Overview

overview

10

Static

static

3

a6961f6957...18.exe

windows7-x64

10

a6961f6957...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe

  • Size

    163KB

  • MD5

    a6961f695783bdf9b602551df545cbcd

  • SHA1

    9d6f35b80e752f24f28821979f164532f46b6ad6

  • SHA256

    99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98

  • SHA512

    9707707a92b9f158f2130362997f86ba0c77160dd19e4a60046566614806a096229d827ff376b819c107ecdec6e0808c8b63f5e38a4986f8cd78601a97dcb4ef

  • SSDEEP

    3072:89JwqAaNrrDLrX7g5lRaBdMn67iCUF1sDpCUF1sD1L:8HwqAIfrylR+K6EF1sDDF1sD

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a6961f695783bdf9b602551df545cbcd_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
    Filesize

    163KB

    MD5

    a6961f695783bdf9b602551df545cbcd

    SHA1

    9d6f35b80e752f24f28821979f164532f46b6ad6

    SHA256

    99cd6c5bf2a0bccc76155ae1270c6c65aee26f07373886b90818e43d2947ce98

    SHA512

    9707707a92b9f158f2130362997f86ba0c77160dd19e4a60046566614806a096229d827ff376b819c107ecdec6e0808c8b63f5e38a4986f8cd78601a97dcb4ef

    Download Submit
  • C:\Program Files (x86)\Common Files\uiui8.dll
    Filesize

    17KB

    MD5

    0cbc6b0568209d4ed0a0ff71db4fd13c

    SHA1

    8a7166784536e6ebe718d82667d2314c42938387

    SHA256

    d52d74da5230180634f0459f228202dc876c1c2a5661badd170f8308061f1a60

    SHA512

    4494eb6b4a1363b06b25bcf3504517279dbf99bc35ffc95d98e5f55804148ed1fbc68e99295fbc2971abb6f58d945e0e8d0f17e0e7f7bf9aa746486a580fc343

    Download Submit
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1681.lnk
    Filesize

    449B

    MD5

    ae342318b288719168082ba3f26d8e33

    SHA1

    0464e616edc87b677de3e514a5e5baf696ac92ec

    SHA256

    331939a00efce9cab0dc7e690b7be7de0e3d2378f7ea48640bc80ead177332ec

    SHA512

    2e7d224df58bdc39395208fae51726c6d7eff76752c1fdc746da3294b159c1b6fbc9440354ff935c41b2d18d6734cfcc6c18fb726b78fc7d73d870a32cebda34

    Download Submit
  • memory/2420-43-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-52-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-29-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-34-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-38-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-88-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-47-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-30-0x0000000000590000-0x000000000059B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2420-56-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-61-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-65-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-70-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-75-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-79-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2420-83-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/4712-23-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download