e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Size

351KB
MD5

20582340f93fdefaaeb114ffd7f659e2
SHA1

2b298bc579a805f020d0f8c2a4ec8dafada61417
SHA256

e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363
SHA512

31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d
SSDEEP

6144:kOzzBxDMAYloj1/L8YEAQwgG5hOm3Y/eUObRPlV:VvBxDMAzjN4YEAFMmo/AbRP

Score

8^/10

agilenet evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1252 netsh.exe

pid	process
1252	netsh.exe

Drops startup file 2 IoCs

Processes:

UpdateGoogle.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe	UpdateGoogle.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe	UpdateGoogle.exe

Executes dropped EXE 2 IoCs

Processes:

UpdateGoogle.exeUpdateGoogle.exe

pid process

2436 UpdateGoogle.exe
2196 UpdateGoogle.exe
Loads dropped DLL 2 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exe

pid process

2672 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2436 UpdateGoogle.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral1/memory/1976-3-0x0000000005100000-0x0000000005128000-memory.dmp agile_net

pid	process
2436	UpdateGoogle.exe
2196	UpdateGoogle.exe

pid	process
2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2436	UpdateGoogle.exe

resource	yara_rule
behavioral1/memory/1976-3-0x0000000005100000-0x0000000005128000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UpdateGoogle.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."	UpdateGoogle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."	UpdateGoogle.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exe

description	pid	process	target process
PID 1976 set thread context of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 2436 set thread context of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exeUpdateGoogle.exe

pid process

1976 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
1976 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2436 UpdateGoogle.exe
2436 UpdateGoogle.exe
2196 UpdateGoogle.exe
2196 UpdateGoogle.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exeUpdateGoogle.exe

description pid process

Token: SeDebugPrivilege 1976 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Token: SeDebugPrivilege 2436 UpdateGoogle.exe
Token: SeDebugPrivilege 2196 UpdateGoogle.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exe

pid process

2672 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2196 UpdateGoogle.exe

pid	process
1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2436	UpdateGoogle.exe
2436	UpdateGoogle.exe
2196	UpdateGoogle.exe
2196	UpdateGoogle.exe

description	pid	process
Token: SeDebugPrivilege	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Token: SeDebugPrivilege	2436	UpdateGoogle.exe
Token: SeDebugPrivilege	2196	UpdateGoogle.exe

pid	process
2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2196	UpdateGoogle.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exeUpdateGoogle.exe

description	pid	process	target process
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1976 wrote to memory of 2672	1976	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2672 wrote to memory of 2436	2672	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2436 wrote to memory of 2196	2436	UpdateGoogle.exe	UpdateGoogle.exe
PID 2196 wrote to memory of 1252	2196	UpdateGoogle.exe	netsh.exe
PID 2196 wrote to memory of 1252	2196	UpdateGoogle.exe	netsh.exe
PID 2196 wrote to memory of 1252	2196	UpdateGoogle.exe	netsh.exe
PID 2196 wrote to memory of 1252	2196	UpdateGoogle.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
"C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
"C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe" "UpdateGoogle.exe" ENABLE
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\UpdateGoogle.exe
Filesize
351KB

MD5
20582340f93fdefaaeb114ffd7f659e2

SHA1
2b298bc579a805f020d0f8c2a4ec8dafada61417

SHA256
e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363

SHA512
31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d

Download Submit
memory/1976-18-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-1-0x0000000000A80000-0x0000000000ADE000-memory.dmp

Filesize
376KB

Download
memory/1976-2-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-3-0x0000000005100000-0x0000000005128000-memory.dmp

Filesize
160KB

Download
memory/1976-4-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-5-0x0000000000770000-0x0000000000784000-memory.dmp

Filesize
80KB

Download
memory/1976-6-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/1976-0-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/2196-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-30-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/2436-29-0x00000000008E0000-0x000000000093E000-memory.dmp

Filesize
376KB

Download
memory/2672-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-17-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-19-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-21-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-28-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download