Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-07-2024 04:14

General

  • Target

    37a9b5fd14527a3196808a24e8a2fdf2_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    37a9b5fd14527a3196808a24e8a2fdf2

  • SHA1

    3ba472394a4e4e28e4315eb9872f818719f5a2ce

  • SHA256

    1e1d0f9ff69ba216664d92dc14ca9268ec63c35ade4727b2769448f21a7586fa

  • SHA512

    250bcd888edd769ad71bb02682456a2f3547fde417f093aaade50cc430c2a0a053d95732defa9ec7bb8f8c16ad45a2355aaf51df1ac1969172a6c2291a99bf80

  • SSDEEP

    24576:GHt2e7h2mZN11vQ0bzmPhRgtN0zrzTUEURrVuH8NjWu/tGTfY2Q6w+Pq:qt242mPvQNplPPKRJuclWu/6A9S

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37a9b5fd14527a3196808a24e8a2fdf2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\37a9b5fd14527a3196808a24e8a2fdf2_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im teatimer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\SysWOW64\drivers\svchost.exe
      C:\Windows\system32\drivers\svchost.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3044
    • C:\Windows\SysWOW64\drivers\full_yahoomonitor.exe
      C:\Windows\system32\drivers\full_yahoomonitor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Users\Admin\AppData\Local\Temp\is-J3NB4.tmp\is-805KK.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-J3NB4.tmp\is-805KK.tmp" /SL4 $30190 "C:\Windows\SysWOW64\drivers\full_yahoomonitor.exe" 1089166 52736
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2700
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im teatimer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\is-1E3EN.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-J3NB4.tmp\is-805KK.tmp

    Filesize

    657KB

    MD5

    3dafb498bb15d5260cb2c12b391a0d48

    SHA1

    c775ae9fdf18ab0ce38a8adffabe378f461e79a1

    SHA256

    c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a

    SHA512

    a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31

  • \Windows\SysWOW64\MSINET.OCX

    Filesize

    112KB

    MD5

    7bec181a21753498b6bd001c42a42722

    SHA1

    3249f233657dc66632c0539c47895bfcee5770cc

    SHA256

    73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

    SHA512

    d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

  • \Windows\SysWOW64\drivers\full_yahoomonitor.exe

    Filesize

    1.3MB

    MD5

    eff9cab8eb7db3515d2796acb306e40b

    SHA1

    6f659a971839c31a9a52e07c8f55d374654984c4

    SHA256

    d26112695ce353142054fa6ba27f4272b5ccd82387d4c2beb72598e64f7a3863

    SHA512

    a0123ea77ea92f4f1541db0ebbd4df73fe289b47c2e5f86e5e71ceaf49ddd5066e3df33a0a2980a1938c2124da3d5dfea56ec0e57862c8e20ad4a7ed9cfc7ae2

  • \Windows\SysWOW64\drivers\svchost.exe

    Filesize

    104KB

    MD5

    608f573df32693a6e4bf8a9a55d9ab17

    SHA1

    d86617363bfb817030610de98504e9c02961c975

    SHA256

    0fb60eac264359ac248e0c9633bb2d199912375e620b17e977969ec1b2de728b

    SHA512

    e2d70cac13c3c041a94e983081aa28ad06427abbbdc0e7b6477e08215ddf424d759891818adaed0210f8a666664d5efa5914560a53b5f9318a8c302b69e8d2b2

  • memory/2700-71-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2772-30-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2772-70-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB