Overview

overview

10

Static

static

3

ffe2d2dd73...18.exe

windows7-x64

10

ffe2d2dd73...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    21-04-2024 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe

  • Size

    344KB

  • MD5

    ffe2d2dd736ffefc03ab601d330371c6

  • SHA1

    e255f41fe960ab48929fa65a32785f3e8c5a3abc

  • SHA256

    67672f834f933fed057ef630293221a5a46687c1d1656776cf378b8637062447

  • SHA512

    7b8b07e785ee2b6ce2e5db6ee825e220d6ce2ea480f83dc78d7d863f8e9fee3e3f16d5039f3fe09231a5e06babbd00ebd9b41dc2e63bcfb26ff9cbc6cd026a15

  • SSDEEP

    6144:7rOYeg8hY2Uw/M9sKBsEhPSVqW6kti4zDDcyMHKi4OTxXVmev+knrY2OM5t:27g8hYLa/4SVN6EzPcyMHKBOTxlmev+F

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
      "C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Deletes itself
      • Executes dropped EXE
      • Windows security modification
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331
    Filesize

    328B

    MD5

    24a93889b716315baaba6ee76b3daaa5

    SHA1

    3b99f11f0e9f632e5b3f00fb616011ee8d3bc906

    SHA256

    76ca4b3f653b9cfa0a891b05095dbed3a2b1569743bfee96c163ca6a41c4d5b4

    SHA512

    fe912058b2c9248db9d01edfc8a3494310d3a501cace9c0afcf33dbf8d2c2cd39679456b2b045dc8182129606acfd4e516213438dd20108834336b2cc383b777

    Download Submit
  • C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe
    Filesize

    344KB

    MD5

    ffe2d2dd736ffefc03ab601d330371c6

    SHA1

    e255f41fe960ab48929fa65a32785f3e8c5a3abc

    SHA256

    67672f834f933fed057ef630293221a5a46687c1d1656776cf378b8637062447

    SHA512

    7b8b07e785ee2b6ce2e5db6ee825e220d6ce2ea480f83dc78d7d863f8e9fee3e3f16d5039f3fe09231a5e06babbd00ebd9b41dc2e63bcfb26ff9cbc6cd026a15

    Download Submit
  • memory/1884-2-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/1884-1-0x0000000000260000-0x0000000000262000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1884-0-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1884-20-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/1884-22-0x0000000000260000-0x0000000000262000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1884-29-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/2860-11-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/2860-12-0x0000000000270000-0x0000000000272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2860-21-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/2860-32-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/2860-33-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/2860-38-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download