Analysis

  • max time kernel: 147s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/06/2024, 15:17

General

  • Target: 07318e0f780396ca081a819416da696b_JaffaCakes118.exe
  • Size: 261KB
  • MD5: 07318e0f780396ca081a819416da696b
  • SHA1: a4faad74e9123890c8e1f4d8b0635cb7b4f27f9f
  • SHA256: c6659983a0f5ea9359c5166198ae672f52a999f19cf84da355cdb829a1bce03a
  • SHA512: ddab7e2a695aa65ad6c8caa3ba6883c44dcb194f9b51c955e7f5de72bd16bd358cd21d4ce59d4d9efb91b5eb38236916ac5a4477e1dbd247e400c8da2a60f17f
  • SSDEEP: 6144:61c6Mr9tv4sDVsDtiY99SQDdaWUu8ioX5jF25JuWDtR:61cxht9DVssY9PdaVuzoJK

Malware Config

Signatures

  • Event Triggered Execution: AppCert DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07318e0f780396ca081a819416da696b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07318e0f780396ca081a819416da696b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\Gameonce64.dll",CreateProcessNotify
      2⤵
      • Loads dropped DLL
      PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240620671.bat" "C:\Users\Admin\AppData\Local\Temp\07318e0f780396ca081a819416da696b_JaffaCakes118.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\07318e0f780396ca081a819416da696b_JaffaCakes118.exe"
        3⤵
        • Views/modifies file attributes
        PID:2364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 424
        3⤵
        • Program crash
        PID:3200
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3440 -ip 3440
    1⤵
    PID:2904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4632 -ip 4632
    1⤵
    PID:3952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240620671.bat
    Filesize: 97B
    MD5: d226a657b279c5fc0a892748230a56ff
    SHA1: fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5
    SHA256: 9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761
    SHA512: 07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

  • C:\Windows\SysWOW64\Gameonce.dll
    Filesize: 87KB
    MD5: 22045dd8686f7f968e05649d4a6e78e7
    SHA1: 72eeb58cdf8912c6c95bcbc9bf2e449e8c642b51
    SHA256: 1a165fe57c3d5bb9033d94992cfe2e1c8b2e97b3bd5be2eeb85d984de541c173
    SHA512: 4ebe4b2c2aecdb71d044725dd1c1cc13aeda52dcb973d96a4513b3d5f71a5e401a471e5ac17e77f7610813c2eb7efbeba05a07ec9b84266473302ddddce006f5

  • C:\Windows\System32\Gameonce64.dll
    Filesize: 99KB
    MD5: e48bff63ea6663bf241fc915fb7f2546
    SHA1: fde9195c95116d87ba15b1739611ea494bea39b7
    SHA256: 96a8028512e1299fe95af8dfce475f46c90fa6db751c28a679acbebac5a71484
    SHA512: 3e9caaa4d06ee01a2dbc71e6ba422bc2cacbccb7ac30beaa61c86693dcb9b4af37a5aff6eed413bd21cd83b38dc350a12fd89831d0cb58d23b3d620a0d9f41a6

  • memory/2952-14-0x000001DA93310000-0x000001DA93311000-memory.dmp
    Filesize: 4KB

  • memory/3440-1-0x0000000000990000-0x00000000009D0000-memory.dmp
    Filesize: 256KB

  • memory/3440-2-0x0000000001000000-0x0000000001043000-memory.dmp
    Filesize: 268KB

  • memory/3440-3-0x0000000001000000-0x0000000001043000-memory.dmp
    Filesize: 268KB

  • memory/3440-9-0x0000000001000000-0x0000000001043000-memory.dmp
    Filesize: 268KB

  • memory/3440-10-0x0000000000990000-0x00000000009D0000-memory.dmp
    Filesize: 256KB

  • memory/3440-17-0x0000000001000000-0x0000000001043000-memory.dmp
    Filesize: 268KB