Overview

overview

10

Static

static

3

1586cc3a13...18.exe

windows7-x64

10

1586cc3a13...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe

  • Size

    456KB

  • MD5

    1586cc3a130eecae62a61fae4e4db332

  • SHA1

    aa30896f6f3969335a5ac3bcc7023a7817875700

  • SHA256

    0799ce6bca68ee46cd9c7c6a4519bd1182678176e38e49a3415f759159eec046

  • SHA512

    a754074814fef94e0b0d6b73018eff7b1c94cecfbcc693db99df5dfe73d6159910dcc4c3b3e37de9b67014b66c4a8c0877f1b9e2bd60fedea429607609186651

  • SSDEEP

    6144:zg+GnUR3dZVzcqON3wlrfnvoGL4+kPKy/OIjw/5UR3dZVzcqON3wlrfnOeg+BKni:vVtQcrHapjy6VtQcrgnwXQPk

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 36 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 10 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1586cc3a130eecae62a61fae4e4db332_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /s . /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\SysWOW64\go.exe
      go.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\Tokka.exe
        C:\Windows\SysWOW64\Tokka.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4428
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /s . /f /im taskmgr.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2292
        • C:\Windows\SysWOW64\go.exe
          go.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:388
          • C:\Windows\SysWOW64\Tokka.exe
            C:\Windows\SysWOW64\Tokka.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\autorun.inf
    Filesize

    112B

    MD5

    289b2b890f83ed21a1db157b74813226

    SHA1

    512fc87f2d105a9449aea9a3ceb19c5d1667cf73

    SHA256

    7e98ea87f04ca754a6b8f6abc74ff08f20faa50f85b9071af6bc322106d394cd

    SHA512

    5f6dd5f5f437b10f8d6efcfde7a5c28eaff00c7d42df8f4b0982fda25c9920dfef7464372d687c981418a1037549a6f598e5294620aa3cabd50fb786093bf35a

    Download Submit

  • C:\Windows\SysWOW64\Tokka.exe
    Filesize

    456KB

    MD5

    1586cc3a130eecae62a61fae4e4db332

    SHA1

    aa30896f6f3969335a5ac3bcc7023a7817875700

    SHA256

    0799ce6bca68ee46cd9c7c6a4519bd1182678176e38e49a3415f759159eec046

    SHA512

    a754074814fef94e0b0d6b73018eff7b1c94cecfbcc693db99df5dfe73d6159910dcc4c3b3e37de9b67014b66c4a8c0877f1b9e2bd60fedea429607609186651

    Download Submit

  • C:\Windows\SysWOW64\go.exe
    Filesize

    60KB

    MD5

    ac9223cd1090d3c19753028b8f63793f

    SHA1

    167e04c62af0c5413344eb1e69bc6df45dbe0545

    SHA256

    5c97e87d145f9beade1f6330b6db08e3bc499aaac7405326223209e4522746d6

    SHA512

    22b594a3c1a253745164414fd44ba542f7a361b4ada9959c36cd5cb251ad03e52b3d91b86ce9c1c03d80bf82ff3297792e326d6e80f04449eb58b303a8a6f5be

    Download Submit

  • memory/428-27-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/428-31-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4976-0-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download