Analysis

  • max time kernel
    23s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/07/2024, 16:01

General

  • Target

    31092a371a630466d62b52c18f4e074e_JaffaCakes118.exe

  • Size

    3.3MB

  • MD5

    31092a371a630466d62b52c18f4e074e

  • SHA1

    d2a2929c9e1860291bf912aaa2d88d5e15761c06

  • SHA256

    7d909295d274b959148f457d191b1fccd435716205863a68767fca4992475294

  • SHA512

    4543dff57f73fa022db61e385212be3002926bdce43d25f03396ea5250a572553f5695a3707e6dabb9a4d9c0dac9c3b68d351815ee7d5bfaa29805b69663a128

  • SSDEEP

    49152:DXPopeICUoUpYXN595m2nuwJ9/I4kmLlq6EPKwmhxMyfOsu49v4WGBkjPAQN7L5e:fmgP/

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31092a371a630466d62b52c18f4e074e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31092a371a630466d62b52c18f4e074e_JaffaCakes118.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\REG.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:2360
    • C:\Windows\SysWOW64\netsh.exe
      "netsh.exe" firewall set opmode disable
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2920
    • C:\Users\Admin\AppData\Roaming\rPE.exe
      "C:\Users\Admin\AppData\Roaming\rPE.exe"
      2⤵
      • Executes dropped EXE
      PID:2688
    • C:\WINDOWS\NOTEPAD.EXE
      C:\WINDOWS\NOTEPAD.EXE
      2⤵
      PID:2716

Network

MITRE ATT&CK Enterprise v15


Downloads

    • \Users\Admin\AppData\Roaming\rPE.exe

      Filesize

      2.1MB

      MD5

      97bdef637c1365cc4335361dfc39c135

      SHA1

      cd3e3f3c3bb01d471e58dbc1f648fbcb6502c00b

      SHA256

      c8e9fc6bc73dd2650afa7ff60228139a3e5341e0649aeab015904116c43eb812

      SHA512

      e2d58538e63c2f1247f8d873c911af1976015d073c807dce258a7e79410f5a057bce5059eb8f9dbc1808f1cd6143d21f80725181a48df5612daa5c26d76b40b5

    • memory/2052-0-0x0000000074AD1000-0x0000000074AD2000-memory.dmp

      Filesize

      4KB

    • memory/2052-1-0x0000000074AD0000-0x000000007507B000-memory.dmp

      Filesize

      5.7MB

    • memory/2052-2-0x0000000074AD0000-0x000000007507B000-memory.dmp

      Filesize

      5.7MB

    • memory/2052-15-0x0000000074AD0000-0x000000007507B000-memory.dmp

      Filesize

      5.7MB

    • memory/2688-14-0x0000000000400000-0x000000000064B000-memory.dmp

      Filesize

      2.3MB