Overview

overview

10

Static

static

3

f5429e9d0b...18.exe

windows7-x64

10

f5429e9d0b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5429e9d0b87173062141225c6ee9137_JaffaCakes118.exe

  • Size

    144KB

  • MD5

    f5429e9d0b87173062141225c6ee9137

  • SHA1

    54ba284aa2260557daa4857717d4cee24d7cdf3b

  • SHA256

    8879cdffed9a72aacab9e1616363fa52f3b2589023fd6eb5df8bf85821947211

  • SHA512

    8a25e2b83dd1343ecf94a32e2300aadae2f59b87b2370aedce4d155075ad5156f6fb10014f55a75a1c2bf55f86fbf66d767e05beafcc494ced7b25b67636542d

  • SSDEEP

    3072:zzruc1Gp7F1FplM2Ooz3aVIFun9wuhbVtLbf8E:v9ilXz3ahn9wStbfb

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5429e9d0b87173062141225c6ee9137_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5429e9d0b87173062141225c6ee9137_JaffaCakes118.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe"
        3⤵
          PID:2728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3627615824-4061627003-3019543961-1000\9ea7b0ae1392bebe8f3f8ac5d174a165_12cce00e-511f-47e5-8588-7df67886da42
      Filesize

      2KB

      MD5

      8de91c4f830956990012f9fd1269e490

      SHA1

      5396852c5a98d586d3970638bebf52ac4d7da6b9

      SHA256

      4b1f314ed0d2dd0aedd922297f2b16cce1d5716a24469b72a9e17ea43bc40433

      SHA512

      4c0ef84683613edb6196a43e2da73c58203e080cdee1c4119ad6b3823db137fec0628eb7fa8f34a7da93aa142a13b001168959d59cb425ae858372b5d7f2d555

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
      Filesize

      144KB

      MD5

      f5429e9d0b87173062141225c6ee9137

      SHA1

      54ba284aa2260557daa4857717d4cee24d7cdf3b

      SHA256

      8879cdffed9a72aacab9e1616363fa52f3b2589023fd6eb5df8bf85821947211

      SHA512

      8a25e2b83dd1343ecf94a32e2300aadae2f59b87b2370aedce4d155075ad5156f6fb10014f55a75a1c2bf55f86fbf66d767e05beafcc494ced7b25b67636542d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
      Filesize

      18KB

      MD5

      d133d370c3858c9811e70f95d554d2c6

      SHA1

      bb09b1253ce571a49b76951283883a3499588295

      SHA256

      87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

      SHA512

      db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XQDL1D0W4MKSM7C36ZUF.temp
      Filesize

      7KB

      MD5

      64ffb0999d87e89dce1f4319a0de9447

      SHA1

      36bd8289877410f030c0f144c931f4ae2458ba64

      SHA256

      01878cc182f3bc592aa488c887198157b3f0f25891fea5207d1895a63de6d11d

      SHA512

      1840a100d875f9821a75addf5dd2b259474e17d1b462231bb12d8ae4e36e21c2bca0b1e37f9a79bfb3b25946356768a127746321a5e2777c0806f79544b46ee5

      Download Submit

    • memory/2476-30-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2476-34-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2476-33-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2476-19-0x000000001B610000-0x000000001B8F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2476-23-0x0000000002230000-0x0000000002238000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2476-31-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2476-29-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2508-46-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2508-49-0x0000000002B70000-0x0000000002BF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2508-50-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2508-48-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2508-47-0x0000000002B70000-0x0000000002BF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2508-45-0x0000000002780000-0x0000000002788000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2508-44-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2640-24-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2640-32-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2640-20-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2640-22-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2728-60-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2728-61-0x0000000000AB0000-0x0000000000B30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2728-62-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2728-63-0x0000000000AB0000-0x0000000000B30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2848-21-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2848-0-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2848-3-0x0000000001EA0000-0x0000000001F20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2848-1-0x0000000001EA0000-0x0000000001F20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2848-2-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

      Filesize

      9.6MB

      Download