Overview

overview

10

Static

static

5

04368110d5...18.exe

windows7-x64

10

04368110d5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04368110d5ce090681d01deaadea2409_JaffaCakes118.exe

  • Size

    747KB

  • MD5

    04368110d5ce090681d01deaadea2409

  • SHA1

    37e7ae7b04b6511ec525a0c23a4d5211438f0cdc

  • SHA256

    09e7e0993d2c44f85eb203e790a8e77004b59b09c69b93efe8151b2c366a3978

  • SHA512

    06977afcfffda85e58f16da09d86619156d2ba61140605a57e7e233cb219ac6e9ecc25466d4388cfeb7e6f00f4d706dfcb79e938c4abaa7629077de84bcbe652

  • SSDEEP

    12288:chkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcbNt0vACQ:URmJkcoQricOIQxiZY1WNyYCQ

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Drivers directory 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04368110d5ce090681d01deaadea2409_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • System policy modification
    PID:4540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    46ba454edc9d9038b2e3f4b6fea4849d

    SHA1

    99d2069256ce74899ff67e5c06ef3d4052ef4ab4

    SHA256

    99e4b9f09b7f675428038c9e1d72531dafe9f2534593c53711481028d7120864

    SHA512

    e217cb8f5cef48756167327df6ccd5406d45c00064615cdd84abbbbffb910a83e1563149a33c272eeb5e5dc9d134e31236e0f105e3a7aefef8d6f2fd294306f2

    Download Submit
  • memory/4540-0-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize

    820KB

    Download