Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/07/2024, 03:57 UTC

General

  • Target

    27553ffd7483441113a8846c1d412cfb_JaffaCakes118.exe

  • Size

    830KB

  • MD5

    27553ffd7483441113a8846c1d412cfb

  • SHA1

    80217e6c2519e79f159815afca3abc45157de162

  • SHA256

    7845baea0ad22217e025fbe279cfba5ec9457407167b5106aaf6c46cab8dd5b1

  • SHA512

    595987f3ea505eab071f0ab5515a3fe7d728efaa58b1992b8fc60c46de3d90327702bc52cf7329219efea2492d60b896d17c7e2a331684393d5bf1f5bba52528

  • SSDEEP

    24576:ZxgrMRWjiOPEJYLUfZe/6z1QvbxNCjdmL3ctj:ZxqUAiULUf8/6z1EYjdmIt

Malware Config

Signatures

  • UAC bypass 3 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27553ffd7483441113a8846c1d412cfb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27553ffd7483441113a8846c1d412cfb_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3220
    • C:\Windows\SysWOW64\WerFaultSec.exe
      C:\Windows\System32\WerFaultSec.exe -i
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      2⤵
        PID:4100
    • C:\Windows\SysWOW64\WerFaultSec.exe
      C:\Windows\SysWOW64\WerFaultSec.exe
      1⤵
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:1536

    Network

    • 103.1.250.236:8080
      WerFaultSec.exe
      260 B
      5
    • 103.1.250.236:8080
      WerFaultSec.exe
      260 B
      5

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

      Filesize

      305B

      MD5

      add878125bb72c55c7dbb357394789fc

      SHA1

      eb23082a2b3dad2a68e670e8a41a3aae71de2847

      SHA256

      de77adeac71f6efbf52cbca4f83bda1fef0e9b5dc650d6bc32f5214030149538

      SHA512

      bef479d19784103a21352b4077c2f006acc926ae66b86959331a3d250dc7dbc4e6f48802518004c3e75d19c4bbf45299c3eec19ec066fc5cea09a4643de4da15

    • C:\Windows\SysWOW64\WerFaultSec.exe

      Filesize

      689KB

      MD5

      a90a0d930d55b075559ee03cd90e0ddf

      SHA1

      e394d77239fbc7aa54f365348968770609c2c1bf

      SHA256

      2e6d10dffcc5ab3019eab3a30dde526bb2b72dee5e9463d7f592d696b93e41b8

      SHA512

      5dab61992d9fb677a6ef76b1c5ce7d8f855a0490919305fe25d99bc3f1d56bb177893dd94dadee1a2ee1a2c456de08fdcab0827f20d76c0dfc30ecc2d29887d2

    • memory/1536-7-0x00000000002F0000-0x0000000000437000-memory.dmp

      Filesize

      1.3MB

    • memory/1536-14-0x0000000075730000-0x0000000075731000-memory.dmp

      Filesize

      4KB

    • memory/1536-15-0x00000000002F0000-0x0000000000437000-memory.dmp

      Filesize

      1.3MB

    • memory/3220-2-0x0000000000D90000-0x0000000000F19000-memory.dmp

      Filesize

      1.5MB

    • memory/3220-11-0x0000000000D90000-0x0000000000F19000-memory.dmp

      Filesize

      1.5MB

    • memory/3376-5-0x00000000002F0000-0x0000000000437000-memory.dmp

      Filesize

      1.3MB

    • memory/3376-13-0x00000000002F0000-0x0000000000437000-memory.dmp

      Filesize

      1.3MB