Overview

overview

7

Static

static

3

36644e0e2f...18.exe

windows7-x64

7

36644e0e2f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    84s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10-07-2024 21:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe

  • Size

    187KB

  • MD5

    36644e0e2f9978ca12f1ac5e713d2889

  • SHA1

    29d2b9d97ce41bb68df1121cd54a2170fc2c782a

  • SHA256

    0a9be1d4052365bb249cd68e98dae1207885ea1db731248adc26ee551cbaa488

  • SHA512

    2f00d8c046cf607b581624c944362c09e55f1fe4b4ca1683cdc6da6febb1617434c6a2c373009a43b91a4d6174d10462817f3d8630e72e12f20aea5dee6415cf

  • SSDEEP

    3072:JXKgEUQ000kvZk3mT+Q3snJ/wDTPfPMoph9cI1kKy0Otgvjo4Tk0lU2GXxE9g337:5KgY0M4mTn3sJw33hF1Po4HlMxE9gHQ4

Score
7/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:476
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Deletes itself
          PID:3008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \systemroot\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\@
      Filesize

      2KB

      MD5

      17e7b6d68a827c577c81df0190842d1c

      SHA1

      2799b5dc157c755b5eeb6c8e4672558e4cfa6fc9

      SHA256

      eb30bb38983eb36d5b007cbd0d764e43e28e2081ab7ee925e94869a26668395e

      SHA512

      16243426c848d4e004416b0ea78df0f23c466b92886a06275000000bfdcd085f4d7295f1db2b1830e573743fe82c82951fe6b55e71b55cb3b8d89b5b448e464d

      Download Submit

    • memory/476-21-0x0000000000200000-0x0000000000208000-memory.dmp

      Filesize

      32KB

      Download

    • memory/476-42-0x0000000000220000-0x000000000022C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/476-32-0x0000000000220000-0x000000000022C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/476-31-0x0000000000220000-0x000000000022C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/476-26-0x0000000000210000-0x000000000021C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/476-30-0x0000000000210000-0x000000000021C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1200-10-0x0000000002520000-0x000000000252C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1200-36-0x0000000002500000-0x0000000002501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1200-17-0x0000000002530000-0x000000000253C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1200-6-0x0000000002520000-0x000000000252C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1200-37-0x0000000002500000-0x0000000002508000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1200-14-0x0000000002520000-0x000000000252C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1200-15-0x0000000002530000-0x000000000253C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1200-3-0x0000000002500000-0x0000000002501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1200-16-0x0000000002500000-0x0000000002508000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1652-35-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1652-34-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1652-2-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1652-38-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1652-41-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1652-40-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1652-1-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download