Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/04/2024, 17:19

General

  • Target

    facb3b5aa784eeb415a2078507c1d0a9_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    facb3b5aa784eeb415a2078507c1d0a9

  • SHA1

    2f4d6dc08cd1a0a107fd1f0eb59d1a79b7e3567b

  • SHA256

    605c0e0758b332bad9f8ab8d75b8454d93bdeb99d1be05820033b6b738ad6b31

  • SHA512

    915487fb00a5964d5b3a046e2c2db48f52044a6841ec41680d3972a0a1d1c61a889c3737140e0c1a0172941a1385b52cf3676eb167992887e3cc63c39e042841

  • SSDEEP

    3072:727BSpMbTehfcqclWYac67TJK5yqV3rHX/YAbdZQabfSDsvlferCmUL4EzZ/eEey:727gCbTehEqclWYac67TJxq9LgkdGazr

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory (4 IoCs)
  • Sets file to hidden (1 TTP, 1 IoC)

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (26 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\facb3b5aa784eeb415a2078507c1d0a9_JaffaCakes118.exe (depth 1, PID 2964)
    Command line: "C:\Users\Admin\AppData\Local\Temp\facb3b5aa784eeb415a2078507c1d0a9_JaffaCakes118.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\rnm.exe (depth 2, PID 2056)
      Command line: "C:\Users\Admin\rnm.exe" R M H U
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\explorer.exe (depth 3, PID 2612)
        Command line: "C:\Windows\System32\explorer.exe" C:\Users\Admin\BatLnk.lnk
  • C:\Windows\SysWOW64\DllHost.exe (depth 1, PID 2620)
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    Signatures: Suspicious use of FindShellTrayWindow
  • C:\Windows\explorer.exe (depth 1, PID 2592)
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe (depth 2, PID 2604)
      Command line: cmd /c ""C:\Users\Admin\0.bat" "
      Signatures: Drops file in Drivers directory; Suspicious use of WriteProcessMemory
      • C:\Windows\system32\chcp.com (depth 3, PID 2464)
        Command line: chcp 1251
      • C:\Windows\system32\taskkill.exe (depth 3, PID 2532)
        Command line: taskkill.exe /f /im "praetorian.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      • C:\Windows\system32\attrib.exe (depth 3, PID 2136)
        Command line: attrib +S +H +R "C:\Windows\System32\drivers\etc2\hosts"
        Signatures: Drops file in Drivers directory; Sets file to hidden; Views/modifies file attributes

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\0.bat

              Filesize

              503B

              MD5

              1d5cb9c7c9364d2f404cf778041f0d38

              SHA1

              53ce3fe9ba67320a20d77ea84b29bdefa00ec2f7

              SHA256

              1651ef1d611c7d0d748556b85999c3656168a076bfcbfe46e46ba222c40afc10

              SHA512

              7c6519b81f9a606bacb407388056cfa32cb568d1d89e7784708e8021e6ab45eb586a7c278dfca556dc3c0cbea14d92455aa5f70e45f73c7c9e996e355205f329

            • C:\Users\Admin\0000q0hb.jpg

              Filesize

              66KB

              MD5

              76e1c0bc345ec9c622b0d2f4113963d6

              SHA1

              cfb08784dbcd570be026cee4a4f7f63c17d68f58

              SHA256

              909bb98d0c7a68f091111a693ec034cc572413c97787467b2b74beef5b78124a

              SHA512

              2c4912210a4f2395b882265fdb2142ad3325b0446c12d16ad5e60f0681b06ec41f5da61e6509b1730e31a301753320b45839a45010d361fb35cf1a6a9710b5a4

            • C:\Users\Admin\BatLnk.lnk

              Filesize

              1KB

              MD5

              6f06a428f5eb1305dc28972bca32afe2

              SHA1

              4fb02f2ee9c30a18df45f4f6a201e9b209b2c1df

              SHA256

              97e893c54b575d4f5ed83dcbd08182aa6aff4c59f0b07a2947751187a8719194

              SHA512

              de231e1e21c32849030a801f01a665bfa92e35da55e7b51deb74cf714adb6d1180f76a561c6d3ad94589caae29c391b1b06b4ce2367db4bc3e0b2d0dd9fe23a5

            • C:\Users\Admin\BatLnk.lnk

              Filesize

              1KB

              MD5

              40f161e961ecba8d26adf40b107835b7

              SHA1

              cfc0ca65dd5d0f6ebbe2d723cfa7c8cfe2642714

              SHA256

              0a63db709797fc99c784a3ec65049748d04448bbc4dc38217b296e1e3539326d

              SHA512

              daa6b60ed3da5a79a6daa2956bde827ff76c6ad1fc467edf02ae281e497969b80e65e1f1c0fac238c964166d6cdd2847447ad8b9c5b36c20e76189735afce36f

            • C:\Users\Admin\blank

              Filesize

              19B

              MD5

              4acc4b7d8613b7474f1ce85cf64cd04e

              SHA1

              c34f408a8f0c08a5587febf01f587d10ffa75156

              SHA256

              141f2ae6726c9419cc9f7475d93fa6bf30cbbedaa6c4b7f3c6039e17c84cfc62

              SHA512

              34c9f1baf458a4de4b97e68ae34175fb647d6c4604efca080f0efce11c2bf843941ac9f590810f90c077e869fbd732572c73c6f2598e4a380132d96ad7a50945

            • C:\Users\Admin\source

              Filesize

              43B

              MD5

              d817a843365b6faa47e0728833e48939

              SHA1

              8b6082f8489fbe4975c35d3a786a21d03f122b5e

              SHA256

              0de0d4e6bcbde1bd04cbb749078aca8d0a239fe2b78528465441c8462bc063f2

              SHA512

              df5adcf0c1a9e363ac330555de431c9d72894ec243b9f3c7395f876880c523f34654b423f9b6f8bfc5fe0b349ac425ad43c530d5ff4899df118abd81d107d728

            • \Users\Admin\Rnm.exe

              Filesize

              38KB

              MD5

              ee44de98bc6c187fb95c94f975033c93

              SHA1

              a719921232293a30d616a32988615988c4c7a1e5

              SHA256

              d1ea2b0c93139b0ce47c1d229f1a2c037848b7a3f18206b7d38488c165f377fb

              SHA512

              2a265993dea538fd3fd7e75375ba990af7d826fb83cc936b52ff186148bca973864ea53489085bfa6ce496cd1e4877930490227e3673ea500e08dcbfc029d8fd

            • memory/2056-22-0x00000000027A0000-0x00000000027A2000-memory.dmp

              Filesize

              8KB

            • memory/2056-28-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

            • memory/2620-23-0x00000000001B0000-0x00000000001B2000-memory.dmp

              Filesize

              8KB