing_Code.ini	services.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3276 3524 WerFault.exe services.exe
4148 3932 WerFault.exe services.exe

pid	pid_target	process	target process
3276	3524	WerFault.exe	services.exe
4148	3932	WerFault.exe	services.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

A_v_AuTo.dllA_v_AuTo.dllA_v_TT.dll

pid	process
1720	A_v_AuTo.dll
1720	A_v_AuTo.dll
1720	A_v_AuTo.dll
1720	A_v_AuTo.dll
1720	A_v_AuTo.dll
1720	A_v_AuTo.dll
4924	A_v_AuTo.dll
4924	A_v_AuTo.dll
4924	A_v_AuTo.dll
4924	A_v_AuTo.dll
4924	A_v_AuTo.dll
4924	A_v_AuTo.dll
1304	A_v_TT.dll
1304	A_v_TT.dll
1304	A_v_TT.dll
1304	A_v_TT.dll
1304	A_v_TT.dll
1304	A_v_TT.dll
1304	A_v_TT.dll
1304	A_v_TT.dll

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

services.exeservices.exe

description pid process

Token: SeDebugPrivilege 3524 services.exe
Token: SeDebugPrivilege 3932 services.exe

description	pid	process
Token: SeDebugPrivilege	3524	services.exe
Token: SeDebugPrivilege	3932	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

pid	process
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

pid	process
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
564	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

A_v_TT.dll

pid process

1304 A_v_TT.dll
1304 A_v_TT.dll

pid	process
1304	A_v_TT.dll
1304	A_v_TT.dll

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exeA_v_DVD.dllA_v_AuTo.dllA_v_AuTo.dll

description	pid	process	target process
PID 2308 wrote to memory of 2476	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2308 wrote to memory of 2476	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2308 wrote to memory of 2476	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2476 wrote to memory of 564	2476	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 2476 wrote to memory of 564	2476	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 2476 wrote to memory of 564	2476	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 2308 wrote to memory of 3524	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2308 wrote to memory of 3524	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2308 wrote to memory of 3524	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2308 wrote to memory of 1720	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2308 wrote to memory of 1720	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2308 wrote to memory of 1720	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 1720 wrote to memory of 512	1720	A_v_AuTo.dll	services.exe
PID 1720 wrote to memory of 512	1720	A_v_AuTo.dll	services.exe
PID 1720 wrote to memory of 512	1720	A_v_AuTo.dll	services.exe
PID 4924 wrote to memory of 3932	4924	A_v_AuTo.dll	services.exe
PID 4924 wrote to memory of 3932	4924	A_v_AuTo.dll	services.exe
PID 4924 wrote to memory of 3932	4924	A_v_AuTo.dll	services.exe
PID 2308 wrote to memory of 1304	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2308 wrote to memory of 1304	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2308 wrote to memory of 1304	2308	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll

C:\Users\Admin\AppData\Local\Temp\1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2308

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
"C:\Users\Admin\AppData\Local\Temp\°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:564

C:\Program Files\Common Files\Microsoft Shared\services.exe
"C:\Program Files\Common Files\Microsoft Shared\services.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 540
3⤵
- Program crash
PID:3276

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Common Files\Microsoft Shared\services.exe
"C:\Program Files\Common Files\Microsoft Shared\services.exe"
3⤵
- Executes dropped EXE
PID:512

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4924

C:\Program Files\Common Files\Microsoft Shared\services.exe
"C:\Program Files\Common Files\Microsoft Shared\services.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 520
3⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3524 -ip 3524
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3932 -ip 3932
1⤵
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
47.7MB

MD5
bd5cf0bfbb4e801d0420bd4521ddab4e

SHA1
d7cfe8e08bd6dabe811574f5fe639145e2b262b6

SHA256
4d1dc4f01c89a3bf46ac06c88253c51f06b8b2bbe433a83fdc7ae14b385ea7b1

SHA512
f1d6ad2a24ef41bb4a0e1688f9d47aa4d00237215a3de3b9b852aadba1be0590bfa4fd778a0f2762a42bdc925a87f0d794fd920eebfdaa33b187dc6eec8d26c9

Download Submit
C:\Program Files\Common Files\microsoft shared\A_v_AuTo.dll
Filesize
47.7MB

MD5
e2761aef940baddff5f6962b48a3a2cb

SHA1
7db8418dcb17a3cb44ed86ab284236edc4a70de3

SHA256
71e94bdb43262714ec74a89101b64789aee6a00ba3bcb88367280d932aeab649

SHA512
1088a76190239ef0dd29d4836823300db2ee417f070f587d99bb8ed868a4d6885743da7542c05ae259bb10b0d28d86633566161630dbb42e116f510ab45c7543

Download Submit
C:\Program Files\Common Files\microsoft shared\A_v_DVD.dll
Filesize
606KB

MD5
4cc47cec087ec8bf6f64e676022b9ac9

SHA1
67a25b2c0584e2817239c94a04c62007ae4a3a41

SHA256
5d6cd581a0b4ea4dbeb320b89098ecd026510c8657e2b46c010edbf035eaebcc

SHA512
119111f1195a9398f8abb74248d02a7e95f89659f2099da617d31122602e0fe783775d7aae9ad2c686ca1e89ed5188c1262e12608d1d21183079beef2a244ebe

Download Submit
C:\Program Files\Common Files\microsoft shared\services.exe
Filesize
47.7MB

MD5
fce80f47e512ea702e1455b6cd2b22ad

SHA1
277640fe9195af4bb74b8a35dbf8dd7c532e427f

SHA256
8c271b9f3e39915e549633848f09119713ef31ebad731e25f9594e711553d9af

SHA512
f8bfd96df23af420b8a40eeae5115d3ba19a464e1c422ed6e7aaf4abbfb53964544efe5c36c80da9bd61684ac5cac30cb67143f93c8b83623cece380144876b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
Filesize
252KB

MD5
c160a0cd4b855d9f0e3ff55f82b563af

SHA1
6f92cd78041a1466ec07c58a96c0667185d41ae8

SHA256
e1843a739a6be0a7e4e0ba31fc55aefe4ec67d9ee7050d38f43ce61bef1f1c51

SHA512
f7ee486ff8e2e1fc5e36b6632598b92da69bc0126eb80132bd4a838326d539acfc52fa056a17f0a17de8c1340d2e17c505a4b9117f21d563aa9bf9c9145d5fd5

Download Submit
memory/512-46-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/512-48-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/512-45-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/564-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1304-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1304-78-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1720-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1720-43-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2308-36-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2308-69-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2308-59-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2308-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2308-24-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2308-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2308-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2476-35-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2476-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2476-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2476-13-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3524-30-0x00000000022A0000-0x00000000022EB000-memory.dmp

Filesize
300KB

Download
memory/3524-51-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/3524-31-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3524-32-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3524-33-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/3524-29-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/3524-27-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/3932-53-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/3932-52-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/3932-72-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/4924-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download