Analysis

  • max time kernel
    116s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-05-2024 13:49

General

  • Target

    41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe

  • Size

    538KB

  • MD5

    41b93173a8b5583daaf090438fb05004

  • SHA1

    a0db1a8f024e95fbc5c4c4930a4f6f905bbcab24

  • SHA256

    b87cfba8a4f2329b0b372326a7f169f5896459a6bdae0ad8857b576129722204

  • SHA512

    a770ed85694301daa0b8f9c46dbc25207411b888d6d1a358a816590f0c3bbfad05bd438545554e6c3ce391be6b640acbf69819f38aab0dd235caf2d17962be57

  • SSDEEP

    12288:kNi7Ynlwt1fL+RcGNh25nxXLZmW2PjlyjkvGha:kNk+lwrEcEc5nRLZj2PjlyTa

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\notepad.exe
      "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:6692
      • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        3⤵
        • Executes dropped EXE
        PID:5848
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 6692 -s 1528
        3⤵
        • Program crash
        PID:344
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    1⤵
      PID:6072
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\"""
        2⤵
          PID:6004
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\""
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5956
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6692 -ip 6692
        1⤵
          PID:4184

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

          Filesize

          3KB

          MD5

          b4cd27f2b37665f51eb9fe685ec1d373

          SHA1

          7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

          SHA256

          91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

          SHA512

          e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkghk1zd.iqr.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\notepad.exe

          Filesize

          162KB

          MD5

          e92d3a824a0578a50d2dd81b5060145f

          SHA1

          50ef7c645fd5cbb95d50fbaddf6213800f9296ec

          SHA256

          87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

          SHA512

          40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

        • C:\Users\Admin\AppData\Local\Temp\nsv6F17.tmp\System.dll

          Filesize

          12KB

          MD5

          0d7ad4f45dc6f5aa87f606d0331c6901

          SHA1

          48df0911f0484cbe2a8cdd5362140b63c41ee457

          SHA256

          3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

          SHA512

          c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

        • C:\Users\Admin\AppData\Local\Temp\planula.dll

          Filesize

          72KB

          MD5

          6abeff0d3c52cf017e36e941f035c3e9

          SHA1

          ba0f193dd98a5502c29c4f5671ed066e2a3ae38c

          SHA256

          da93766a660b71b43492920bdb0478359fe86a17a3f51a0329cf6ac77e0852b2

          SHA512

          8b256cc4787c7aee904e36c3772916a5d06c5bde96e9bda3897ca1e7e7e1099d5e46e0d921bed64a1633a91508301ee8568211f02d7dac5dde9f84a57a5ac0a7

        • C:\Users\Admin\AppData\Local\Temp\x64btit.txt

          Filesize

          28B

          MD5

          2c59de1525addd4762cc303997abd6bc

          SHA1

          5c171c0a5ccbbc51bb649c71773f88322e484cae

          SHA256

          127fe125ee5dd9f16ab18ca9d92b5c994fb4cdfec22f1326366c170f4663947b

          SHA512

          9ac84fb6161ae4f2d4a036a65ce570158ab04b7858974600668860349ff3e7cbb02a47ee06cec6361d04802670675b4855b69437d7c6cbdbe7546b2a4783c439

        • C:\Windows\win.ini

          Filesize

          131B

          MD5

          9848e4efb0abd437d65e6d3d1d973adb

          SHA1

          f427ac7c50b19f66658ae7f92cbaf21110b49a47

          SHA256

          c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f

          SHA512

          f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17

        • memory/1976-33-0x0000000002F10000-0x0000000002F21000-memory.dmp

          Filesize

          68KB

        • memory/1976-40-0x0000000002F00000-0x0000000002F01000-memory.dmp

          Filesize

          4KB

        • memory/1976-39-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

          Filesize

          8KB

        • memory/1976-10042-0x0000000003050000-0x0000000003070000-memory.dmp

          Filesize

          128KB

        • memory/5956-10097-0x0000000007120000-0x000000000712A000-memory.dmp

          Filesize

          40KB

        • memory/5956-10090-0x0000000006D50000-0x0000000006D6E000-memory.dmp

          Filesize

          120KB

        • memory/5956-10052-0x00000000047E0000-0x0000000004816000-memory.dmp

          Filesize

          216KB

        • memory/5956-10053-0x0000000004F30000-0x0000000005558000-memory.dmp

          Filesize

          6.2MB

        • memory/5956-10103-0x00000000073D0000-0x00000000073D8000-memory.dmp

          Filesize

          32KB

        • memory/5956-10102-0x00000000073F0000-0x000000000740A000-memory.dmp

          Filesize

          104KB

        • memory/5956-10101-0x00000000072F0000-0x0000000007304000-memory.dmp

          Filesize

          80KB

        • memory/5956-10100-0x00000000072E0000-0x00000000072EE000-memory.dmp

          Filesize

          56KB

        • memory/5956-10099-0x00000000072B0000-0x00000000072C1000-memory.dmp

          Filesize

          68KB

        • memory/5956-10098-0x0000000007330000-0x00000000073C6000-memory.dmp

          Filesize

          600KB

        • memory/5956-10064-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

          Filesize

          136KB

        • memory/5956-10065-0x00000000056D0000-0x0000000005736000-memory.dmp

          Filesize

          408KB

        • memory/5956-10066-0x0000000005740000-0x00000000057A6000-memory.dmp

          Filesize

          408KB

        • memory/5956-10093-0x00000000070B0000-0x00000000070CA000-memory.dmp

          Filesize

          104KB

        • memory/5956-10076-0x00000000057B0000-0x0000000005B04000-memory.dmp

          Filesize

          3.3MB

        • memory/5956-10077-0x0000000005D70000-0x0000000005D8E000-memory.dmp

          Filesize

          120KB

        • memory/5956-10078-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

          Filesize

          304KB

        • memory/5956-10079-0x0000000006350000-0x0000000006382000-memory.dmp

          Filesize

          200KB

        • memory/5956-10080-0x000000006F350000-0x000000006F39C000-memory.dmp

          Filesize

          304KB

        • memory/5956-10092-0x00000000076F0000-0x0000000007D6A000-memory.dmp

          Filesize

          6.5MB

        • memory/5956-10091-0x0000000006D70000-0x0000000006E13000-memory.dmp

          Filesize

          652KB

        • memory/6692-10057-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10119-0x0000000000D80000-0x0000000000D86000-memory.dmp

          Filesize

          24KB

        • memory/6692-10051-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10047-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10096-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10046-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10050-0x0000000000D70000-0x0000000000D73000-memory.dmp

          Filesize

          12KB

        • memory/6692-10058-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10095-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10048-0x0000000000D80000-0x0000000000D86000-memory.dmp

          Filesize

          24KB

        • memory/6692-10055-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10054-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10106-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10107-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10108-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10111-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10112-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10114-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB

        • memory/6692-10056-0x0000000000400000-0x000000000049F000-memory.dmp

          Filesize

          636KB