Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2024, 13:27

General

  • Target

    b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe

  • Size

    97KB

  • MD5

    b98322e43d25ba7b38c3417dda1e16a4

  • SHA1

    a393719aadb658cca5ad6d151802ad35350b0c67

  • SHA256

    9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51

  • SHA512

    311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

  • SSDEEP

    1536:5vOMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11bvfMoOJ:ROxOMUMPsgQvTMY+PhGGR/117fxOJ

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 16 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
  • Adds policy Run key to start application 2 TTPs 18 IoCs
  • Disables RegEdit via registry modification 8 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\SysWOW64\s4827\smss.exe
      "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\s4827\winlogon.exe
        "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3832
        • C:\Windows\SysWOW64\s4827\services.exe
          "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          PID:3472
        • C:\Windows\SysWOW64\s4827\csrss.exe
          "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          PID:2488
        • C:\Windows\SysWOW64\s4827\lsass.exe
          "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Disables RegEdit via registry modification
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Windows\SysWOW64\net.exe
              net view /domain
              6⤵
              • Discovers systems in the same network
              PID:2960
        • C:\Windows\Ad10218\qm4623.exe
          "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          PID:3496
        • C:\Windows\SysWOW64\s4827\m4623.exe
          "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          PID:2688
        • C:\Windows\SysWOW64\at.exe
          "C:\Windows\System32\at.exe" /delete /y
          4⤵
            PID:928
          • C:\Windows\SysWOW64\at.exe
            "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
            4⤵
              PID:392
            • C:\Windows\SysWOW64\at.exe
              "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
              4⤵
                PID:5064

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\Ad10218\qm4623.exe

                Filesize

                97KB

                MD5

                d7c9c847bb18e1d8d660a8d7131a0bd4

                SHA1

                e71a019cd991b55a0d2dbe28fd6849ad3fb5652f

                SHA256

                0bec29a05754b63ec110080bf220584759ffbf0aa73afb702babed788329d855

                SHA512

                45d44a5fdb76e3106f6f7d0f87cff33c4c989e06e6ac1d15b48d864710b8c81cc77e1e0737c33fca3ffeba45b5727e1f0d73a4a14995fa74c7d117bc7d23b4d7

              • C:\Windows\SysWOW64\c_25122k.com

                Filesize

                97KB

                MD5

                b98322e43d25ba7b38c3417dda1e16a4

                SHA1

                a393719aadb658cca5ad6d151802ad35350b0c67

                SHA256

                9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51

                SHA512

                311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

              • C:\Windows\SysWOW64\s4827\lsass.exe

                Filesize

                97KB

                MD5

                b3c64b09b9545db87fb18d1c61eea5e4

                SHA1

                304279ac23e6fbc57ddf944b0bc7d5411cbe5b43

                SHA256

                e53ba6b4b3653c15b1215d9861b8cbd23cb6abc9f1e2aa8d5439fb8686f1799d

                SHA512

                bef8d808dd4c37038b3f3228c6b9d165702e439b43106ba0d5406015eaaa46400c80e4bd6d3ac6a13eb67efd79576ac3da9ffed04cdc6e41f0f589c6dd1f4c4b

              • C:\Windows\SysWOW64\s4827\m4623.exe

                Filesize

                97KB

                MD5

                87e74a75a08c6314c15653161ae3fe37

                SHA1

                3c8be278b74c15d3c2770ab89ba98aff1aaf2130

                SHA256

                4ab2da8beaf54f5e68844d2450973b4f98a7110ad732a45e13c55aa18eb0c634

                SHA512

                ea287553c6eb2b5c7f4b0e2105cff3f3d7a2a43ae8799f91e883f556579e5e1cc1b03eadf1f9a4e7388d5cce0a2874a2b6835be9137e2633457452cbf83b648c

              • C:\Windows\SysWOW64\s4827\winlogon.exe

                Filesize

                97KB

                MD5

                43683a4440b56ea4d970c69f58b3fc6f

                SHA1

                21ae77d2ec00138f45cfe1282d1147f3a213c988

                SHA256

                d69550dff7298724248f01164066b715ab8117346b43d78294d102039f41a1da

                SHA512

                a06adc52c0e0d3cbedafe1368f4790365f890b117481d0d3b328d29cc0b60a796b4c0a42b562a071ed27e916b62623cef2863910f7ced1ef42b91b159e744ef3

              • memory/2688-164-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB

              • memory/3496-149-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB

              • memory/3832-72-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB

              • memory/4476-45-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB

              • memory/4900-145-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB

              • memory/4920-0-0x0000000000400000-0x0000000000417000-memory.dmp

                Filesize

                92KB