Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-04-2024 07:25

General

  • Target

    fc3c2e5b1df6fc003987363171bb4798_JaffaCakes118.exe

  • Size

    637KB

  • MD5

    fc3c2e5b1df6fc003987363171bb4798

  • SHA1

    7aeb894742bbe79ff4bbb29f038db7878b4a3327

  • SHA256

    d05dc070814c52b512ff4aa1fd83caaf1ddf229bd09afee773c8305531185491

  • SHA512

    c4946a69f24de2b88d20e8e39a29b44bb183d40a9c1780df36a2796f1c41717350867e46ad0dffdb14f2c8ed270b7c9bcd519f68a49c158369fbd7617193f3ca

  • SSDEEP

    12288:ocv0NTBL22JUyhO42c95ZSzb0MLcqNUOq6MeC+Hxl0zLBW6zZCFpSZr6ptMRp:ocvkTBICJSNLbLHxlqLdsMZitMRp

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Possible privilege escalation attempt 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 26 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc3c2e5b1df6fc003987363171bb4798_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3c2e5b1df6fc003987363171bb4798_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FA00.tmp\FA4F.tmp\FA50.bat C:\Users\Admin\AppData\Local\Temp\fc3c2e5b1df6fc003987363171bb4798_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
        3⤵
          PID:2748
        • C:\Users\Admin\AppData\Roaming\2.exe
          2.exe
          3⤵
          • Executes dropped EXE
          PID:4368
        • C:\Windows\system32\PING.EXE
          ping localhost -n 25
          3⤵
          • Runs ping.exe
          PID:4044
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im 2.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3464
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im explorer.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1440
        • C:\Windows\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1948
        • C:\Users\Admin\AppData\Roaming\3.exe
          3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2488
        • C:\Windows\System32\takeown.exe
          takeown /f *.dll
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
        • C:\Windows\System32\icacls.exe
          icacls *.dll /grant Users:f
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3216
        • C:\Windows\System32\icacls.exe
          icacls *.dll /grant Administrators:f
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2356
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4260
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3704
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:532
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:3800
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:3392
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
    • File and Directory Permissions Modification (T1222): 1
  • Discovery
    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 4
    • Peripheral Device Discovery (T1120): 2
    • Remote System Discovery (T1018): 1
Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize: 471B
    MD5: f3945b57f0f3c105bd40af2901e4822a
    SHA1: 93dabbe9a560f3d59ad8ce8d5dc941909fe21ec1
    SHA256: 60ede5fc5d4e90f27afe2e8c8a14ebb0cf75df70ad29f8524f4b748a04203d39
    SHA512: 212a88efd8a79e9b20aa86c83cb3f05e093a9233e4eb7e2d1064c599c8bbb5085b8ef45433d4d6266f80604af3d1e0a29dbbfbe124c5e18710ddb76b1ad2de0f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize: 412B
    MD5: 80dd9d08229784964c2c223ab7a14b78
    SHA1: 4d71f9ccccba677a6b625f79140a3ca6763b4e75
    SHA256: 6e168969aa7e80609d58a8404555ef2d283b35366480261f080100f9350de380
    SHA512: 49a5cd7ddd13b56a8b45e65fbed5faeeff20cf8d97097902a199e6f4ec2b9376534efb66da30c863efb09011a9f3e0930dea44b0893337eda877305b4950d23e

  • C:\Users\Admin\AppData\Local\Temp\FA00.tmp\FA4F.tmp\FA50.bat
    Filesize: 338B
    MD5: 8af3b2e8dce4ec741aa745682f8e8d4c
    SHA1: 305e0958937de85afda2ede7a70496fd96447e4b
    SHA256: 00c777df441109c1a1bcf77d980f6f9b04e1ce0ea68df29afb5a60abc0a7f29d
    SHA512: 8539c6d0fe0af7ae389fb4dbba824092af239d340168ba57e557a5fa1a1c6c040be41157ab4f89ff434192746065f52f43f7650b6414d7994867eccf7276f159

  • C:\Users\Admin\AppData\Roaming\1.vbs
    Filesize: 55B
    MD5: ac7f65c30172d7719967db45b7c162cf
    SHA1: 29905104f5dd9242ddc134c627bfb96270d017ef
    SHA256: 171c6849a7918bd45bfa910825031c863711ed852895288659833faac42d67c0
    SHA512: 07761f178094fca19f3b2ea383450b9ba8a176a99fe3efac1a7ec6ecc2f2ee1082f54f6ce93887ab52d2d4a4f4fdd7e21ab3baa80173fdaee837e1d4a9f76195

  • C:\Users\Admin\AppData\Roaming\2.exe
    Filesize: 12KB
    MD5: 833619a4c9e8c808f092bf477af62618
    SHA1: b4a0efa26f790e991cb17542c8e6aeb5030d1ebf
    SHA256: 92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76
    SHA512: 4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

  • C:\Users\Admin\AppData\Roaming\3.exe
    Filesize: 1.1MB
    MD5: f0a661d33aac3a3ce0c38c89bec52f89
    SHA1: 709d6465793675208f22f779f9e070ed31d81e61
    SHA256: c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a
    SHA512: 57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443

  • memory/532-22-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize: 4KB