Overview

overview

10

Static

static

3

16d143711c...18.exe

windows7-x64

10

16d143711c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe

  • Size

    280KB

  • MD5

    16d143711c1d631e3034c279d6a5cb88

  • SHA1

    fb931528d88d8e4107c5bdda1125c00a341d5656

  • SHA256

    0359fe210e864779b977a9b12ad000fa0cbaa97ea4c8e12af197ba0a30303b58

  • SHA512

    1824afc66ab91756d995a39acb32a8392cc59b79968fa897a750046f16141afe31014ee5a26d446659ae5ae64a67728121b18eb6b7e904ae94ddd19cc3aaf088

  • SSDEEP

    6144:Mi1TzaLuFWa1lW6QNT1gC3B7n/4K51z2abHL/nDOYNHUbUQcDKbtavfw8a:t1TzaLulqgC3B7N50abHL/nDOYljQrbh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rst.bat" "
      2⤵
        PID:1936
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Explorer" /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe" /t REG_SZ
        2⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:5632
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net stop "Security Center"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\net.exe
          net stop "Security Center"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:6000
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            4⤵
              PID:5504
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c net stop SharedAccess
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:5768
          • C:\Windows\SysWOW64\net.exe
            net stop SharedAccess
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5500
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop SharedAccess
              4⤵
                PID:5508
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
            2⤵
              PID:5776
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3376
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
                3⤵
                • Modifies security service
                PID:5972
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:5340
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
                3⤵
                • Modifies security service
                PID:5872
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\copy.bat" "
              2⤵
              • Drops file in System32 directory
              PID:4408
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 C:\Windows\system32\PELoader.ocx /s
              2⤵
                PID:5904
              • C:\Windows\SysWOW64\cmd.exe
                cmd
                2⤵
                  PID:5536
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3084

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\PELoader.ocx
                  Filesize

                  28KB

                  MD5

                  5b19a2d3c7a1c97fcbac23d9c0661c0c

                  SHA1

                  34bff82bd1008e6bbc7afaaa48be6a977cbc7de7

                  SHA256

                  26387fa757f9d8a0e8532d330b5b3bbfee37c2df0125f43d458c36e95cab9a25

                  SHA512

                  b23fd7d09da6814351f3156f9bff0ed3fb7328f17324fb5ffc0483069d9f1187793f622fb92140fa4c9a9b308614c823783891247d50912bee28c794cbacc748

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\copy.bat
                  Filesize

                  90B

                  MD5

                  cfb653509db21d1f42180210a19477ac

                  SHA1

                  34ef6c12321929363aad04a802c709a07c6e075c

                  SHA256

                  9fd81e595efb9d9f949ba3a0360297a258d21c74a6fcb676b4ed7ecb42e5c0c2

                  SHA512

                  a37b46519e41a38799b8742a629bc9d51614b696984792c75e4a4db091f79a8206caaf7bbdb1fdc9f86592e6b3cca4228346e477244d4bccf17fbc9113dfc06f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\file.rst
                  Filesize

                  280KB

                  MD5

                  16d143711c1d631e3034c279d6a5cb88

                  SHA1

                  fb931528d88d8e4107c5bdda1125c00a341d5656

                  SHA256

                  0359fe210e864779b977a9b12ad000fa0cbaa97ea4c8e12af197ba0a30303b58

                  SHA512

                  1824afc66ab91756d995a39acb32a8392cc59b79968fa897a750046f16141afe31014ee5a26d446659ae5ae64a67728121b18eb6b7e904ae94ddd19cc3aaf088

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\rst.bat
                  Filesize

                  280B

                  MD5

                  0df18a68e203268750eea8f099deac66

                  SHA1

                  ce8c8edcb67dde60f239705b2c0315a30fb65fc9

                  SHA256

                  87093bdce5668ba3a3e01083229df751c311c457cddb3eab7169f3ceac0b187c

                  SHA512

                  dec1faae69be706874e04b8ef10ead52d63ada3e693dcff87a9855b9fa18fd3dd16f1133b6498ddfb0fb05c1dd5e0d5ff7f50f1639956ceea7a46a0b096eaa5f

                  Download Submit