Analysis

  • max time kernel: 147s
  • max time network: 117s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03/07/2024, 20:09

General

  • Target: 239918b0fbfe3c0533efeabe3ab38e80_JaffaCakes118.exe
  • Size: 110KB
  • MD5: 239918b0fbfe3c0533efeabe3ab38e80
  • SHA1: 2e4888fcc5e3f4d536e4408e4147c2b123b5c5f9
  • SHA256: 6dc67e911889b91fe2c5a58b719193b90b8f491997e1a89b58f06495d1908091
  • SHA512: 5fcafe79a57c0d6bce66bd95de8482749ae9ae198a2afc0302cb93e8a12dccc51f5fd468ae3adf3daec99c96782c110df3a82f2bb30dbe031c72c89632db68ad
  • SSDEEP: 1536:33KwIU4VH7qfUKU5nY2RduEw5miXdOxBguYm4goGHxyBw8JG3d0o7cLy1eK/y+7H:ZIUKZE2buEwAOYxBGndGHxd/Hx1zaoB

Score
8/10

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Deletes itself (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Drops file in System32 directory (7 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies Internet Explorer settings (1 TTPs, 16 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\239918b0fbfe3c0533efeabe3ab38e80_JaffaCakes118.exe (PID 4376)
    Command line: "C:\Users\Admin\AppData\Local\Temp\239918b0fbfe3c0533efeabe3ab38e80_JaffaCakes118.exe"
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\inf\svchosts.exe (PID 2428)
      Command line: "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080524.dll tanlt88
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 1108)
        Command line: "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        • Suspicious use of WriteProcessMemory
        • C:\Windows\system\sgcxcxxaspf080524.exe (PID 4128)
          Command line: "C:\Windows\system\sgcxcxxaspf080524.exe" i
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1352)
            Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1740)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:17410 /prefetch:2
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\inf\svchosts.exe (60KB)
    MD5: 889b99c52a60dd49227c5e485a016679
    SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
    SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
    SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\SysWOW64\lwfdfia16_080524.dll (30KB)
    MD5: 513706bb78cc32b4b66f990f7f8bfb7c
    SHA1: d4cd418910d6836fda76b98ae05a4a50cdc3486a
    SHA256: d50abd3c754ecff4f6ead59a9ce8a9eeef4e98b74085c1d12d04dc5f46f13ff8
    SHA512: a95c2a77d2feddef52393f07c092ee13c8938a67f52cafbd580a78fc403f6edcb79837022a583facace06f78d0d1c99634ae4da8f849bb9bd7d154fd0cce3205

  • C:\Windows\SysWOW64\mdbbccasys32_080524.dll (219KB)
    MD5: ed7669743669bea3e93673bde0dc6e77
    SHA1: 993cb45adf0d7d02c938e4de1e790e97f0328156
    SHA256: 2334fe36f6f25b463497b50ce2d17e2c5660f114cd84ff8db43923c990445f9a
    SHA512: 9e41b013b9da82fc7d8ddc38744d2f4b90c41b2ca56e892688053441833005c71fbc1f3d849e84c577920c9ab8d4bd18318587279c6b9b8c2ab1fed434a358a6

  • C:\Windows\System\sgcxcxxaspf080524.exe (110KB)
    MD5: 239918b0fbfe3c0533efeabe3ab38e80
    SHA1: 2e4888fcc5e3f4d536e4408e4147c2b123b5c5f9
    SHA256: 6dc67e911889b91fe2c5a58b719193b90b8f491997e1a89b58f06495d1908091
    SHA512: 5fcafe79a57c0d6bce66bd95de8482749ae9ae198a2afc0302cb93e8a12dccc51f5fd468ae3adf3daec99c96782c110df3a82f2bb30dbe031c72c89632db68ad

  • C:\Windows\pwisys.ini (46B)
    MD5: ad050d7e1d59564c9d02540298eabb59
    SHA1: 84c271cca9dca7096b39afd0d11ea2b6d5a3f5b7
    SHA256: f7a66cdb82fbd033de93095a19cbd516378ce7e519e61be5a9a0f78770fb4f20
    SHA512: 3be127925bcd668a16fb654c17d61cf434317529c01466b2b1c6932f42370b2ebfe5bd4102343f807f4011ff15a506ab6a73e45149e4f62215959ffb56bfc8fc

