Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 00:06

General

  • Target

    0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe

  • Size

    310KB

  • MD5

    0b6d1a782246c0afb602c1a6548892ab

  • SHA1

    26a13cec3e01beefab1ac83e0fffbbfaccc60616

  • SHA256

    0d13b46286128dd6e2dd217bb33c1cc6e48b444d9501e0843443d151bc339c32

  • SHA512

    ab9145e10232857577b279ed925034ba417df595267bf4d49a253e63d3f8df2dfdae3a899bc05d887d7c818bd7419d182576d676631d3ed5fba390a05ccfc814

  • SSDEEP

    6144:Vw8bgKZh/N1tysPVpfJxYWqMK2A9F3tGR7PapETwwUPd004ppQke:Vw80KZh/N1tygRxYIKP3tG7PHT2K0fv

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Document created with cracked Office version 1 IoCs

    Office document contains Grizli777 string known to be caused by using a cracked version of the software.

  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WINDOWS\system32\config\vazb0620px.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\config\vab0726ze.exe
        vab0726ze.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        PID:1796
      • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Windows\System32\config\vab0726ze.pps"
        3⤵
        • Drops file in System32 directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:2764
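Added example, not part of the sandbox report: a small hunt over constructed Sysmon-style events that encodes the behaviours flagged above (script, PE and Office content dropped under System32\config, a Run key added, cmd /c launching a .bat, PowerPoint started with /s on a .pps from a system directory). The event layout and field names are a simplification and the Run-key value name is made up, since the report does not show it; image paths, PIDs and command lines are taken from the process tree. Two details of the tree worth reading correctly: the batch file is invoked as C:\WINDOWS\system32\config\vazb0620px.bat but the dropped files are recorded under SysWOW64\config, because the dropper and cmd.exe are 32-bit and WoW64 file system redirection maps System32 to SysWOW64 for them, so a detection has to match both spellings; and splwow64.exe under POWERPNT.EXE is Windows' own print driver host for 32-bit applications, routinely started when Office enumerates printers, not part of the payload.

```python
"""Hunt for the behaviour in this report over constructed Sysmon-style events.

Added example, not part of the sandbox report. The event layout, the field
names and the Run-key value name are assumptions; image paths, PIDs and
command lines are copied from the report's process tree.
"""
import re
from typing import Dict, List, Tuple

# Constructed events in a simplified Sysmon-like shape:
# id 1 = process create, id 11 = file create, id 13 = registry value set.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 2960, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"'},
    # The 32-bit dropper writes to System32\config; WoW64 redirection lands the
    # files in SysWOW64\config, which is the path the sandbox records.
    {"id": 11, "pid": 2960, "target": r"C:\Windows\SysWOW64\config\vazb0620px.bat"},
    {"id": 11, "pid": 2960, "target": r"C:\Windows\SysWOW64\config\vab0726ze.exe"},
    {"id": 11, "pid": 2960, "target": r"C:\Windows\SysWOW64\config\vab0726ze.pps"},
    {"id": 11, "pid": 2960, "target": r"C:\Windows\SysWOW64\config\LdrAdc.dll"},
    {"id": 1, "pid": 2428, "ppid": 2960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\WINDOWS\system32\config\vazb0620px.bat" "'},
    {"id": 1, "pid": 1796, "ppid": 2428, "image": r"C:\Windows\SysWOW64\config\vab0726ze.exe",
     "cmdline": "vab0726ze.exe"},
    # Run-key value name is constructed; the report only says a Run key was added.
    {"id": 13, "pid": 1796,
     "target": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows\CurrentVersion\Run\vab0726ze"},
    {"id": 1, "pid": 2740, "ppid": 2428,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Windows\System32\config\vab0726ze.pps"'},
    {"id": 1, "pid": 2764, "ppid": 2740, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    # Constructed benign noise: a user opening a deck from Documents.
    {"id": 1, "pid": 3000, "ppid": 900,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Documents\q2.pptx"'},
]

# %windir%\System32\config holds the registry hives; scripts, PE files or Office
# content written there is abnormal. Match both the real and the redirected path.
CONFIG_DIR = re.compile(r"\\windows\\(system32|syswow64)\\config\\", re.I)
PAYLOAD_EXT = re.compile(r"\.(bat|cmd|exe|dll|pps|ppsx|ppt|pptx)$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
CMD_RUNS_BAT = re.compile(r"/c\b.*\.bat\b", re.I)


def find_config_drops(events: List[Dict]) -> List[str]:
    """File creates of script/PE/Office content under System32 or SysWOW64 \\config."""
    return [e["target"] for e in events
            if e["id"] == 11 and CONFIG_DIR.search(e["target"]) and PAYLOAD_EXT.search(e["target"])]


def find_run_keys(events: List[Dict]) -> List[str]:
    """Registry value sets under a CurrentVersion\\Run key (user-logon persistence)."""
    return [e["target"] for e in events if e["id"] == 13 and RUN_KEY.search(e["target"])]


def find_office_from_config(events: List[Dict]) -> List[int]:
    """PowerPoint started on a document under \\config. /s means 'open as a slideshow',
    which is how this sample shows its decoy deck; the Documents launch does not match."""
    return [e["pid"] for e in events
            if e["id"] == 1 and e["image"].lower().endswith("powerpnt.exe")
            and CONFIG_DIR.search(e["cmdline"])]


def find_bat_chains(events: List[Dict]) -> List[Tuple[int, int, List[int]]]:
    """(parent, cmd.exe pid, children) for every 'cmd /c <something>.bat', so the
    dropper and everything the batch file spawned can be pulled as one incident."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chains = []
    for p in procs.values():
        if p["image"].lower().endswith("\\cmd.exe") and CMD_RUNS_BAT.search(p["cmdline"]):
            kids = sorted(c["pid"] for c in procs.values() if c["ppid"] == p["pid"])
            chains.append((p["ppid"], p["pid"], kids))
    return chains


def hunt(events: List[Dict]) -> Dict[str, list]:
    """Run all four checks and return the hits keyed by check name."""
    return {
        "config_drops": find_config_drops(events),
        "run_keys": find_run_keys(events),
        "office_from_config": find_office_from_config(events),
        "bat_chains": find_bat_chains(events),
    }


if __name__ == "__main__":
    for name, hits in hunt(EVENTS).items():
        print(f"{name}: {hits}")
```

On real telemetry the same four checks map onto Sysmon Event IDs 1, 11 and 13 (or the equivalent EDR tables); the chain check is the one that ties the dropper PID to the PowerPoint decoy and the persisted vab0726ze.exe so they are triaged together rather than as three unrelated alerts.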

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\config\vab0726ze.pps

      Filesize

      97KB

      MD5

      b8e80e2b539ff450e7f5ba4998bbcfa5

      SHA1

      ba42ff9c3353b0e84ca0dd2c5c34f6969712f358

      SHA256

      526f8ac5139e0ce09a6b098944bb81c15fda3d816c134eabb02f92e3c9d318f0

      SHA512

      f0064716ee1fe78055d895323e71b6ed2bf3e94b177512340513ec003aefa6cb3ea4edec245f36eb575e2f6d8873671ea364b4454aad01a675ff8e1e4823f4c7

    • C:\Windows\SysWOW64\config\vazb0620px.bat

      Filesize

      243B

      MD5

      c6a0739c021bb5858ec6c6de1bf4defc

      SHA1

      4333ec7cdc0477bc6c0d4d70c6655d933eccec3f

      SHA256

      9a03e38cd7c3930c4f0251e281310c359c0c328ef895c37d8ff935616f5ba94a

      SHA512

      50c21fe8b8197ce38d3f429757153b3d260a8473640330ff7a7b938f9fd180b7c659a3d77af31a99138b258171f66bda8a6350dfc6983f29cb7e70e09105f2c1

    • \Windows\SysWOW64\config\LdrAdc.dll

      Filesize

      88KB

      MD5

      c7cdd580237ffac1704ffc1c93a9a328

      SHA1

      a69ad77cf351be1cb53e6a3ca990a37b03297a1d

      SHA256

      d3e7ce933dc7ece16066033b740eb0ef7c9a0d45d496babd42e8b8b163f87bc4

      SHA512

      4ee4ec1828ebf99134c6f4a539b9a448566a333c1ef8baf45095f43ba90551105e2fd0ebc529094034644816baf0c4892dddd634ca40397367d1bde64f2d0fc3

    • \Windows\SysWOW64\config\vab0726ze.exe

      Filesize

      375KB

      MD5

      249c96ac98d01d6d33fe63045c244a6d

      SHA1

      caf03883a3dd584116bf4b5797c6a96bbdb06587

      SHA256

      5f0c62ab8647416443254a9f29dddbee33934a7082ef189d988ad78dcd1c3c68

      SHA512

      212fb0f9294483c62a0334d1ce142f82629d2a3ed315fe6e31c913777b5f1a176ed93d3419a8446a7ffbd2b3198d222cdb0e98330274a05408c82a6db25eccbf

    • memory/1796-23-0x0000000000020000-0x000000000003B000-memory.dmp

      Filesize

      108KB

    • memory/1796-24-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

    • memory/1796-46-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

    • memory/1796-48-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

    • memory/1796-47-0x0000000000020000-0x000000000003B000-memory.dmp

      Filesize

      108KB

    • memory/1796-51-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

    • memory/1796-61-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

    • memory/1796-64-0x0000000000020000-0x000000000003B000-memory.dmp

      Filesize

      108KB

    • memory/1796-63-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

    • memory/2740-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2740-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB