Analysis

  • max time kernel
    42s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 21:11

General

  • Target

    36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    36659bafc1f622de686564d9de426d2a

  • SHA1

    d21dede6834d6cf489b9271da92bc98d9e3e7212

  • SHA256

    140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76

  • SHA512

    020bc4047d99925fb7624e4c1857be610df577e63443b905befe9a6badf70f597da1925d64cdee7a136d59342ace17d59ad022b566c6048149ae8e3aaf159fd8

  • SSDEEP

    6144:1BxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:1Bxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • UAC bypass (3 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (12 IoCs)
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification (12 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • Adds Run key to start application (2 TTPs, 12 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Enumerates connected drives (3 TTPs, 44 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 2 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (47 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel (45 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
  • Suspicious use of SetWindowsHookEx (11 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)
  • System policy modification (1 TTP, 48 IoCs)
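
Most of the signatures above are registry changes, and a responder will want to read the same locations on a suspect host. The script below is an added example, not part of the report and not the sandbox's own detection logic: it reads the registry keys conventionally behind each signature name and prints anything that departs from the stock Windows 7 value, then lists every Run entry and every Image File Execution Options Debugger value for review. The signature-to-key mapping is an assumption drawn from the signature names; this page does not show the report's IoC detail, so a location the sample actually used may differ.

```powershell
# Added triage example; not part of the sandbox report or its vendor's tooling.
# Read-only. Run in an elevated PowerShell on the suspect host.
# Assumption: the signature -> registry location mapping below is the conventional
# one for these signature names; the report's own IoC detail is not on this page.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name      # $Name may be '(default)' for a key's default value
}

# Expect = stock Windows 7 value. A policy value that is absent is also clean.
$valueChecks = @(
    @{ Sig='Modifies WinLogon for persistence';               Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name='Shell';                Expect='explorer.exe' },
    @{ Sig='Modifies WinLogon for persistence';               Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name='Userinit';             Expect='C:\Windows\system32\userinit.exe,' },
    @{ Sig='Disables RegEdit via registry modification';      Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Expect=0 },
    @{ Sig='Disables Task Manager via registry modification'; Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr';       Expect=0 },
    @{ Sig='Disables cmd.exe use via registry modification';  Path='HKCU:\Software\Policies\Microsoft\Windows\System';                Name='DisableCMD';           Expect=0 },
    @{ Sig='UAC bypass / Checks whether UAC is enabled';      Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA';            Expect=1 },
    @{ Sig='Disables use of System Restore points';           Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';     Name='DisableSR';            Expect=0 },
    @{ Sig='Modifies system executable filetype association'; Path='Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';         Name='(default)';            Expect='"%1" %*' }
)
# Report-only values: the sample changes these, but the value alone is not diagnostic
# (HideFileExt=1 is also the Windows default), so print them for the analyst.
$reportOnly = @(
    @{ Sig='Modifies visibility of file extensions in Explorer'; Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt' },
    @{ Sig='Sets desktop wallpaper using registry';              Path='HKCU:\Control Panel\Desktop';                                      Name='Wallpaper' }
)

$findings = @()
foreach ($c in $valueChecks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    if ($null -ne $actual -and "$actual" -ne "$($c.Expect)") {
        $findings += [pscustomobject]@{ Signature=$c.Sig; Location="$($c.Path)\$($c.Name)"; Value="$actual" }
    }
}
foreach ($c in $reportOnly) {
    $findings += [pscustomobject]@{ Signature=$c.Sig; Location="$($c.Path)\$($c.Name)"; Value="$(Get-RegValue -Path $c.Path -Name $c.Name)" }
}

# Run keys: list every entry so the sample's own stands out. Both registry views on x64,
# because the report's dropped files live under SysWOW64 (32-bit process).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($prop in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath/... provider noise
        $findings += [pscustomobject]@{ Signature='Adds Run key to start application'; Location="$k\$($prop.Name)"; Value="$($prop.Value)" }
    }
}

# IFEO: a Debugger value redirects every launch of that image name to the named program.
$ifeoRoots = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Signature='Image File Execution Options Injection'; Location="$root\$($sub.PSChildName)\Debugger"; Value="$dbg" }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

HKCU: resolves to the account running the shell, so run this as the affected user, or load that user's NTUSER.DAT under HKU and point the HKCU paths there; an elevated prompt under a different admin account will show a clean HKCU while the victim profile is still locked out of regedit, taskmgr and cmd.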

Processes

  • C:\Users\Admin\AppData\Local\Temp\36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3032
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2024
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2388
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:964
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:268
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1756
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1744
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2496
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1900
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2488
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Aut0exec.bat

    Filesize

    323KB

    MD5

    cbea825e3b81e95f12a0687a61390df8

    SHA1

    d2976ab1289c540b176d5871098b34c041bf32cb

    SHA256

    c20f9e595569f57d774e5d3f5cec39228c2524e5ceeb38f880ed6adc132a4e5a

    SHA512

    78af85b91059e02357d73beffdea0d6a998b60671f4ee683ce4aa6433d4ad7ea2ad73819ca337911d8d9c32835c33eeb61404dac970ad1158ddeb97150843610

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    2bcdc47786b8061516a374d91229e021

    SHA1

    b792df88e8e32205600c81780aefddb57fdd067e

    SHA256

    264051b1df356a0597576cbe635b5543235cf9d860759c79834ddf2c4abd51e8

    SHA512

    7b33fe3b8cd13db3ae05a38e16592b45cfa85d86f51b277744c7116f88b156efa59e61fe2e7093623039ff8feb8760b192c1b9f06d93823bf96340ab93fdfce5

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    4506bf4b190605821996b5d8705ccabb

    SHA1

    7cba66227890af2de17c03114368c44d0b4ad0f3

    SHA256

    c486a2261089c793b3dd624a701cdc81ca4bf845a074b0d764146e7733ed5007

    SHA512

    6f5d2d89956123f80791a103a3259b321a07ed7be8845d93f3c31826f5cdcf77b1365510d806a5282d3dc997935a235e34f5a819a116f7c6699841450f525bbf

  • C:\JPG.ico

    Filesize

    2KB

    MD5

    62b7610403ea3ac4776df9eb93bf4ba4

    SHA1

    b4a6cd17516f8fba679f15eda654928dc44dc502

    SHA256

    b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

    SHA512

    fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    41410939d6d23749c1ea047f11ecf40d

    SHA1

    e3ff716c7d05445fb9bb9f41873901baad067d33

    SHA256

    547cdfa23cf1814581053c7bb85d14319b16b534ee41d7503eb3e6f511bb0440

    SHA512

    e0a2fcb39358db8fcbcd6da20882370272cf5cd95c1edc34c8375ab8c7a8f264e144546e790a12df526d29b423023bc784ab510cd0174d192ac5557658b8ae51

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    1e3986c7affc2ad8da1f36d2c6129fce

    SHA1

    8fbc0d1c6f4a825803f994fc837fe8542f2c3d57

    SHA256

    367a1cdf306ba98a7f0b79525f082ddde4cfff183c37a781fe0b909a7ef43f12

    SHA512

    41acb894d2f81da66a97650d279c45864815ab8b8291386933fb6ecbb75f7a987d65f9f36694cb07e2de48c1127debb06c1cef7436e0aac9792db752deea5441

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    1b9192c67035c0d99e7d5e5045e1ba19

    SHA1

    a223cd0860ee682e4da0d2907be9a6df006f3bef

    SHA256

    5892c5a9e1032162965df9793c14ef052278835902074417efe33eb383fafce2

    SHA512

    cc9298393de36710c859a49ac1edfff4e9bcf84327c102a2720de009c2e79f0a3650e157e8bda6a60c36f02a273347b535b7a0c640358361e323dd24f73a6e50

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    f39aac33f91f5472b923c6b15a6ca366

    SHA1

    2335c0c187309cba7091f4fba7753308a5aca92f

    SHA256

    698e37cd706077566b3eb8dbe3596e6b6b3c7d90a73510779a64287c7ca05a6f

    SHA512

    b2b3d67923915553a73f16c5a1107006d39856fab574623852e5ec4cc6da25a295214ea93dcb7e05bb1b01817ffd901a5e8ef686160c52acfccc9e76f729cdfc

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    433c57baa608728a1d4c418d3e8bc977

    SHA1

    f91ad67a74b2fe3c27d030a2b773698b01573777

    SHA256

    284ddde4f008eb92cb39ebb5af9baaa159bf4b989619b4b2bb465cd569c33d0b

    SHA512

    c305f032e85e6b829a19766cb78aef57570be49be0182e530c3db8a9e615a723d4b60ed6125a46b2eea1cf9cd04d10cf065465c052b582862f835be908c44b5b

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    d37bfeff2f7cefd9fc9fdead07b5228c

    SHA1

    187ac30e1cfb264efce44479f1d1dcf28a85a352

    SHA256

    d55141464ddcc00ff06349c9120417731c36c96f88a05ec5a23d5541d05bb427

    SHA512

    96f0cc4d3084ec88fd110f91ea6f7f51d20cdfa137fee3536a1fd9910de28b712051760a1c23d5006700ea47b0e07715c5440c820517f527d675d36cf17b1929

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    1b88ffcd90f03d9ece39704559823665

    SHA1

    7d648e63d6e38a691b04ad0945ba62f7585416e4

    SHA256

    413bd39a108d3003fcc1a19b6ad43b91a1b6f531acef75be753962d307a17045

    SHA512

    577c45764eedf52f343e3182e59094b020f23788669b0d24492d29dcaf397cae6700f62ab72edde87e545fcbb2aa94f3c6e99816f8a9c9c15e22c4c8cd7227ea

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    33279cf64e0b53986748ef946540f7b4

    SHA1

    28108809487679e5df703c1421cba4a0ed1acf96

    SHA256

    1a0595fe43c409d2e94f7d2f19c8b83aeb76d388bd4d2aaa84b5bb169ebe7bcd

    SHA512

    14cc79a07903ac14119463771edb996308e180a4045779e88a8749aef9ef90308a698cb92b22edd12e096067c1fb95ae9f2a4d74e416ee55901eb09b7c2beaa7

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    36659bafc1f622de686564d9de426d2a

    SHA1

    d21dede6834d6cf489b9271da92bc98d9e3e7212

    SHA256

    140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76

    SHA512

    020bc4047d99925fb7624e4c1857be610df577e63443b905befe9a6badf70f597da1925d64cdee7a136d59342ace17d59ad022b566c6048149ae8e3aaf159fd8

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    7945c934647a8ab4bcfc7b7e5da52d5d

    SHA1

    dd4d05427034b4da1a04044a32e39d2571fc945e

    SHA256

    34d143b36af0cd8b39006c5aa558a396c0af14c7de6719a11fdd92b5e57ee134

    SHA512

    af98fae9299b897dd997ff6b8f51379db5c3d4f3710f9b1b9d9ab5a552d071adf57f86048031117656db8775e827e4a827ddcff988aa2cb8cda60eea165d7965

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    cf3eb80b8d2cd1c0fa310fac82bc0ef4

    SHA1

    1f828d4e9b6cec1003df5ca2c298e4c30573a122

    SHA256

    e9aceed74eb0ab62dbff143044a2c85ee44c6085601d2428cf4928c2121fc113

    SHA512

    d6dec293b9800c60e5e1d6611e74123e7ef51bbcb5bfb054a0e91f1f6faba2cc48b5f0cdea70eaf60b8ef2e17b10303d95e01317ba5508081f9114221c160953

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    9ff1c483376cb914cd4841b7830006f0

    SHA1

    a485020b5dc5c8b8b09b3476c51d136ff88fa1ae

    SHA256

    2a464263cd08647804bcba8e64045a6f21264e87680ef189c84ff846645605d2

    SHA512

    d5b4206c829fee3ed80570652a9713a464fa7349d4b39890ebd2c39a3a0c7b91b8fe9f547035097549b97185da7309e90fde8bf143493d30405c894eb3c2901c

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    22282a1b04a86adbac6020bf0d450427

    SHA1

    d43e6a9738ec3f0026276f2b57b68785d09a98ba

    SHA256

    977cc3d657da5a068b75243e0640d1a4db902d67f44a76055820e7c31dffc421

    SHA512

    2f6298d75792baf5792683983217510ee49b0abd7d71b11f60399661215dcb1daa65b42b68558d8f8fbcf9872e3d1425929907b9823de027b90371eb2fce0f8f

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    4a16b057f7e401b7830fd5a1c3758e8b

    SHA1

    f0437544514dd7f396476635ebcd82760ef65138

    SHA256

    1584366645baacde9495ae1463687f817062417c12b47640c58f9feb8f088be5

    SHA512

    b79afcbd41c192a7315552f2feaaeb4738a9f3b520b27e95665500859d074c6eb618ad90f21c373a7b8fb4209b6bd06eacc0c11bb3766d13554c4e897f94a07b

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    be3c90b32d7eaae783436c1973a0106d

    SHA1

    65304ef09eea62e3bc5f96887b975c49e4ed2d4b

    SHA256

    df986aeb53fd24280ca8be37d134f744958cb0b52051e66550a55e8cb106b799

    SHA512

    c0ad4c55e28eec0c69c5b16ab129701d5e96cc2c70dce8771bd89fff49be567b7ec3f8e068a6187016bfc879b510803739d9866e4f1b153c0fefc2aa2196a8af

  • C:\Windows\SysWOW64\Shell32.com

    Filesize

    323KB

    MD5

    3d8a7ed27d95beb5ecd09d93799190d0

    SHA1

    49728516ef9545b64c9c82161dc4e027497a4748

    SHA256

    de4ac87a73a130d1e07ba1c1b72ccf08442e63f136a9ffcfa2e83f99de57a82b

    SHA512

    9abe830cde032e6f31241039519d1160af7c013bcc8602a5759eabf0fefc110292e1629b85a3f5dd5c5fd104c4a4d250179e64af87aebb300a516f1612943729

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    cf614558e5fc1b074f964897f5590b34

    SHA1

    49379dfb847024e67d4a6e4e5ccff0e87c45bc41

    SHA256

    9bf677465bf01fc11300a71272441b7a47748c490c2bf690fca684995fea1cd2

    SHA512

    22a1928a9059362e89966a6b88a9fc96750d0758d081fc617dd4ca80a7c829316844ec733bbdc502d4ae90b3d7fd4f9dcac7f4c627be13d1a1b4759f4d94a0fd

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

    Filesize

    323KB

    MD5

    2a33431cc320a1f4439efcb05b2688f8

    SHA1

    ad9e921d7facd3cfa2c9caabe57f25701e11a5dd

    SHA256

    cfe501958aa0e02118c9384c582011e76754738a663cc4326e548296a7d58df4

    SHA512

    8ce1ce3d0e67b44059e7735ae86ebe294436a8bc53c5fa15fcb16d484a565ad81ad96a4480de08abc7721598dbcb484a6e7460e3e04c4aef9c5190c520c19deb

  • memory/268-275-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/964-252-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1744-291-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1756-281-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3032-0-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB
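
The Downloads list above shows the same path written more than once with different hashes within this single run (Aut0exec.bat.tmp, Empty.pif.tmp, Windows_3D.scr.tmp, 4K51K4.exe.tmp, GoldenGhost.exe and GoldenGhost.exe.tmp, Kantuk.exe.tmp), every copy 323KB, and only one of the two GoldenGhost.exe copies hashing identically to the submitted sample. The hashes are therefore run-specific; a host sweep should key on path and size first and treat a hash match as confirmation rather than a requirement. The script below is an added example, not part of the report: it checks the dropped-file paths listed above and their .tmp staging names, looks for autorun.inf at the root of every fixed and removable volume (per the "Drops autorun.inf file" signature), and compares SHA256 against the report's values. It assumes PowerShell 4 or later (Get-FileHash), that %TEMP% and %ProgramData% resolve to the affected profile rather than the sandbox's Admin profile, and that the final names Empty.pif and Windows_3D.scr follow from their .tmp entries, which are the only ones the report lists.

```powershell
# Added sweep example; not part of the sandbox report. Read-only.
# Assumes PowerShell 4+ (Get-FileHash) and that %TEMP%/%ProgramData% resolve to the
# affected profile (the report's run used the sandbox 'Admin' profile).

# SHA256 values copied from the report's Downloads section for the final file names.
# The .tmp staging copies carry different hashes even within this one run, so they are
# left out except where the .tmp is the only entry for that name.
$knownSha256 = @(
    'c20f9e595569f57d774e5d3f5cec39228c2524e5ceeb38f880ed6adc132a4e5a',  # C:\Aut0exec.bat
    'b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29',  # C:\JPG.ico
    '284ddde4f008eb92cb39ebb5af9baaa159bf4b989619b4b2bb465cd569c33d0b',  # SysWOW64\4K51K4.exe
    '1a0595fe43c409d2e94f7d2f19c8b83aeb76d388bd4d2aaa84b5bb169ebe7bcd',  # SysWOW64\GoldenGhost.exe
    '140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76',  # SysWOW64\GoldenGhost.exe (== submitted sample)
    '977cc3d657da5a068b75243e0640d1a4db902d67f44a76055820e7c31dffc421',  # SysWOW64\Kantuk.exe
    'de4ac87a73a130d1e07ba1c1b72ccf08442e63f136a9ffcfa2e83f99de57a82b',  # SysWOW64\Shell32.com
    '2a464263cd08647804bcba8e64045a6f21264e87680ef189c84ff846645605d2',  # SysWOW64\K0L4B0R451.exe.tmp
    'cfe501958aa0e02118c9384c582011e76754738a663cc4326e548296a7d58df4'   # SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp
)

$sys = Join-Path $env:windir 'SysWOW64'   # 32-bit sample on x64 per the report; on a 32-bit host use System32
$paths = @(
    'C:\Aut0exec.bat',
    'C:\JPG.ico',
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif'),  # final name inferred from .tmp entry
    (Join-Path $env:TEMP 'Windows_3D.scr'),                                                  # final name inferred from .tmp entry
    (Join-Path $sys '4K51K4.exe'),
    (Join-Path $sys 'GoldenGhost.exe'),
    (Join-Path $sys 'K0L4B0R451.exe'),
    (Join-Path $sys 'Kantuk.exe'),
    (Join-Path $sys 'Shell32.com'),
    (Join-Path $sys '~A~m~B~u~R~a~D~u~L~\winlogon.exe')
)
# 'Drops autorun.inf file' + 'Enumerates connected drives': every removable (2) and fixed (3) volume root.
foreach ($d in Get-CimInstance Win32_LogicalDisk) {
    if (@(2, 3) -contains $d.DriveType) { $paths += "$($d.DeviceID)\autorun.inf" }
}
# The report shows each payload staged as <name>.tmp first; check those names too.
$paths += ($paths | Where-Object { $_ -notlike '*autorun.inf' } | ForEach-Object { $_ + '.tmp' })

$hits = @()
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
    $f = Get-Item -LiteralPath $p -Force                 # -Force: the drops may be hidden/system
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $hits += [pscustomobject]@{
        Path       = $p
        SizeKB     = [math]::Round($f.Length / 1KB)      # every copy in the report is 323KB
        KnownHash  = $knownSha256 -contains $h           # $false is expected for re-generated copies
        Attributes = $f.Attributes
        SHA256     = $h
    }
}
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed drop paths present.' }
```

A hit with KnownHash=$false but the expected path and a size around 323KB is still a hit; submit that file's hash back to the sandbox rather than discounting it. Run the sweep before any cleanup of the registry artifacts, since the exefile association change means launching any .exe on the host may re-run the dropped copies.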