Overview

overview

8

Static

static

3

03bacf112c...18.exe

windows7-x64

8

03bacf112c...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 06:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe

  • Size

    256KB

  • MD5

    03bacf112cb9cbabc9a5d807aaebcf8e

  • SHA1

    4d812070e43a4312636b7f39f87e1b6a0fc299c3

  • SHA256

    aeefdd9253151905bc051e071d29cbca18c5ed4531c949b6c12698f051894303

  • SHA512

    dbc1e5848ab80d1d9f24d1bf180e0793ff0bf9649f84e4e30d29020fc1bfaf6200040107ea4e1441b9e8cec16662d3ac5e39ced235b13e450f987b6129f6a814

  • SSDEEP

    6144:GZ86/lKv0HDYrkJd2y2PIGpB0ljmHfasED19+mVRUX1q2o:lyF2wqojm3ED1noq2o

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system\zhqbs080412.exe"
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:1932
    • C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system\zhqbdf080412.dll"
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:2656
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system\zhqbdf080412.dll zhqb16
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\zhqbdf.bat"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\system\zhqbs080412.exe
          "C:\Windows\system\zhqbs080412.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h "C:\Windows\system\zhqb32.dll"
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:2220
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2844

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Documents and Settings\All Users\zhqbdf16.ini
          Filesize

          159B

          MD5

          62d8cb9c034940513cf59a57ec47c11d

          SHA1

          e5567adaae89c0ed156d7888fa024147b8c5ec62

          SHA256

          c2fc3185334832ab5a383c6f708993111aa8d0cdd544c9bd220c9e54a1e5352f

          SHA512

          857177953c70141b1861c4812bbe581bdf86ed8097ac784ef5c51e32d4770f11f12082b156d5fd7dece61532f30c8d1d7743062382a7740d58cd8ec9ca9ddb62

          Download Submit

        • C:\Documents and Settings\All Users\zhqbdf16.ini
          Filesize

          258B

          MD5

          ea055648a8f9c52875ab4a826ac9bd5b

          SHA1

          36d75006866af3f2d93f57929a8fd3ab10320222

          SHA256

          7e0f280c584271050136119eba7c3f7d416b34e137ad076aae1030fb7c507783

          SHA512

          f82fad6cb9b8d7844feb69a5f2870c5984b8cd3e26d63871931c23b46380a7166a9aea26d7b0993eb76b52d22bad05a83a43580c1a9e1b21f91b510eca3fb9de

          Download Submit

        • C:\Documents and Settings\All Users\zhqbdf16.ini
          Filesize

          295B

          MD5

          3c730d65605b3abcabf3746cb6afa8b5

          SHA1

          b7763adf89dc5a7fd97c7b7003a4fc76807d4896

          SHA256

          fb9501651a328ebfc82729ecafad5de1768f1a206f058dcfbee0a98676d36138

          SHA512

          1d36071e11438df33bdb30ac98620ff72b450dc549b1e2eb1703939deba7d9f489a913bce9dac98df8ab882921b1a192c42493fd2f0fc46b0b9fa2c6299930eb

          Download Submit

        • C:\ProgramData\zhqbdf16.ini
          Filesize

          211B

          MD5

          3826705efa74409b171d563f42be7630

          SHA1

          3ac4960754381f3b7872dc1d1463efd5fe599293

          SHA256

          19bdd94a810772ec235be22ecf4bc17f4799d62eead6d7fa3766c07db3a5363c

          SHA512

          04a6bb49179c4d89be5f2c05e25735e727b806b849b28e8630e9dd129308a25c96dd584889ee278bdb663ef4ea817d7afc32071d9c501e6268a50ebcfa8bfd57

          Download Submit

        • C:\ProgramData\zhqbdf16.ini
          Filesize

          96B

          MD5

          1a8a2ab4b194ef3ebb42c5cd6ed3ebe0

          SHA1

          cbf68209d7970677ac4c6e81c997bc57db710576

          SHA256

          204509340bf1f9b27a6d65f338a5238b0eafd7a71400d132111e349dfd6a2b9a

          SHA512

          52ec00a67d657706b888f85383410219a41b342649b5d078a18885500e818ac638359b76281810fcc0b9c10fe13aa5b5f2689374e3f6a6c6b1d925da160f4bec

          Download Submit

        • C:\Windows\system\zhqb32.dll
          Filesize

          499KB

          MD5

          0f0f8dac85b407c7ad674b2f01089179

          SHA1

          d4e9bd469f16dd97118f3d948cd1f18e9fc6f05a

          SHA256

          568396cbadf3dea36cd050105232adda38627a20d25424f4784c39603d9bff1d

          SHA512

          a5aa737b014cad8aa77b75f7fe4cc75ae7a6bd081292da6d6bf88c9489ca71da705ee374f77647fc768618ba5e494e257124a839d559ca2e3113d00fe064da91

          Download Submit

        • C:\Windows\system\zhqbdf080412.dll
          Filesize

          94KB

          MD5

          8802eae85499e8ac70db79e3a3b72e6e

          SHA1

          32ec518a7a856fa944f6c81fe258cbb349c85e36

          SHA256

          3b7ae0fbf40074e6630a9dd4367ea644386f15da242ace0c319ba2ed96e002b0

          SHA512

          474ccb8112142bbae35a89f6c2a5d10e0c624effe42c5e1d3b75389bbea95387b14498abdec109f15fdbd6e85958d8e5d1f1f753c9795b7936b943f76cc4e8a2

          Download Submit

        • C:\Windows\system\zhqbs080412.exe
          Filesize

          256KB

          MD5

          03bacf112cb9cbabc9a5d807aaebcf8e

          SHA1

          4d812070e43a4312636b7f39f87e1b6a0fc299c3

          SHA256

          aeefdd9253151905bc051e071d29cbca18c5ed4531c949b6c12698f051894303

          SHA512

          dbc1e5848ab80d1d9f24d1bf180e0793ff0bf9649f84e4e30d29020fc1bfaf6200040107ea4e1441b9e8cec16662d3ac5e39ced235b13e450f987b6129f6a814

          Download Submit

        • \??\c:\zhqbdf.bat
          Filesize

          47B

          MD5

          54348cb450f3ec5405808f92eb1936b3

          SHA1

          323bd7c51769fea7ce201bdf0945ff6700caf291

          SHA256

          c3acdba09ad877e99a7170c4dd0fc8dbe21da5d288ff1b99d79ce63a4ba4ae68

          SHA512

          3e96f60541a19262792a623f8e99621d2623b463b5041046c5f49174ee4fa257a5c8aa6390e5c9ce6b71a01c1bbf1707bbd887d1a55ac2bfe6491399d72f78bb

          Download Submit

        • memory/2616-43-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2616-61-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download