Overview

overview

10

Static

static

3

1c7ed964dd...18.exe

windows7-x64

10

1c7ed964dd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe

  • Size

    731KB

  • MD5

    1c7ed964dddd78ee5e8d3427e39fb613

  • SHA1

    e34a8c0d58ffe8228ccd18adcab3bd155012f7bb

  • SHA256

    9f108d3210afe4fd08c411caa2cd5540c7d1501b419018c193d30eccca8b02df

  • SHA512

    e2995588fd9b0a02e19f1eb9443d507b6160ae34a6e6d5b7d8749ae895eceda19cdf55c24d1b563bb8841c6dc05fdcf8a8b857f5ccfdede7ebbeeee8d8d3546b

  • SSDEEP

    12288:164z/NTF6hT2H72/3DTYFC24a10Yw54xs0FzNiqosdA6F5mSZ/:gWF6hTCq3YFD4eosa6/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:112
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:2576
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          2⤵
            PID:4164
          • C:\Windows\system32\BackgroundTransferHost.exe
            "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            2⤵
              PID:1336
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              2⤵
                PID:1908
              • C:\Windows\system32\BackgroundTransferHost.exe
                "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                2⤵
                  PID:3220
                • C:\Windows\system32\backgroundTaskHost.exe
                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                  2⤵
                    PID:4864
                  • C:\Windows\system32\BackgroundTransferHost.exe
                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                    2⤵
                      PID:5104
                    • C:\Windows\system32\BackgroundTransferHost.exe
                      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      2⤵
                        PID:1296
                      • C:\Windows\system32\backgroundTaskHost.exe
                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                        2⤵
                          PID:636
                        • C:\Windows\system32\BackgroundTransferHost.exe
                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                          2⤵
                            PID:4384
                          • C:\Windows\system32\BackgroundTransferHost.exe
                            "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                            2⤵
                              PID:1004
                            • C:\Windows\system32\DllHost.exe
                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                              2⤵
                                PID:1672
                              • C:\Windows\system32\backgroundTaskHost.exe
                                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                2⤵
                                  PID:1640
                                • C:\Windows\system32\BackgroundTaskHost.exe
                                  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                                  2⤵
                                    PID:5036
                                • C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"
                                  1⤵
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of WriteProcessMemory
                                  PID:4624
                                  • C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3156
                                • C:\Users\Admin\AppData\Local\Temp\zdejkye.exe
                                  C:\Users\Admin\AppData\Local\Temp\zdejkye.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of WriteProcessMemory
                                  PID:1040
                                  • C:\Users\Admin\AppData\Local\Temp\zdejkye.exe
                                    "C:\Users\Admin\AppData\Local\Temp\zdejkye.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4648
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 656
                                      3⤵
                                      • Program crash
                                      PID:2884
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 676
                                      3⤵
                                      • Program crash
                                      PID:4500
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
                                  1⤵
                                    PID:1792
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4648 -ip 4648
                                    1⤵
                                      PID:4952

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\ProgramData\SoftwareDistribution\fexlhzi
                                      Filesize

                                      654B

                                      MD5

                                      c56f94cd3b37a4cfb2a4963bd150d6b7

                                      SHA1

                                      ac7276f65b2601f68408d947475f16420d130b3f

                                      SHA256

                                      1e7594c7d039dbf626103532a78d1696615068578bb0df919ec3e166d50ad8e3

                                      SHA512

                                      d94848767ae7bbb872fcd34e063cb330db483d870b0156c9e84a9cdc5b359551f2c522e895c871ddd52f3d564dee2e9a5d46def1d072b4b515ad3c4d04b7347d

                                      Download Submit
                                    • C:\Users\Admin\AppData\Local\Temp\zdejkye.exe
                                      Filesize

                                      731KB

                                      MD5

                                      1c7ed964dddd78ee5e8d3427e39fb613

                                      SHA1

                                      e34a8c0d58ffe8228ccd18adcab3bd155012f7bb

                                      SHA256

                                      9f108d3210afe4fd08c411caa2cd5540c7d1501b419018c193d30eccca8b02df

                                      SHA512

                                      e2995588fd9b0a02e19f1eb9443d507b6160ae34a6e6d5b7d8749ae895eceda19cdf55c24d1b563bb8841c6dc05fdcf8a8b857f5ccfdede7ebbeeee8d8d3546b

                                      Download Submit
                                    • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
                                      Filesize

                                      129B

                                      MD5

                                      a526b9e7c716b3489d8cc062fbce4005

                                      SHA1

                                      2df502a944ff721241be20a9e449d2acd07e0312

                                      SHA256

                                      e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                      SHA512

                                      d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                      Download Submit
                                    • memory/780-17-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-51-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-20-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-3400-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-225-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-19-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-25-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/780-23-0x0000000005610000-0x0000000005687000-memory.dmp
                                      Filesize

                                      476KB

                                      Download
                                    • memory/3156-8-0x0000000000400000-0x00000000004A4600-memory.dmp
                                      Filesize

                                      657KB

                                      Download
                                    • memory/3156-2-0x0000000000400000-0x00000000004A5000-memory.dmp
                                      Filesize

                                      660KB

                                      Download
                                    • memory/3156-0-0x0000000000400000-0x00000000004A5000-memory.dmp
                                      Filesize

                                      660KB

                                      Download
                                    • memory/3156-3-0x0000000000870000-0x0000000000A8A000-memory.dmp
                                      Filesize

                                      2.1MB

                                      Download
                                    • memory/3156-4-0x0000000000A90000-0x0000000000CDB000-memory.dmp
                                      Filesize

                                      2.3MB

                                      Download
                                    • memory/4648-14-0x0000000000960000-0x0000000000BAB000-memory.dmp
                                      Filesize

                                      2.3MB

                                      Download