Overview

overview

10

Static

static

10

1a70e1e36e...18.exe

windows7-x64

8

1a70e1e36e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe

  • Size

    95KB

  • MD5

    1a70e1e36e6afa454f6457140ac3d2ec

  • SHA1

    853c94da9a70900281a4345dab7c43812a467609

  • SHA256

    4d3a0ba910024c6ca1ca9e915eb43fff7f9610406105750383f716069e7dfb91

  • SHA512

    7ed173915292f8986cedfc4111ae644be0b497ba2d9e57a31d90699c5d8843b09646a94788f9644ddb732dc5ec6d6ee747e2de1fc4b0e852a64428d4398f1413

  • SSDEEP

    1536:yL6aduLanddV3DKTNKmeQAaswB18GF7ECWYevGwyvHYBAwnW4i9:yLFdPyjAaswzjVFOBA3

Score
8/10
persistence

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c temp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
        3⤵
        • Server Software Component: Terminal Services DLL
        PID:4564
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      2⤵
      • Gathers network information
      PID:3524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.bat
    Filesize

    211B

    MD5

    dde99ab936da8cbda74ea779ef0b2e67

    SHA1

    1e27e432e0b7c81b990b92595daebdf0539efea4

    SHA256

    ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80

    SHA512

    62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437

    Download Submit

  • C:\Windows\SysWOW64\svchost.log
    Filesize

    605B

    MD5

    f3227521c45d4e6fbeff684a2466a5e3

    SHA1

    674707d204fd3cc410da70687931c8d95ee0f04a

    SHA256

    f72c06e5532bcd54ee8fc497543028bee41f89b5da4a6450525ace25e7554b8a

    SHA512

    775f3b8d2f0c12cc060ca318ee703968d5278d6ea300983cb57c6a967da6b00c6e97892ad43b127731132d160e2b147a264b2d6af6ac44b7dd4efff26ea64ba8

    Download Submit

  • C:\Windows\SysWOW64\system_t.dll
    Filesize

    1KB

    MD5

    2c924d2cbe0cb452708267e71688e166

    SHA1

    5967f9b11d0c210a25acaed0db356cf956917b63

    SHA256

    f28922f4f2cc5e08d42636611b802b15f04deb97b6619b936a25309540e211af

    SHA512

    0ee61cb196486f34363a6030ddc0558c543a48a32cf4b6f77207f764f38a5fff8a6d2f16fdada1a5aa52a4b215db75af33208e70838f0735ce293ed2bd1c8ab1

    Download Submit

  • C:\Windows\SysWOW64\system_t.dll
    Filesize

    495B

    MD5

    70eac4020cb5284dd535e21b4e702253

    SHA1

    2345ead46aa9185a3e16ece92f0371ff6ddb8df6

    SHA256

    a7c4ee29e115f592f030b3d27b2092133620145c8a21f1cfbb099428fc16cd2b

    SHA512

    0edf891d1d43f2801e69cc4b114f6b36f71e9d7c06f284b731cc8b863e80cce663f9a739641b410edf98445433e4ec141cec7cd3cf42cd6e94411f4e56ddb88b

    Download Submit

  • C:\Windows\SysWOW64\system_t.dll
    Filesize

    747B

    MD5

    1c18b11ace3e227bdce55b70e0bb6607

    SHA1

    09ce8dc28f3d0d92b197d015a6512bc2e824917d

    SHA256

    f91817f3efa29cc04eea0bbc2b3378f1d7f91744491d803b0fa991ee2687e8ff

    SHA512

    4afb972072adb5d6a552144239f883bd7917c31183a0b93fc85b45404211da01576ff341f36dcc975633d397fd8210a97d2b9bb35c7606f3a010e47bf8e38360

    Download Submit

  • C:\Windows\System\config_t.dat
    Filesize

    138B

    MD5

    ada008f2bbc8bf17b0a0287a289c688a

    SHA1

    61b609261c81c511aff48b9cd24ee1307c225a56

    SHA256

    97a7d664f16b924996af78d2ea84f336d8395c8db5829761ad02bf223e88f689

    SHA512

    08bf0e452c3182a18f427ba861a641922a17a7f7ac2b21b2d04af2e496ab5afacd5c6f44c685b0cf3ca9ed471434af2536a3ce1d13c48eed427368b0de388ffb

    Download Submit

  • C:\Windows\system\config_t.dat
    Filesize

    182B

    MD5

    ea72bea48bcb1dcad5a66609b5a1e81e

    SHA1

    f14a1bfe3d208c3d9d617484b122c779d50a10a6

    SHA256

    ec3eba5f4e5d72cf0bb6697a6eacc9f73a0eb0e89f0d9e498f48007689c46fb6

    SHA512

    255e0dae11114231a78773354fe9edbe2fa357fb47d2a5e11d1eec96655ee124356841929d3a27faf9f53bcd140bc855ebe88d8b53289c7cafe7dcc77a49c033

    Download Submit

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
    Filesize

    45KB

    MD5

    452660884ebe3e88ddabe2b340113c8a

    SHA1

    b80d436afcf2f0493f2317ff1a38c9ba329f24b1

    SHA256

    ed6ad64dad85fe11f3cc786c8de1f5b239115b94e30420860f02e820ffc53924

    SHA512

    11c0bc211da6e083015d98cde3c34ce7f36fb492a9859936b1294e730f420f6ac8a68ceacb4367977d930b26ee8f99a0fd08eba59b895de23ac3b4d32ddfaa1c

    Download Submit