Overview

overview

8

Static

static

3

21012d62a8...18.exe

windows7-x64

8

21012d62a8...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 03:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21012d62a838dc37a068999ad1952716_JaffaCakes118.exe

  • Size

    540KB

  • MD5

    21012d62a838dc37a068999ad1952716

  • SHA1

    5b61cffdb878029d871940e2147c39ed3326ba57

  • SHA256

    5092d179585b593f0dde154d9a2faea4e6fd12eb387bc37255db97be7eca6ff6

  • SHA512

    f49a2b60cd519a50169407562d3391ea307fae923bb7f71356cb02975c212c88c73ea90a546b1e739c840e2ffb87199abb246c6359e027e7fa4fb950e2a4ba67

  • SSDEEP

    6144:JQp+JFxjMwfEDLHlH7vUONYAVa+1a4KxTvb:Ji+PxTfEDLFbv9zb1aBxTvb

Score
8/10
evasionexecutionpersistence

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 5 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

    persistence
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21012d62a838dc37a068999ad1952716_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\21012d62a838dc37a068999ad1952716_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\496_496.exe
      "C:\496_496.exe"
      2⤵
      • Executes dropped EXE
      • Boot or Logon Autostart Execution: Time Providers
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\windows\SysWOW64\rundll32.exe
        C:\windows\system32\rundll32.exe C:\TDDOWN~1\\KA6hW.8 itf2
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2712
      • C:\Windows\SysWOW64\sc.exe
        sc stop w32time
        3⤵
        • Launches sc.exe
        PID:2636
      • C:\Windows\SysWOW64\sc.exe
        sc config w32time start= auto
        3⤵
        • Launches sc.exe
        PID:2648
      • C:\Windows\SysWOW64\net.exe
        net start w32time
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start w32time
          4⤵
            PID:2600
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\game.jpg
      Filesize

      19KB

      MD5

      fefdd837a01e4a4e8768438bd617da05

      SHA1

      8f1faeaa9a86502eae9f6e1919efff1afffa53eb

      SHA256

      b20284b3d71bcf4f66b85ecd24c8e5fd3c91d6a1e9fec0b4c6929b84e6be3a89

      SHA512

      7d51087cd1cda4c850c8615f29a0ab79b2778889b2caa9b6f257d242d94d1c0a477dffe8df4023a25f474317e2f0102192631890f9d1a0c61135fe11954ca89d

      Download Submit

    • \TDDOWN~1\KA6hW.8
      Filesize

      157KB

      MD5

      43c7e1812a546ea9914e19c7fd606798

      SHA1

      fdfb3e8a52ee07f3fbe0822478f6b8b83705ab1c

      SHA256

      fca9cd165bd9123a09e0f66bd1f28c494080503c68ec50b4364a9ae483af28c9

      SHA512

      e81083675e6d5d70a033b5e941b98df4afa1c33eb51145ce9d971d7080e3d8210a62139e16991ba07f21c8866b5767c6410a4d886d7fea564de2576a3d408a2a

      Download Submit

    • memory/1440-1-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1440-15-0x0000000002FB0000-0x00000000083FA000-memory.dmp

      Filesize

      84.3MB

      Download

    • memory/1880-2-0x0000000000120000-0x0000000000122000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1880-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1880-22-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download