Overview

overview

10

Static

static

3

1834f4a674...18.exe

windows7-x64

10

1834f4a674...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1834f4a674f575c2f1fd5b8794b49f69_JaffaCakes118.exe

  • Size

    78KB

  • MD5

    1834f4a674f575c2f1fd5b8794b49f69

  • SHA1

    ecb4122e1b48d88d8cdaf70bba1c4598741c4b3b

  • SHA256

    d6770f616e4fac15397b905fa174deaf6a09803a28553c214fcdd4a9fc6303c7

  • SHA512

    b8b69836b1bf4573232ce85092118474d312258f1daab651c36dfbe7dadb509aea279ddc3a76e75d480125e9b4eb0043d9341cdeb0fce11079d5c5da9857a25c

  • SSDEEP

    1536:8Fa5WBIAXkzOtVFnwhzPxVnekJsCZAPBcQAiUBe:8s5taVFU3nlTmPBcQAiUBe

Score
10/10
evasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1834f4a674f575c2f1fd5b8794b49f69_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1834f4a674f575c2f1fd5b8794b49f69_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\file1.exe
      C:\file1.exe
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:228
      • C:\Windows\Msnsnger.exe
        "C:\Windows\Msnsnger.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\file1.exe
    Filesize

    56KB

    MD5

    b031dfdfd97a07c38cd1a08e344eafd5

    SHA1

    8adc9143176bed9844d4089c6a2e5cc8d126112e

    SHA256

    3ac8a0afb801ddd9e0b1bb3689bc24606ac09a7e000c3ba7cf35931904cb9f07

    SHA512

    4f2b7ddb824beb457c732dc456dc79934e72a8e727df592620765c5f48cac6004d6eb289e96d13e7370af4199f7e6707a9605fc1bc6fd252605598e3724f3259

    Download Submit

  • memory/2264-9-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download