Overview

overview

10

Static

static

3

25aae6ba9b...18.exe

windows7-x64

10

25aae6ba9b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25aae6ba9b88f8cb3d49fe0f78827fe8_JaffaCakes118.exe

  • Size

    86KB

  • MD5

    25aae6ba9b88f8cb3d49fe0f78827fe8

  • SHA1

    0164e22a977189ad02dfeeff0c346d3fceb5bae9

  • SHA256

    be13c234396cdf8735450786edb014517352e7896646c6639e05367f5abf9e29

  • SHA512

    7d43f8cd0e1a08add7651acf5fe14fd6e1c6573786cff2f1de081a6aa62a301ff3449e92ef8be640c22e744f1f6231bc02f574dfc8acfdb2af5b1848c621fdd7

  • SSDEEP

    1536:Za3+ddygX7y9v7Z+NoykJHBOAFRfBjG3EdoIX:w8dfX7y9DZ+N7eB+hIX

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25aae6ba9b88f8cb3d49fe0f78827fe8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\25aae6ba9b88f8cb3d49fe0f78827fe8_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2340
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4484
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3980
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1020
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:656
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:996
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3432
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1404
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2016
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2012
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\25aae6ba9b88f8cb3d49fe0f78827fe8_JaffaCakes118.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    86KB

    MD5

    522ffaf2918251f934653b5095a39977

    SHA1

    b26051fe3101d2dcb25911179af7001457972c5f

    SHA256

    daf346af2c8523e90eabe2275527669a1dfbef7a1b50a76e1f0b18423705508a

    SHA512

    bd5174c36a16c1c8adb0ef17fa6c7eb0dedc643da64510e73a66f9386a73ee92aef623ae5554456e66c2dd10b173360b5f0842ae31f6fd7db61ff63c925b50aa

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    86KB

    MD5

    4d9bb5fae8deb06ff8525afaeba3d1fe

    SHA1

    a5128d69d7ac3fd9f1188fdcbda6fc1b906212eb

    SHA256

    96c797abfc60fc8205ad8e5be6dc7bef51a45369c5f7beb93d483408e94b4788

    SHA512

    96966b6e3a3d002aebc173dcf8a34acc3c2f30d0f6a2ea9c83a897daa6601f3f0e5e1585c7073804b10022206e7f5c8a578a50148a21607562f0c1b2e84385c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    86KB

    MD5

    e78c78b539e46f12580bf310adf35a06

    SHA1

    a109b20c2a64cfa0b16c75bb25e7d45d673cc238

    SHA256

    97cb831ae79c0461abfa215b860c3374fa06c94959aaa183daee3cb7a206b9da

    SHA512

    72c9d6a9be1270677e7d77f5f6597e208084a92ac99975875d780ea7b9153006b9192c72911c1e01504c4546e658a91138cb1aee70b799c6b3fe5bca8bcdac9c

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    86KB

    MD5

    d4b6f5c9fe85290c50bde6aaeb9c8b79

    SHA1

    0e96f105ce3abc601557f80348fb139f3586a169

    SHA256

    24c79921755f753b224cbcb5aed3713addcf308b13bc0d98686eed8c0d13ed0d

    SHA512

    56fdc71e2d8323d98adc2eed53e3b2f3a70c303148d1472797958d81b3011f438e973fa9d35a79173ea58e430ef4d65578f9dff70ff812881200a3d4b4b2bcef

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    86KB

    MD5

    e7dfcae24ad55f2386f46463b1b94954

    SHA1

    a2b3e57968de1d0a5839b7389299f22117081a49

    SHA256

    8e25b301825618c606cce26279c616dbc4042571cfdcbdd3bed8767cb73eb6c2

    SHA512

    24f62acb4e59f3df35566a15c61d7a464212f50f56203688947a4e89684feadf5173e9d0a8235c363e85ecfdde7d83c5bd4b2249c8fe6b0c4cf69af649d9a494

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    86KB

    MD5

    e88413e67964cfdafb7e4e43c6953064

    SHA1

    0cb13aaf206bf551cce20121b43804f6951d7edf

    SHA256

    9d041915b206434c119df67a30e7f51ecfb7d297ea56ac3f2a093f6363188f94

    SHA512

    b17e1e7358c65cfb3f9775944ed7582560f28d2a16fd9f44b33fa7b0f136f92b1c455f13783deb88678a267d1327fc3b961ad1e1ddaa90dbb607cc6a59e0e7fa

    Download Submit

  • memory/216-52-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/656-64-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/996-68-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1020-46-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1020-49-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1404-75-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2012-83-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2016-80-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2340-27-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2340-33-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2552-18-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3168-86-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-88-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-87-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-89-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-90-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-91-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-92-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-71-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3980-45-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4484-34-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4920-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4920-85-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download