e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Size

351KB
MD5

20582340f93fdefaaeb114ffd7f659e2
SHA1

2b298bc579a805f020d0f8c2a4ec8dafada61417
SHA256

e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363
SHA512

31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d
SSDEEP

6144:kOzzBxDMAYloj1/L8YEAQwgG5hOm3Y/eUObRPlV:VvBxDMAzjN4YEAFMmo/AbRP

Score

8^/10

agilenet evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4452 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe

pid	process
4452	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

UpdateGoogle.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe	UpdateGoogle.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe	UpdateGoogle.exe

Executes dropped EXE 2 IoCs

Processes:

UpdateGoogle.exeUpdateGoogle.exe

pid process

4932 UpdateGoogle.exe
2552 UpdateGoogle.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/432-6-0x0000000006DD0000-0x0000000006DF8000-memory.dmp agile_net

pid	process
4932	UpdateGoogle.exe
2552	UpdateGoogle.exe

resource	yara_rule
behavioral2/memory/432-6-0x0000000006DD0000-0x0000000006DF8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UpdateGoogle.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."	UpdateGoogle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."	UpdateGoogle.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exe

description	pid	process	target process
PID 432 set thread context of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 4932 set thread context of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exeUpdateGoogle.exe

pid	process
432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
4932	UpdateGoogle.exe
4932	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe
2552	UpdateGoogle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exeUpdateGoogle.exe

description pid process

Token: SeDebugPrivilege 432 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Token: SeDebugPrivilege 4932 UpdateGoogle.exe
Token: SeDebugPrivilege 2552 UpdateGoogle.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exe

pid process

1860 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2552 UpdateGoogle.exe

description	pid	process
Token: SeDebugPrivilege	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Token: SeDebugPrivilege	4932	UpdateGoogle.exe
Token: SeDebugPrivilege	2552	UpdateGoogle.exe

pid	process
1860	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
2552	UpdateGoogle.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exeUpdateGoogle.exeUpdateGoogle.exe

description	pid	process	target process
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 432 wrote to memory of 1860	432	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
PID 1860 wrote to memory of 4932	1860	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 1860 wrote to memory of 4932	1860	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 1860 wrote to memory of 4932	1860	20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 4932 wrote to memory of 2552	4932	UpdateGoogle.exe	UpdateGoogle.exe
PID 2552 wrote to memory of 4452	2552	UpdateGoogle.exe	netsh.exe
PID 2552 wrote to memory of 4452	2552	UpdateGoogle.exe	netsh.exe
PID 2552 wrote to memory of 4452	2552	UpdateGoogle.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
"C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
"C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe" "UpdateGoogle.exe" ENABLE
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe.log
Filesize
1KB

MD5
8c199513f790ccc3d3fd67afc767a186

SHA1
b0bd5e13f9644f1cd15f80f154ac7b4af6e19a8c

SHA256
765a41772698b63bd9ab76b9ddf393271bd4a27f122b481a3bdd84977fdeaf6e

SHA512
1b7217845ce9606fdcecd2d262a7d45f70b6920cd9ac3cd26dab6a05cf3104908db1afb9934383ffad79d7beaf9632005624e6699f16913d0cdd3edc13ee13fe

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
Filesize
351KB

MD5
20582340f93fdefaaeb114ffd7f659e2

SHA1
2b298bc579a805f020d0f8c2a4ec8dafada61417

SHA256
e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363

SHA512
31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d

Download Submit
memory/432-10-0x00000000076F0000-0x0000000007704000-memory.dmp

Filesize
80KB

Download
memory/432-11-0x0000000009CE0000-0x0000000009CE6000-memory.dmp

Filesize
24KB

Download
memory/432-4-0x00000000059D0000-0x0000000005A6C000-memory.dmp

Filesize
624KB

Download
memory/432-5-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/432-6-0x0000000006DD0000-0x0000000006DF8000-memory.dmp

Filesize
160KB

Download
memory/432-7-0x0000000006E80000-0x0000000006EE6000-memory.dmp

Filesize
408KB

Download
memory/432-8-0x0000000006EF0000-0x0000000006F12000-memory.dmp

Filesize
136KB

Download
memory/432-9-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/432-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/432-3-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/432-1-0x0000000000EA0000-0x0000000000EFE000-memory.dmp

Filesize
376KB

Download
memory/432-15-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/432-2-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/1860-16-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1860-17-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1860-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1860-29-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4932-30-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4932-35-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download