Overview

overview

8

Static

static

3

23c493ab28...18.exe

windows7-x64

8

23c493ab28...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23c493ab28e1bdb0502fb1533ebbb3a7_JaffaCakes118.exe

  • Size

    350KB

  • MD5

    23c493ab28e1bdb0502fb1533ebbb3a7

  • SHA1

    51d84fa61b3ec7fecce693b8d7d665ffe2578178

  • SHA256

    a760e30220f02f3a75a638403433a35c38d59cf8ffc4d3beb6fccc94974c0f4d

  • SHA512

    b7e3e4fa61800eceb6acafaec5b69704b0998074a471e8123f210fb2aa64a0a9cfd9ca9c931adeea2e735ebc891ab5ee9951434184055b0d0ad024f7951fb9a3

  • SSDEEP

    6144:lR6VWA3ZOEBlhuj1KAtaFnY0MIq0rJjQ+IG3unvrlJcsS7VZI9d9hyjr:/6VWNcxFYxIq2ZIK+vrlJcd77n

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:256
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
        PID:332
      • C:\Windows\system32\wininit.exe
        wininit.exe
        1⤵
          PID:380
          • C:\Windows\system32\services.exe
            C:\Windows\system32\services.exe
            2⤵
              PID:472
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch
                3⤵
                  PID:608
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    4⤵
                      PID:2484
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k RPCSS
                    3⤵
                      PID:692
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                      3⤵
                        PID:768
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                        3⤵
                          PID:828
                          • C:\Windows\system32\Dwm.exe
                            "C:\Windows\system32\Dwm.exe"
                            4⤵
                              PID:1168
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs
                            3⤵
                              PID:856
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              3⤵
                                PID:976
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k NetworkService
                                3⤵
                                  PID:284
                                • C:\Windows\System32\spoolsv.exe
                                  C:\Windows\System32\spoolsv.exe
                                  3⤵
                                    PID:552
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    3⤵
                                      PID:1056
                                    • C:\Windows\system32\taskhost.exe
                                      "taskhost.exe"
                                      3⤵
                                        PID:1112
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                        3⤵
                                          PID:2940
                                        • C:\Windows\system32\sppsvc.exe
                                          C:\Windows\system32\sppsvc.exe
                                          3⤵
                                            PID:1568
                                          • C:\Windows\G_Server.exe
                                            C:\Windows\G_Server.exe
                                            3⤵
                                            • Executes dropped EXE
                                            PID:2784
                                            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                              4⤵
                                                PID:2828
                                          • C:\Windows\system32\lsass.exe
                                            C:\Windows\system32\lsass.exe
                                            2⤵
                                              PID:488
                                            • C:\Windows\system32\lsm.exe
                                              C:\Windows\system32\lsm.exe
                                              2⤵
                                                PID:496
                                            • C:\Windows\system32\csrss.exe
                                              %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                              1⤵
                                                PID:388
                                                • C:\Windows\system32\conhost.exe
                                                  \??\C:\Windows\system32\conhost.exe "-554049328802007548-1810836141-176129199720827212261559086776-836922318-1205926825"
                                                  2⤵
                                                    PID:2300
                                                • C:\Windows\system32\winlogon.exe
                                                  winlogon.exe
                                                  1⤵
                                                    PID:428
                                                  • C:\Windows\Explorer.EXE
                                                    C:\Windows\Explorer.EXE
                                                    1⤵
                                                      PID:1204
                                                      • C:\Users\Admin\AppData\Local\Temp\23c493ab28e1bdb0502fb1533ebbb3a7_JaffaCakes118.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\23c493ab28e1bdb0502fb1533ebbb3a7_JaffaCakes118.exe"
                                                        2⤵
                                                        • Sets service image path in registry
                                                        • Loads dropped DLL
                                                        • Drops file in Windows directory
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: LoadsDriver
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2188
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c C:\Windows\uninstal.bat
                                                          3⤵
                                                          • Deletes itself
                                                          • Loads dropped DLL
                                                          PID:2760

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Windows\G_Server.exe
                                                      Filesize

