Overview

overview

7

Static

static

3

079eb5a552...18.exe

windows7-x64

7

079eb5a552...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    84s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    24-06-2024 09:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    079eb5a552d4cdfdb1491a546973594f_JaffaCakes118.exe

  • Size

    187KB

  • MD5

    079eb5a552d4cdfdb1491a546973594f

  • SHA1

    1b2cf8d1649681a992aee4ba54018a415689c9f8

  • SHA256

    d60c9af59db5680ef3b04d82d645bf870168e4e1119011c71c9cd17908e296ee

  • SHA512

    fad9ccc90d5772cd1f4dbcc7e35d29929425f4bc556a0a1cdaf220ada1651b9f689b669eee6010a0fd1a47d56b34054350c90c3f588b5df03a212b89cf580e12

  • SSDEEP

    3072:Xy86zL9oj9BTtppfNPZaW8AasMBIveT+t+UyhKLNg+fBrxk+/FcX3rHG:C7Kj9dPZaWdMBI4FKLlkIFCbm

Score
7/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:480
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1356
        • C:\Users\Admin\AppData\Local\Temp\079eb5a552d4cdfdb1491a546973594f_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\079eb5a552d4cdfdb1491a546973594f_JaffaCakes118.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
            • Deletes itself
            PID:752

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \systemroot\Installer\{60d07273-49d9-5bb7-b8e7-a0e69d61dc92}\@
        Filesize

        2KB

        MD5

        147299b6986f12e36ea3ffe01bfda497

        SHA1

        c909c10bd389322bb8be23e540211a40950ae712

        SHA256

        db43b2b94227d843862f46fb58df75df1a690207dddd4278b24aeeed844d9de4

        SHA512

        c5c4e29aa6783cb8d9cd66bb488413715c13c228f1d5cdac9e7fecd1a88d71fd37c26c64ab31665cb741fa1bdb5806c6833375872f1cfc80f24ce6c303712f63

        Download Submit

      • memory/480-25-0x0000000000130000-0x000000000013C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/480-41-0x00000000001D0000-0x00000000001DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/480-30-0x00000000001D0000-0x00000000001DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/480-32-0x0000000000100000-0x0000000000101000-memory.dmp

        Filesize

        4KB

        Download

      • memory/480-33-0x00000000001D0000-0x00000000001DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/480-29-0x0000000000130000-0x000000000013C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1356-15-0x00000000024A0000-0x00000000024AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1356-36-0x0000000002470000-0x0000000002471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1356-16-0x0000000002470000-0x0000000002478000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1356-14-0x0000000002490000-0x000000000249C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1356-38-0x0000000002470000-0x0000000002478000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1356-10-0x0000000002490000-0x000000000249C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1356-6-0x0000000002490000-0x000000000249C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1356-3-0x0000000002470000-0x0000000002471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1356-17-0x00000000024A0000-0x00000000024AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2648-35-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2648-34-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2648-37-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2648-1-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2648-39-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2648-40-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2648-2-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download