Overview

overview

7

Static

static

5

2621326533...18.exe

windows7-x64

6

2621326533...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    262132653358194edf6a20bd6477825b_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    262132653358194edf6a20bd6477825b

  • SHA1

    7f51c6ae16a71abac42ee32f4973250b92839282

  • SHA256

    9bbc1ed623d8ff84aed6a4ad000cdf10165a2ead32896aa02b7525c40ffffe3b

  • SHA512

    b88b80bdf663f94bd75f3c7ab55805fce229635f9044a8f3aaf0f57405447a0431ecfd71fa8059b524c71d14ac18a3a7a4d7e58bf29af25ba121c4462521f644

  • SSDEEP

    49152:IkxOm+7TjsPnztyDMmaf0qC6TuRhB0Cd4Ik0ZD5FJ9X+:IJotyDJTuIRZD5FLX

Score
6/10

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
    1⤵
    • Modifies system certificate store
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo 2
      2⤵
        PID:3024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
          3⤵
          • Modifies boot configuration data using bcdedit
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000058C" "0000000000000570"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\FRST\w3Pf4Kh6C\NTUSER.DAT
      Filesize

      768KB

      MD5

      aebed9f842d9eb7e34aa778a08956e4e

      SHA1

      ff98a29bf56c44e7727822f688114f3f6033d26b

      SHA256

      30f77a3f9c3a99c744e19a906227ae7d138973344bd2ec7f9515632f2cb6bb64

      SHA512

      4e5a0bb47019637b8dddb62de6ae8d7d8c4c34bb686865418f91cef767423a02db9a23a0bdd0e15c2b72e233ace74294de325d2f7000a19a1b36db1a23b4098b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      abcdf813bf5fefe8f48a39fce841ef07

      SHA1

      cfb8f8b5145e6e27cadb1b67aa75efe38496061a

      SHA256

      d1dd72c502db7b347f6c91fcf547594a3b60be5ce72b0a9b68767e86d6df34f9

      SHA512

      eab913ad206578e929dde862dab6459c7a9ed736edbfe3298bed0d719a215a81924e1ad2a0cf0b8b4d5c681d09eb4eef88f4af2670016676df499a23caa21cd1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab4A9A.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar4B0A.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit