Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 11:32

General

  • Target

    38f151b5164d18158be1d6e3493a897d_JaffaCakes118.exe

  • Size

    259KB

  • MD5

    38f151b5164d18158be1d6e3493a897d

  • SHA1

    b3dd8da39983db5e8f582e1715e36b80eb51aaba

  • SHA256

    516935769ce832ae4e31e38ae0764009f90b55208710b29987f9289bd4fafc3d

  • SHA512

    94b73294bb46c4ecfd2ca32a27885c9f5ac99cfc7bce758e89d1dc7719c7dccaeef9558f96c94bfa734d603266397fa202e6f5a56401e1c497f9ce4a59fe3131

  • SSDEEP

    6144:S16bnUWDUqJDdfMixNz9z+LS0X8W3Yp/UTxNbt0O4xy4qjqYq4lH:S16bULqFdEixN0j6/Oh0nxBgqYPH

Malware Config

Signatures

  • Event Triggered Execution: AppCert DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38f151b5164d18158be1d6e3493a897d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\38f151b5164d18158be1d6e3493a897d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\findpugc64.dll",CreateProcessNotify
      2⤵
      • Loads dropped DLL
      PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240636390.bat" "C:\Users\Admin\AppData\Local\Temp\38f151b5164d18158be1d6e3493a897d_JaffaCakes118.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\38f151b5164d18158be1d6e3493a897d_JaffaCakes118.exe"
        3⤵
        • Views/modifies file attributes
        PID:3056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 424
        3⤵
        • Program crash
        PID:1536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3924 -ip 3924
    1⤵
    PID:2960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4124 -ip 4124
    1⤵
    PID:4740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240636390.bat

    Filesize

    97B

    MD5

    d226a657b279c5fc0a892748230a56ff

    SHA1

    fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

    SHA256

    9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

    SHA512

    07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

  • C:\Windows\SysWOW64\findpugc.dll

    Filesize

    88KB

    MD5

    bbf62c6be49d997b450c940afb342de4

    SHA1

    368d62826a0c24c60df60f4fa2a8ee29f5bce85b

    SHA256

    f16332e20ace5a4610cb9ee1ca0fcea41bcbf6136224ba7fafc6d1d7d4fffd6d

    SHA512

    745e718abfe25469436a30f12de77c65cec5f79d6552d98409d40f097130d1c3818f435200c6d34e46191e8fc687f42240d11b29bffbaf38a11cb5468d51f2f3

  • C:\Windows\System32\findpugc64.dll

    Filesize

    97KB

    MD5

    d3794ac0ee31e37e43a0f603051fe600

    SHA1

    e4967d81ee19f2b947e7808031cb356a80248534

    SHA256

    d183d2922fce4964f86c352f276241d2b4be1330c12b25491b6c668ff0c10989

    SHA512

    c34725feb906ad23f96f1e12499df8c119707509d17b745f8f9ba6755c9caab82f1aee47048987dfd1b35c3337ddb63acb02cfe551797069b28ac3ccc9870551

  • memory/2528-14-0x000001CD53540000-0x000001CD53541000-memory.dmp

    Filesize

    4KB

  • memory/3924-1-0x00000000008B0000-0x0000000000930000-memory.dmp

    Filesize

    512KB

  • memory/3924-2-0x0000000001000000-0x0000000001042000-memory.dmp

    Filesize

    264KB

  • memory/3924-3-0x0000000001000000-0x0000000001042000-memory.dmp

    Filesize

    264KB

  • memory/3924-9-0x0000000001000000-0x0000000001042000-memory.dmp

    Filesize

    264KB

  • memory/3924-10-0x00000000008B0000-0x0000000000930000-memory.dmp

    Filesize

    512KB

  • memory/3924-17-0x0000000001000000-0x0000000001042000-memory.dmp

    Filesize

    264KB