                                                      350KB

                                                      MD5

                                                      23c493ab28e1bdb0502fb1533ebbb3a7

                                                      SHA1

                                                      51d84fa61b3ec7fecce693b8d7d665ffe2578178

                                                      SHA256

                                                      a760e30220f02f3a75a638403433a35c38d59cf8ffc4d3beb6fccc94974c0f4d

                                                      SHA512

                                                      b7e3e4fa61800eceb6acafaec5b69704b0998074a471e8123f210fb2aa64a0a9cfd9ca9c931adeea2e735ebc891ab5ee9951434184055b0d0ad024f7951fb9a3

                                                      Download Submit

                                                    • C:\Windows\uninstal.bat
                                                      Filesize

                                                      218B

                                                      MD5

                                                      46d40c1b130d9560ddb84cd2abcd8a14

                                                      SHA1

                                                      915672abdb6326694cab40fd46d1c3916f5c2ca9

                                                      SHA256

                                                      02a0a0ea1d4b61414ce445a0f39db55491e9252ef718ad67df9c6b824506a373

                                                      SHA512

                                                      edd0856aed9538b612cef31de6253f137af98d76570902e0a17c08815e369bb5e58ea7b2963569428dcb10d2a86d57a0fb1cce454e8d474d7f1c4cb503bbdd52

                                                      Download Submit

                                                    • \Users\Admin\AppData\Local\Temp\JRKLYX.TMP
                                                      Filesize

                                                      17KB

                                                      MD5

                                                      55bca483834624d9d1235ba3ac43d8fd

                                                      SHA1

                                                      c3eb3baaa9863583f38cc7fce67e1914c1bd710f

                                                      SHA256

                                                      897c541e061f6c9a120ba8c711f2d7b96e1b588d70528412bdea9761fb02ceed

                                                      SHA512

                                                      e9aaeab71538d5782f3ec8c2ebea1ae8e8cd2e1a7986e26e62a448413a027e1bc5fcba92f93acb73b8555bf16c85c5631477367f9a90c55243a5a8e238deb8df

                                                      Download Submit

                                                    • \Users\Admin\AppData\Local\Temp\NJLDTW.TMP
                                                      Filesize

                                                      65KB

                                                      MD5

                                                      13f1364c10aaaa09a4f66059c2c8f859

                                                      SHA1

                                                      a05a28eba992e2e15e6b7184b48ba5017a3e4e32

                                                      SHA256

                                                      d9fc7f19c1204e634de4c44cf8bc78eb7bbc879c5c2b64649c72aa48c60fc436

                                                      SHA512

                                                      1f0da83575993d4f7036a474a2ec1b5e2a676225782d6c234515e732f7113cf72f600a2de3286f80e2a7ced4f6f9f71ba4f52f5380534891793112a93d635d3d

                                                      Download Submit

                                                    • \Users\Admin\AppData\Local\Temp\PJDMUL.TMP
                                                      Filesize

                                                      33KB

                                                      MD5

                                                      884d60a1209c2c16046d4e4c8f481698

                                                      SHA1

                                                      3bdaa577777cd70b744492010da99d74cc34e549

                                                      SHA256

                                                      5b1b9e753974893937869b01b3373ed34f5e8e1e046d909d33fa4756428c92e7

                                                      SHA512

                                                      edb70444ca24124012d4860d552e4eaa656f7cac81cf7e512ec8dacee0a97c883feaba65bdbab1792e294413bcf0c800a8b69fe7b62bb398f383815a576bd4e1

                                                      Download Submit

                                                    • memory/256-20-0x000000005F000000-0x000000005F001000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2188-0-0x0000000000400000-0x00000000004D2000-memory.dmp

                                                      Filesize

                                                      840KB

                                                      Download

                                                    • memory/2188-98-0x000000005F000000-0x000000005F001000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2188-2-0x00000000002E0000-0x00000000002E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2188-115-0x0000000000400000-0x00000000004D2000-memory.dmp

                                                      Filesize

                                                      840KB

                                                      Download

                                                    • memory/2784-106-0x0000000000400000-0x00000000004D2000-memory.dmp

                                                      Filesize

                                                      840KB

                                                      Download

                                                    • memory/2784-107-0x0000000000260000-0x0000000000261000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2784-110-0x0000000000400000-0x00000000004D2000-memory.dmp

                                                      Filesize

                                                      840KB

                                                      Download