093b230ba4c569b847d0fe6319faac0fafe6c26fa808fa45f81def8f770c1a23

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
Size

299KB
MD5

1ac562c103f397bc360eb5a20f921a3c
SHA1

6b850fca8a549ef197abf6f60b2f27ace6feea92
SHA256

093b230ba4c569b847d0fe6319faac0fafe6c26fa808fa45f81def8f770c1a23
SHA512

b78cae3dd26688507672f230531a18d5aaa3ce8fec90bab23f6ad867ceb24c3c67c43ad488c17233c0bb2071a7fe73be92786af505aaeaeda14be5d1d38c0bac
SSDEEP

6144:ef3tv8uK5A5phFKlrINwmIETCcH4JJ96KIi3eLWOStEB8wP2YGpLeBOrMwsg:ef3x8uKIphFKaN5TGJj7rzEP29VeW3sg

Score

7^/10

persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

csboyDVD.dll³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exeservices.execsboyAuTo.dllservices.execsboyAuTo.dllservices.execsboyTT.dll

pid	process
1780	csboyDVD.dll
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
2100	services.exe
2616	csboyAuTo.dll
1652	services.exe
4444	csboyAuTo.dll
3296	services.exe
3220	csboyTT.dll

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\Common Files\Services\csboyAuTo.dll	upx
behavioral2/memory/2616-56-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4444-52-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4444-48-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2616-41-0x0000000000400000-0x0000000000414000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3220-70-0x0000000000400000-0x0000000000418000-memory.dmp	vmprotect
C:\Program Files\Common Files\Services\csboyTT.dll	vmprotect
behavioral2/memory/3220-68-0x0000000000400000-0x0000000000418000-memory.dmp	vmprotect
behavioral2/memory/3220-77-0x0000000000400000-0x0000000000418000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csboyAuTo.dllcsboyAuTo.dll

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Services\\services.exe"	csboyAuTo.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Services\\services.exe"	csboyAuTo.dll

Drops file in Program Files directory 15 IoCs

Processes:

1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exeservices.exeservices.exe

description	ioc	process
File created	C:\Program Files\Common Files\Services\csboyDvd.ocx	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboybind.au	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyTT.dll	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\csboy_ing_Code.ini	services.exe
File created	C:\Program Files\Common Files\Services\csboyDVD.dll	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyDw.ocx	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyAuTo.ocx	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyAuTo.dll	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\csboy_ing_Code.ini	services.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyTT.dll	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\services.exe	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\services.exe	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyDVD.dll	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyAuTo.dll	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyTj.ocx	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3324 2100 WerFault.exe services.exe
3744 3296 WerFault.exe services.exe

pid	pid_target	process	target process
3324	2100	WerFault.exe	services.exe
3744	3296	WerFault.exe	services.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

csboyAuTo.dllcsboyAuTo.dllcsboyTT.dll

pid	process
2616	csboyAuTo.dll
2616	csboyAuTo.dll
2616	csboyAuTo.dll
2616	csboyAuTo.dll
2616	csboyAuTo.dll
2616	csboyAuTo.dll
4444	csboyAuTo.dll
4444	csboyAuTo.dll
4444	csboyAuTo.dll
4444	csboyAuTo.dll
4444	csboyAuTo.dll
4444	csboyAuTo.dll
3220	csboyTT.dll
3220	csboyTT.dll
3220	csboyTT.dll
3220	csboyTT.dll
3220	csboyTT.dll
3220	csboyTT.dll
3220	csboyTT.dll
3220	csboyTT.dll

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

services.exeservices.exe

description pid process

Token: SeDebugPrivilege 2100 services.exe
Token: SeDebugPrivilege 3296 services.exe

description	pid	process
Token: SeDebugPrivilege	2100	services.exe
Token: SeDebugPrivilege	3296	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe

pid	process
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe

pid	process
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
2796	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

csboyTT.dll

pid process

3220 csboyTT.dll
3220 csboyTT.dll

pid	process
3220	csboyTT.dll
3220	csboyTT.dll

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.execsboyDVD.dllcsboyAuTo.dllcsboyAuTo.dll

description	pid	process	target process
PID 2592 wrote to memory of 1780	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyDVD.dll
PID 2592 wrote to memory of 1780	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyDVD.dll
PID 2592 wrote to memory of 1780	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyDVD.dll
PID 1780 wrote to memory of 2796	1780	csboyDVD.dll	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
PID 1780 wrote to memory of 2796	1780	csboyDVD.dll	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
PID 1780 wrote to memory of 2796	1780	csboyDVD.dll	³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
PID 2592 wrote to memory of 2100	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	services.exe
PID 2592 wrote to memory of 2100	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	services.exe
PID 2592 wrote to memory of 2100	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	services.exe
PID 2592 wrote to memory of 2616	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyAuTo.dll
PID 2592 wrote to memory of 2616	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyAuTo.dll
PID 2592 wrote to memory of 2616	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyAuTo.dll
PID 2616 wrote to memory of 1652	2616	csboyAuTo.dll	services.exe
PID 2616 wrote to memory of 1652	2616	csboyAuTo.dll	services.exe
PID 2616 wrote to memory of 1652	2616	csboyAuTo.dll	services.exe
PID 4444 wrote to memory of 3296	4444	csboyAuTo.dll	services.exe
PID 4444 wrote to memory of 3296	4444	csboyAuTo.dll	services.exe
PID 4444 wrote to memory of 3296	4444	csboyAuTo.dll	services.exe
PID 2592 wrote to memory of 3220	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyTT.dll
PID 2592 wrote to memory of 3220	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyTT.dll
PID 2592 wrote to memory of 3220	2592	1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe	csboyTT.dll

