Resubmissions

18-05-2024 14:39

240518-r1dttsgc3s 6

Analysis

  • max time kernel
    71s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-05-2024 14:39

General

  • Target

    4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe

  • Size

    268KB

  • MD5

    4d68507752275a8607502b0ae14ef9a1

  • SHA1

    4e13b8267ca39e41b9dbf88dc3123fed37e409c0

  • SHA256

    6fee95a3e283d9ad09a399e99b086ef70c3679eb8ad548161bdfababe3da68fb

  • SHA512

    bbebbd027af9e953141efecbfde31137735d58e54ff26966475570c7414ddc03ee53636011fad404d60c8df0031a79d5f2b858819ded59428ead93a5d9732849

  • SSDEEP

    6144:dI4M7nO35HbqtMFurLa8BqUlv8TqE4TvLOJ5tEpo6LlE7:aj6qsE8UVk4TotEpNLlE

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3148
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DisableUnprotect.gif
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1056
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~DFE73DEAF5E9A46F8C.TMP

    Filesize

    16KB

    MD5

    1a24b12242ec79df20d43490ff46a180

    SHA1

    b6c093eb7b21033e45f2e2627007b11db3accacd

    SHA256

    09ed7b3c274f2d75cb56b6f392c6cd0e33539162d888fe2ea8cb8affd826b7cf

    SHA512

    14d9db6787b4346f57fbf6556fa00fcf484547b769a6d813a3dbacb7b80c54f599864d893f7270970e6e2ac80ab8a8499cb8fd0f3a93eaa31c7b2b1f25af1e2b

  • C:\Users\Admin\AppData\Roaming\Ofhai\ogeg.exe

    Filesize

    268KB

    MD5

    4d68507752275a8607502b0ae14ef9a1

    SHA1

    4e13b8267ca39e41b9dbf88dc3123fed37e409c0

    SHA256

    6fee95a3e283d9ad09a399e99b086ef70c3679eb8ad548161bdfababe3da68fb

    SHA512

    bbebbd027af9e953141efecbfde31137735d58e54ff26966475570c7414ddc03ee53636011fad404d60c8df0031a79d5f2b858819ded59428ead93a5d9732849

  • memory/3148-10-0x0000000000110000-0x0000000000136000-memory.dmp

    Filesize

    152KB

  • memory/3560-20-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-13-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-14-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-24-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-23-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-22-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-21-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-18-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-19-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3560-12-0x000001B77E6C0000-0x000001B77E6C1000-memory.dmp

    Filesize

    4KB

  • memory/3664-0-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

  • memory/3664-1-0x00000000006C0000-0x0000000000706000-memory.dmp

    Filesize

    280KB