  • C:\Windows\pwisys.ini (464B)
    MD5: e331b04e396f5d660139d913d382662c
    SHA1: f74b8255006ae8f630665ebed91c9808905b2439
    SHA256: 7ad31811c5a4a6798917e9956777bbf35611c9b4d6c82b7de1ae1c6d5c12b986
    SHA512: 14753b1f75b3ea2c7462cd0e6a86bba5ec49ac89595fddff05f7be097724722015c33d50decf02c596ab4ea9248b0de2c5e826d7db12998b9468576863af017a

  • C:\Windows\pwisys.ini (380B)
    MD5: 692018dc24b0ae2408d4a060b73ba028
    SHA1: 44a9d184c99dc777a36e5b302688e5e18c03851d
    SHA256: a3af1d7ff5be26ce9da2d98945e3d75f33735763d83031cfc48e74289fca6bd8
    SHA512: bc6d707ed081e9385ecf65eaa15318fc24c58682bf95d71f366306fea1482c5425cd173b292c17bf024b9fe396dbe8a4f3a9ea07f580fffe2b7784fd7bf3166d

  • C:\Windows\pwisys.ini (408B)
    MD5: 3dea3d3e2ffbb453b20c4575693abb35
    SHA1: 84347a27a694c3a95473b1815a2f867b20d4cc0c
    SHA256: a9128b743e854e677fcde0835e14bd69f9c77ac556d9c115d15a540d18de1aec
    SHA512: f107b6fdb4342713c3bb8fabaa33a79b415483667f7be933408f5612972305b587bf40f43d594d02b1d653248164009ab3ac54cd52464a0591cdbc40168cd4ce

  • C:\Windows\pwisys.ini (414B)
    MD5: fd083048a8cec89d237918e92f96784e
    SHA1: 104b23a9943cd2f74eabd5e8df0628d246c3857f
    SHA256: 1513fedb387080f469c025922c6b2b2e9c8a06069b56faa311e899d6ebb1b755
    SHA512: ce6ebc8a60fee5562f2e8f82123af849520e082bdd788f0ea6d132dfa4d60ddde417dab60134ed9d5065936e6ef9cb25cf09e89901acb2cd16e9f4bdde03a12d

  • C:\Windows\pwisys.ini (447B)
    MD5: 675bd5b520aaa08937d253dc723aeb5b
    SHA1: 504c830583b1578a21d5e3c2d471a5153e31b5a7
    SHA256: 4f31953ecc05911304a0066704ac809af295be182ecba756581d57658d86e223
    SHA512: 04943b51f2172218b7516c186035fe5fd8cf56499f3840bad8fa94aabd8f542abd18cd811d0efbcd4692b5cde4871df1e4e97cb59443798db904a23f22d7c560

  • C:\Windows\pwisys.ini (474B)
    MD5: 02658167ada7375cf9d5b2a77a02928e
    SHA1: 1fef7d24d781f27daf514fa9d3dbf05d4a0da3e4
    SHA256: 7abfe30394716269903b3315878fdf72a21fc9b5e83bdc38248bb68f16347c76
    SHA512: bac080aebd638f96349798bbf83d00e7a5b8407e2e28a277f78f89b5ae87a922fb2ecf211cb0180c13ad59da91490fc14cfa01019120de42ab8027bbb9b2cd44

  • \??\c:\mylstecj.bat (53B)
    MD5: eb2f5dc6301407527c05e3d4353b0f0c
    SHA1: bc555d826341ab4b5b4704e3276e195325317b6d
    SHA256: d5348c5dcb991966a942758a8234ab6445c4a687d347095b1382b4fa1f2f534c
    SHA512: 5c58e5f8c97394350d3da6607792707716cd2dc7196eabdd18a6172f572a0722a08d042ed2d1846dc212cdf085724ef4f28e7786c12e8c2347b1b30c0794624d

  • memory/2428-67-0x00000000001F0000-0x00000000001FE000-memory.dmp (56KB)
  • memory/2428-56-0x00000000001F0000-0x00000000001FE000-memory.dmp (56KB)
  • memory/2428-88-0x00000000001F0000-0x00000000001FE000-memory.dmp (56KB)
  • memory/2428-96-0x00000000001F0000-0x00000000001FE000-memory.dmp (56KB)
  • memory/2428-97-0x00000000001F0000-0x00000000001FE000-memory.dmp (56KB)