Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/06/2024, 23:44

General

  • Target

    17fcce7ddc62571712cd89cef81e48b2_JaffaCakes118.exe

  • Size

    149KB

  • MD5

    17fcce7ddc62571712cd89cef81e48b2

  • SHA1

    55170d636650a49b7952cab38ba745c4c22e0752

  • SHA256

    9c972e7287041af9b3b93f8795b34c772d4825822f698a847f0e977d0d843d93

  • SHA512

    7b2d94811e366a5877cf10e43a01454e3d9e7812cc25c615e5771e08975f5c425df092cae74599f92e26bfcb052324fc3f61c1a0bd3b577ad8a781c8e0f2dd31

  • SSDEEP

    3072:iqedeWF8S5fjpPG0DZoRoGjtoh0VibaALlhNqo1:iqedeWF8i1+01oRdyhggjLlhNj

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17fcce7ddc62571712cd89cef81e48b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17fcce7ddc62571712cd89cef81e48b2_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im ZhuDongFangYu.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2696
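The process tree above shows the shape of a service-DLL hijack: the sample kills ZhuDongFangYu.exe (360 Safeguard's active-defence process), drops a DLL outside the Windows directory, and a fresh `svchost.exe -k netsvcs` then loads that dropped DLL and deletes the original executable. The "Server Software Component: Terminal Services DLL" signature is the sandbox's name for ATT&CK T1505.005, where the `ServiceDll` value of a service registered in the `netsvcs` group is pointed at attacker-controlled code. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses a `.reg` export of the `Svchost` group key and the per-service `Parameters` keys, decodes the `hex(2)` (REG_EXPAND_SZ) and `hex(7)` (REG_MULTI_SZ) encodings that `reg export` produces, and flags any netsvcs-hosted service whose `ServiceDll` resolves outside `%SystemRoot%`. The embedded export is constructed for the example; the `Schedule` entry is a normal Windows 7 value, while the `TermService` entry pointing at `baibi.dll` is a hypothetical modelled on the signature name and the dropped-file path, not a registry value shown on this page. `SYSTEM_ROOT` is assumed to be `C:\Windows`.

```python
"""
Added example: hunt for netsvcs-hosted services whose ServiceDll points
outside %SystemRoot%, the pattern behind a "Terminal Services DLL"
(T1505.005) finding and an svchost.exe -k netsvcs process loading a
dropped DLL. Input is plain .reg text, so it runs offline against an
export pulled from a triage image.
"""
import re
from typing import Dict, List

SYSTEM_ROOT = r"C:\Windows"  # assumption: default install path

# Constructed sample export (not from the report). Schedule is a genuine
# netsvcs member; the TermService entry is a hypothetical hijack pointing
# at the report's dropped-file path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,54,00,\
  65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,63,00,68,00,65,00,64,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"ServiceDll"="c:\\documents and settings\\local server\\baibi.dll"
'''

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def _join_continuations(text: str) -> List[str]:
    """Merge .reg lines that end with a backslash into one logical line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def _decode_value(raw: str) -> List[str]:
    """Decode a quoted string, hex(2) REG_EXPAND_SZ or hex(7) REG_MULTI_SZ value."""
    if raw.startswith('"'):
        return [raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')]
    m = re.match(r"hex\((\d)\):(.*)", raw)
    if not m:
        return []  # other types (REG_BINARY, DWORD) are not needed here
    data = bytes(int(h, 16) for h in m.group(2).split(",") if h)
    text = data.decode("utf-16-le")
    if m.group(1) == "7":
        return [p for p in text.split("\0") if p]  # multi-sz: NUL-separated, double NUL end
    return [text.rstrip("\0")]


def parse_reg(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map registry key path -> {value name: decoded strings}."""
    keys: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def expand(path: str) -> str:
    """Expand %SystemRoot% (case-insensitively) the way svchost's loader would."""
    return re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, path, flags=re.I)


def hunt_service_dlls(reg: Dict[str, Dict[str, List[str]]], group: str = "netsvcs") -> List[dict]:
    """For every service in the svchost group, resolve ServiceDll and flag
    anything that does not live under %SystemRoot%."""
    findings = []
    for svc in reg.get(SVCHOST_KEY, {}).get(group, []):
        params = reg.get(rf"{SERVICES_KEY}\{svc}\Parameters", {})
        dll = params.get("ServiceDll")
        if not dll:
            continue
        path = expand(dll[0])
        inside = path.lower().startswith((SYSTEM_ROOT + "\\").lower())
        findings.append({"service": svc, "dll": path, "suspicious": not inside})
    return findings


if __name__ == "__main__":
    for f in hunt_service_dlls(parse_reg(SAMPLE_REG)):
        print(f"{'SUSPICIOUS' if f['suspicious'] else 'ok':10} {f['service']:12} {f['dll']}")
```

On a live host the same export is produced with `reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg` plus the `Svchost` key; a hit should be confirmed by hashing the DLL on disk against the report's IoCs (baibi.dll, MD5 70d69446a6f1ebb61710fb16528803a4) and by checking the service's `ImagePath` is still `%SystemRoot%\System32\svchost.exe -k netsvcs`, since a hijacked group keeps the legitimate host binary.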

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\documents and settings\local server\baibi.dll

    Filesize

    132KB

    MD5

    70d69446a6f1ebb61710fb16528803a4

    SHA1

    262e0ab570da921de9ed3c36044ca94eb7e63eea

    SHA256

    19d927474f8a9b83265f9646faffd967d096fe19a388ae82ba79cc377644f6e7

    SHA512

    c8365163593c6485425b32724f94410436894814c49759e937a96e525896762592345b4d66031a9fc98b250186c2db838433f2f1054877875c53f70a56c4f811

  • memory/1736-0-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/1736-5-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2696-4-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB