Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 05:51

General

  • Target

    ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe

  • Size

    996KB

  • MD5

    ad10830a3342900f70cac19a8d1b6abe

  • SHA1

    205261ebec6b48d1eda0ff543198fa23a62490a1

  • SHA256

    1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270

  • SHA512

    297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a

  • SSDEEP

    12288:HrGuxcx90nsc2x4d6Z7Zw4ySVz0Mw4kdKH7JW/heXGb18EYMtxGDunB8aebR:HrG2CR4N4PwMw4r7VQ6zMtImyL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\ProgramData\TFjXAla\PgYcv.exe
      "C:\ProgramData\TFjXAla\PgYcv.exe"
      2⤵
      • Executes dropped EXE
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    eaea292e9ad408e6fc74b0ae54b91ed7

    SHA1

    8b159ddb466091c6b31e60113087a2f3b8cba16b

    SHA256

    64a233c63533ca64b45d0b02a8c6c0c01352754f4570182fcdda35ab123f9438

    SHA512

    8724ee6738a95895107da81e0b27cc95d4ac9abb3b76f399be1769ef8ddea88b06f61ee15f5bbf0e30645f4074d5e98a9b634fd86c72c4b5095a5cd8bf6f1608

  • C:\Users\Admin\AppData\Local\Temp\Cab7503.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\TarBE45.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • \ProgramData\TFjXAla\PgYcv.exe

    Filesize

    996KB

    MD5

    ad10830a3342900f70cac19a8d1b6abe

    SHA1

    205261ebec6b48d1eda0ff543198fa23a62490a1

    SHA256

    1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270

    SHA512

    297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a

  • memory/956-0-0x0000000073FF1000-0x0000000073FF2000-memory.dmp

    Filesize

    4KB

  • memory/956-1-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/956-25-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/956-26-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/956-40-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-39-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-49-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB