Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 18:47

General

  • Target

    171cbefc4179440572eb137b65db294e_JaffaCakes118.exe

  • Size

    137KB

  • MD5

    171cbefc4179440572eb137b65db294e

  • SHA1

    d6810733d3a576aa83d059f67716f4033778b73e

  • SHA256

    c08556d3e92cb3ce9146679255bf971c3e6289f59773a0b9fc6135459aad63ec

  • SHA512

    aeab5f7478593559a19fac99f1914be58962007fcf4dd682aa6acecb6f3e3c34ab2f3956779fa9d15e529f4f9382c9911b15426e6b814af146e05520d52c4cb7

  • SSDEEP

    1536:e4m5hdG78SadgsB6qAVmO1IrScroNmf97wNyic2fkf1a4HaBRr9wzdggaWL:eFk7xGgs8q9jf97y7c2fVYaBRBmgg

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\171cbefc4179440572eb137b65db294e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\171cbefc4179440572eb137b65db294e_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" import C:\Windows\323.mp3
      2⤵
        PID:1188
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" config PolicyAgent start= auto
        2⤵
        • Launches sc.exe
        PID:2528
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" stop PolicyAgent
        2⤵
        • Launches sc.exe
        PID:2652
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" start PolicyAgent
        2⤵
        • Launches sc.exe
        PID:2564
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" stop PolicyAgent
        2⤵
        • Launches sc.exe
        PID:2424
      • C:\Users\Admin\AppData\Local\Temp\259447945cba.exe
        "C:\Users\Admin\AppData\Local\Temp\259447945cba.exe"
        2⤵
        • Executes dropped EXE
        PID:264
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\323.mp3

      Filesize

      56KB

      MD5

      bc8025bc98da7f4ed891c9f9991d3ff1

      SHA1

      70a69a7fcebe9b43f00a1fa713e3a0621bf3ac6d

      SHA256

      59b9dc39d69f8b0aa350f550e42e632b396237865776d0ce75477f8fe3f9016f

      SHA512

      7f772261e003d2df9162ae4aeaab2bda674ee2721b3300cc8b2a2f4904af6bc9c565c7f2c3e67a7394eb1a387860a2544fc5bdc3e6de384b664f8d232ad6acf5

    • \PROGRA~1\Len0v0\One.dll

      Filesize

      10KB

      MD5

      b0e097256838fb16f979918102d13bb3

      SHA1

      1715a838b2b7e4f36424f06e16b543165d3d1792

      SHA256

      e2aa94cb988562c24f261927c1dfcd8e5139f570115abb6ef8f1cce37cc2a4e1

      SHA512

      82a7c493737e79277027132ebb6cba39a9cf7d488dad3e768fd10074eabc9454dd977a3e8a6882ddaf4b46c558d48f2a14f399a63ae8c824bf245efe1c322495

    • \Users\Admin\AppData\Local\Temp\259447945cba.exe

      Filesize

      15KB

      MD5

      6305c392101fc885092d409b5ee49595

      SHA1

      40d7099d7cf129df398766399fd9b6f5de54b5b2

      SHA256

      75c1230d1c81b01785fac864f909a8a2a358b06b77853136520cce095e0add2e

      SHA512

      48f4c611d6ef831f62b0ae92cd81244f2b6bb0efd348b72a590c19322c2e35c1c933cf624d783b01728206e5cf32e85191eccf51d6b3969974577597f345bc9b

    • \Windows\SysWOW64\kdnfdb.dll

      Filesize

      16KB

      MD5

      add4832059173fcdb135d949194ad52b

      SHA1

      33f1dfd83e76e0897bd134d380fd56431a7cde6b

      SHA256

      2f9b075862a8509928a48c20bd988215c4f754d2ee3171cf15320ffe6f77f957

      SHA512

      ac04e7ec33592423a85dbcd0aa7a40e5e63671ad712101f007db8551be49b407c508e17d80fd3dcdece2a9d0a8cf9980aae5aa76e8452af73485fd62f31ad0d5

    • memory/1704-0-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/1704-9-0x0000000010000000-0x0000000010005000-memory.dmp

      Filesize

      20KB

    • memory/1704-18-0x0000000002650000-0x0000000002656000-memory.dmp

      Filesize

      24KB

    • memory/1704-19-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/1704-32-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/1704-34-0x0000000002650000-0x0000000002656000-memory.dmp

      Filesize

      24KB