Analysis

  • max time kernel
    120s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 01:54

General

  • Target

    27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    27bcd7e1e7a4b83502a3057a580b2761

  • SHA1

    69a0b27289af0a6b68d020051ba5aef0e333e794

  • SHA256

    f9c81c2bffe6d3465ecdb13d659d36e03784575875fb2df21a117571062d1757

  • SHA512

    c9d9cec4768f615be82426a14bec15bca7be6795d2a8eb06ec488068dc39020c77cc720fd25fb3e6821c3956b7fc965186596e89327d3b4430b237c061c9b3a1

  • SSDEEP

    98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\ProgramData\Чистилка\Чистилка.exe
      C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3972
    • C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe" /test
      2⤵
      • Executes dropped EXE
      PID:2320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1412
      2⤵
      • Program crash
      PID:3892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4252 -ip 4252
    1⤵
      PID:4432

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Чистилка\Чистилка.exe

            Filesize

            4.3MB

            MD5

            27bcd7e1e7a4b83502a3057a580b2761

            SHA1

            69a0b27289af0a6b68d020051ba5aef0e333e794

            SHA256

            f9c81c2bffe6d3465ecdb13d659d36e03784575875fb2df21a117571062d1757

            SHA512

            c9d9cec4768f615be82426a14bec15bca7be6795d2a8eb06ec488068dc39020c77cc720fd25fb3e6821c3956b7fc965186596e89327d3b4430b237c061c9b3a1

          • C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe

            Filesize

            5.9MB

            MD5

            d7ebb78bf1f0e4a8278b2d63013b1134

            SHA1

            498b315dcba9bf4403d6748be61453d5d8991b61

            SHA256

            c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8

            SHA512

            ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

          • memory/4252-39-0x0000000000800000-0x0000000000C5E000-memory.dmp

            Filesize

            4.4MB