cbad509a0e6fae8870308ae58dbc10507c5a76159315e8cfe1923086924491d6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Size

143KB
MD5

1b0345e97b24720ac1f907b04f84f1ef
SHA1

cde1d9dceb37cf0adebdf8d318a24b3ac1406af8
SHA256

cbad509a0e6fae8870308ae58dbc10507c5a76159315e8cfe1923086924491d6
SHA512

3f7d1c0a83b865b743a1ff01718ac99b254cda3fea7366ea304b5f7c39c6490d3f928afe88da772f0fe8092c6d7b1681c76ba24b39dde0418504c57470fc4bf3
SSDEEP

3072:JaiKXvKJW5zpd7rVXJ1RRA/SlXJKY/X1AKmo7D9NJO0vS:B6vKJqzNw/+vF2eDnvS

Score

8^/10

persistence privilege_escalation vmprotect

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

344 cmd.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.execmd.exe

pid process

2192 rundll32.exe
2192 rundll32.exe
344 cmd.exe
2192 rundll32.exe
2192 rundll32.exe
2192 rundll32.exe
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

C:\Windows\SysWOW64\HIMYM.dll vmprotect

pid	process
344	cmd.exe

pid	process
2192	rundll32.exe
2192	rundll32.exe
344	cmd.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe

resource	yara_rule
C:\Windows\SysWOW64\HIMYM.dll	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Disker = "rundll32.exe C:\\Windows\\SysWOW64\\HIMYM.dll,DW"	rundll32.exe

Drops file in System32 directory 1 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\HIMYM.DLL 1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HIMYM.DLL	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

pid	process
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

2192 rundll32.exe

pid	process
2192	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description	pid	process	target process
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 2192	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 2428 wrote to memory of 344	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe
PID 2428 wrote to memory of 344	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe
PID 2428 wrote to memory of 344	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe
PID 2428 wrote to memory of 344	2428	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe"
2⤵
- Deletes itself
- Loads dropped DLL
PID:344

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HIMYM.dll
Filesize
136KB

MD5
d78eb3893db89f73e2947070d04d1ebc

SHA1
926717219c5294b2b8710cba75250f508afda351

SHA256
5e47e54283cf3cdf6a2012edfe8ee3973dafcc445888e4ba0288b23895930c14

SHA512
9f6c6b37c141a2500908e644ece23a0f2396677b3d6d05174f417fc5a62e004666de3d26f6f5d208de8f5f8404a783bd3c92eab965c1e775967bc911d48fe93a

Download Submit
memory/2428-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2428-2-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads