Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-04-2024 11:53

General

  • Target

    e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe

  • Size

    548KB

  • MD5

    e9ed433a3d2b4d3e1a1e1dca910263bd

  • SHA1

    a2361f4fc4dbd96b8ac807b19a0637906c5599a3

  • SHA256

    52a7437f9b9c21de2a389039153bc1fa8ac36fdf3be75105dec854a2c8b7a7d0

  • SHA512

    89c1cda887947efc4ecdd31da383ff4760a258f0adfbed4a81d95549d5fbde35290e46767baf88e9817e68a9f27afa9135fddd35a6e301b2ddff30f1fc9bfa09

  • SSDEEP

    12288:ugHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+Y8:aqmwjfz79iSJOUY8

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • UAC bypass (3 TTPs, 13 IoCs)
  • Adds policy Run key to start application (2 TTPs, 31 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 8 IoCs)
  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file (1 TTP, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (32 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (32 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTP, 41 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Users\Admin\AppData\Local\Temp\qcakdvziamk.exe
      "C:\Users\Admin\AppData\Local\Temp\qcakdvziamk.exe" "c:\users\admin\appdata\local\temp\e9ed433a3d2b4d3e1a1e1dca910263bd_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1056
      • C:\Users\Admin\AppData\Local\Temp\xggsw.exe
        "C:\Users\Admin\AppData\Local\Temp\xggsw.exe" "-C:\Users\Admin\AppData\Local\Temp\uozwlunbuizqtigd.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2476
      • C:\Users\Admin\AppData\Local\Temp\xggsw.exe
        "C:\Users\Admin\AppData\Local\Temp\xggsw.exe" "-C:\Users\Admin\AppData\Local\Temp\uozwlunbuizqtigd.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1620
    • C:\Users\Admin\AppData\Local\Temp\qcakdvziamk.exe
      "C:\Users\Admin\AppData\Local\Temp\qcakdvziamk.exe" "c:\users\admin\appdata\local\temp\e9ed433a3d2b4d3e1a1e1dca910263bd_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    f499bfbe43607158ff7f8bf0b8b651e2

    SHA1

    41fdc06e8eae4b9035630136a048c7fc26aed619

    SHA256

    317d01dc0eecf0cd5c7eae17c34cc7575a76cc54d92521edb0ca96134c77a4f2

    SHA512

    03f721e00b06ce3401dc6d90f8d3ec06929156e3a4319c68225a5f8ee0e374fbf02a8aa66f45f929e3a020ccf971f348037e46c92804367b9dad9336a5bf56be

  • C:\Program Files (x86)\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    33356200a1b2c289756ecadd14bdf76f

    SHA1

    c1dfba2005d191c8ab0fa684de47eb5dbae85edd

    SHA256

    daa069b2a08c6f4e49b7f4010bc405c8c991c371b005f43fe51dd5b5dd10647b

    SHA512

    3959a82f95ef4e9d710e1e49bdfa5260eea6749af8393923db25efa387311b2e65350685d1fe7a52d861d09b2fec879b66a2f2aade2dc0ccebfccd978490b54f

  • C:\Program Files (x86)\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    780093641fde008888d5ecdd5455e4c2

    SHA1

    135626687831b1b610c3b35dd18af2fe283b44ff

    SHA256

    ef85be918660c5c413668599612436a3f678b4869c703ad85119b6e3abc66daf

    SHA512

    0147a83e0afdbce0234ab0c8bcd6725acffda29a3593544007c5a127329cdbafa5558a057324b85232ebb7f876222b65f56f47ea5038a04f202bd2a5c292d11d

  • C:\Program Files (x86)\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    14bc93fd1754a46e9e9932c89521b948

    SHA1

    c1d3844a2aa32527616d64bca236728bff085641

    SHA256

    7e447ea4ff18cee58561039c2f1367253d040faaa61e918d3dd6a253ada7c1b5

    SHA512

    6ac225e85b71d83d959018dbaabbe07d2f76b8e60c4fcb64bf0bd59dbc9f0fa1ad2cc0c8e939223ceb57ab0bc94827ad2d134b76b89442420f2c2c5d4f5c9eb4

  • C:\Program Files (x86)\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    8c98aa7255dfd4120feda5841c803eb9

    SHA1

    65aae228159f0c9c85e111e7f5e34afbd3aa54bf

    SHA256

    eb80376c4ecc28e55a9ff99cce0a0bd795c8d48e3069859dc6686afeb1982246

    SHA512

    3574bfc251c047f8eb73a062cd1de487cd6be6f2652eaa0bc2a96d0d6ebfc4e4ae89580268fce7ef034c632052e6bcd0f71bcfd58d108bdf6f56517ad795012f

  • C:\Program Files (x86)\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    4ec1bd22e77862e3430e3eb34a5b7d37

    SHA1

    fe8e11df27384f429c4850024963eb82d3572809

    SHA256

    9abeade477da3ca7f6c60d3ac973ec7b3b1f000a568291f2089fb2031e2629bd

    SHA512

    33979e12379c2df50025372acaf796cd673000e7f512f1b6747d358c9da9633f912425f6a76599b08e29ed2521ee19ec650c8f26e2786185b41d31ded39555a8

  • C:\Users\Admin\AppData\Local\Temp\qcakdvziamk.exe

    Filesize

    320KB

    MD5

    b92314203327a733531042bc58e54f57

    SHA1

    1f3d0081f308a82c9659f4a57fc1ad551167a181

    SHA256

    d936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3

    SHA512

    2982559183e13830cd795c7badadb15b4dad50315155299d9713970aff034c827ade98c79d6da836aea743890aca71bc0f7d5348a32f2858b4f40884ecccf7f7

  • C:\Users\Admin\AppData\Local\Temp\xggsw.exe

    Filesize

    708KB

    MD5

    bb9986d5869e56c264ec9fa948a88923

    SHA1

    9128ab33fc0fb90b9320df37c17cb289196673d1

    SHA256

    47aa97c5afe0b31552cee42b958551f0dfde8eb71eaaaad1182714a7d0d797bd

    SHA512

    2c77c687f055b95a8045a61e36180e78a27808aa016dd2c3c8a1f5202d81887f7118a6ceb36c31bab7691f8d7b876aa0462c96129df902f469559cdd97dfecdd

  • C:\Users\Admin\AppData\Local\cifopkppuuxapqajeemspyzu.zee

    Filesize

    272B

    MD5

    de31e29435a78e765a9217b2a103622d

    SHA1

    227d59075dfac85363a67e00957398037d4d3a36

    SHA256

    1a06b06f99cc61bb22b58a311d5773b0d3455508a7bffcfff2b38adb1f0420d9

    SHA512

    fc9741e873a82e16c1f1645065a88359d730e9a19da3321a438562c9d9367dbe2d35e8e1dc2a2bd0411d6f4b5755d8b40a8dc4f9f07d14c87247e70b64f30c83

  • C:\Users\Admin\AppData\Local\lckeqwmxnymaamhbhslckeqwmxnymaamhbh.lck

    Filesize

    3KB

    MD5

    1228ca9bd10104440ebd86bbca7bac1a

    SHA1

    c72273bc52f781490150d65dd6dec1a36543eb40

    SHA256

    725b8e0643050b1b9872eecf152fd9f90a6f7bbea4c24abd63e0415ee4d76feb

    SHA512

    470c0deb7bb370f5970c36a7f2a2eea4f279e4ac9070e6169615b1842e0cc0daa496f7e2ba1ead8d1183f764ead7bbbd355c42c3c837ed9b5fb6259bf16129f4

  • C:\Windows\SysWOW64\kgtsjupfaqjchyyxiy.exe

    Filesize

    548KB

    MD5

    e9ed433a3d2b4d3e1a1e1dca910263bd

    SHA1

    a2361f4fc4dbd96b8ac807b19a0637906c5599a3

    SHA256

    52a7437f9b9c21de2a389039153bc1fa8ac36fdf3be75105dec854a2c8b7a7d0

    SHA512

    89c1cda887947efc4ecdd31da383ff4760a258f0adfbed4a81d95549d5fbde35290e46767baf88e9817e68a9f27afa9135fddd35a6e301b2ddff30f1fc9bfa09