Overview

overview

10

Static

static

10

177f14ed35...18.exe

windows7-x64

10

177f14ed35...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    177f14ed35b25dcf4ffbcd1f021fb676_JaffaCakes118.exe

  • Size

    48KB

  • MD5

    177f14ed35b25dcf4ffbcd1f021fb676

  • SHA1

    ae362ea9477cdf633ee9b76b876be73c1e2a389c

  • SHA256

    8100783372daa78409859d33e26e64dd2a34fb7f945426b83b25f06e3c09a625

  • SHA512

    7ba8acf7c05f0dfb5c466a976343829d82560209f892a0b743b941eba5ca22aa022920b577d485f98047ed234ae991b6c3a7deca36b2cfcad4764dd9c7431111

  • SSDEEP

    768:Xynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67GhPA2:Ib1MsHz3JDwhyWr+N95OTga6r2

Score
8/10
persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\177f14ed35b25dcf4ffbcd1f021fb676_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\177f14ed35b25dcf4ffbcd1f021fb676_JaffaCakes118.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\177f14ed35b25dcf4ffbcd1f021fb676_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:4544
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "csrss"
    1⤵
      PID:5096
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "csrss"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:4292

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\240595812.dll
      Filesize

      25KB

      MD5

      e15e36ac073f290b42b612e0cb50232f

      SHA1

      29ffa1fc5c1c0266a41a4d35cc1011c3bb224c84

      SHA256

      6a14fdbcee2e2292fdad61e69359751979c737c5bc919f6818b47925a4f420e2

      SHA512

      70159af6d56483594bc993d9b69a7312c74a20c8a33d69c8fab63d0a0d05daa3e3fe0277fe8b045522e2457a10c6aaff08a0c6c7dc2f65dca2061221d0b6b2aa

      Download Submit

    • C:\Windows\SysWOW64\csrss.exe
      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      Download Submit