C:\Users\Admin\AppData\Local\Temp\1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ac562c103f397bc360eb5a20f921a3c_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files\Common Files\Services\csboyDVD.dll
"C:\Program Files\Common Files\Services\csboyDVD.dll"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
"C:\Users\Admin\AppData\Local\Temp\³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

C:\Program Files\Common Files\Services\services.exe
"C:\Program Files\Common Files\Services\services.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 536
3⤵
- Program crash
PID:3324

C:\Program Files\Common Files\Services\csboyAuTo.dll
"C:\Program Files\Common Files\Services\csboyAuTo.dll"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files\Common Files\Services\services.exe
"C:\Program Files\Common Files\Services\services.exe"
3⤵
- Executes dropped EXE
PID:1652

C:\Program Files\Common Files\Services\csboyTT.dll
"C:\Program Files\Common Files\Services\csboyTT.dll"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Program Files\Common Files\Services\csboyAuTo.dll
"C:\Program Files\Common Files\Services\csboyAuTo.dll"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444

C:\Program Files\Common Files\Services\services.exe
"C:\Program Files\Common Files\Services\services.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 512
3⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2100 -ip 2100
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3296 -ip 3296
1⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\csboyAuTo.dll
Filesize
47.7MB

MD5
a48d21d88d5b1185663baa9e80cc3f1b

SHA1
3297b71c8d8d12209c2c3b0b6fad439245f43bd6

SHA256
609a1b3db77a7826d4873170677f8c0145dc927c493799a15aa5f024a07d186a

SHA512
60b07a32cc2483be2fde7715f9be9272a0bdf75b4cba8257515cc191b55e07d2f9022f5a63e7c8ec891eb525917895358a609dfdf039bd50e85f0e6d40938147

Download Submit
C:\Program Files\Common Files\Services\csboyDVD.dll
Filesize
606KB

MD5
a1d054fe6432de825fffd202ae760e80

SHA1
16040f867221ce7191b0653840ce5989c99710b1

SHA256
1ddb450f29fbf62d80447fec9e8629f51ab74902f163963a76157cff75e9db9a

SHA512
6e42f8acc1cff53032d8ec3cae48e0bb93864d46137d872e35f4e46f5514c267e1b7ba02f64b90108ae6b8f04e16a35f8966e95e886e5728e8f9368221fd90b1

Download Submit
C:\Program Files\Common Files\Services\csboyTT.dll
Filesize
47.7MB

MD5
e0543f7b26904208a24b6d14750abbe4

SHA1
991b8ce1c3903122b9733e88daa7821f114131ba

SHA256
49250843107d36be1cbe6ccc5f2442db8ac33cfce3ffc108df3be904fd09f1c2

SHA512
a175afdf830da027d0bc38aea92470b479c1a5c1796606f06a22bb8fabebb36f170843f90b0e9e6ed36963973ceeb9ce7beee7165b86ea5ec15f139e0122c5c5

Download Submit
C:\Program Files\Common Files\Services\services.exe
Filesize
47.8MB

MD5
16b56f9aa9b5cf71985c439960f425a6

SHA1
cdf32dad677a7eeb909ec3b098dadd02fe3eaa4c

SHA256
cb164f83a6450489d4d195d56250eca2c2da188acbea883fc8b0c963659d1642

SHA512
a29088d1d9baef2dda02c3238af78b68a023a19bfdcc8b1aff31bfb7dbcbfc1970543a2d7f1d1d897b2d35c90e0d694e287d9b042434696d4b6a0bde0a8e3f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\³ÉÈË²¥·ÅÆ÷×îÐÂ°æ.exe_5BB3C7E96208784D787EB50FCE8B3E64F91223EF.exe
Filesize
252KB

MD5
90027e51a3b1807742cd15fd33721d7e

SHA1
cfb69530f4e0f0b8cded8d28f527c74ad8fa9546

SHA256
13df7b5cd1da553331134b0105523bf20662da9bdd7416c7b98f6a562fd06b15

SHA512
29729d843c8ca71624078bf22e8374f3a41f7b2f39f51c552a72d1d33bf8518d434873ad2bd23e48874978e9896869b2505f03dbbf32269ade501b876b2f7df1

Download Submit
memory/1652-44-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/1652-46-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/1652-43-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/1780-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1780-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1780-12-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2100-62-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/2100-26-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/2100-27-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/2100-28-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/2100-30-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/2100-29-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/2592-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2592-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2592-71-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2592-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2592-22-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2592-33-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2616-41-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2616-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2796-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-70-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3220-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3220-77-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3296-54-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/3296-50-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/3296-53-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/3296-73-0x0000000000400000-0x0000000000430F69-memory.dmp

Filesize
195KB

Download
memory/4444-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4444-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download