Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:27

General

  • Target

    b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe

  • Size

    97KB

  • MD5

    b98322e43d25ba7b38c3417dda1e16a4

  • SHA1

    a393719aadb658cca5ad6d151802ad35350b0c67

  • SHA256

    9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51

  • SHA512

    311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

  • SSDEEP

    1536:5vOMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11bvfMoOJ:ROxOMUMPsgQvTMY+PhGGR/117fxOJ

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\s4827\smss.exe
      "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2784

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\c_26742k.com

          Filesize

          97KB

          MD5

          b98322e43d25ba7b38c3417dda1e16a4

          SHA1

          a393719aadb658cca5ad6d151802ad35350b0c67

          SHA256

          9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51

          SHA512

          311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

        • memory/2044-0-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

        • memory/2784-22-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB