Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 17:12

General

  • Target

    3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe

  • Size

    397KB

  • MD5

    3a07dd3c3102cae3b66a616691b39ca0

  • SHA1

    f5352fe5a8ab47f0dff31bd89c295b63ee5bfd51

  • SHA256

    d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0

  • SHA512

    194770ebe7633a53ad0cfbd7f8e76f6a5e2d3519891e877a407d7902e8a5f4581fea3869642efb5646bb90665116ea216d04aefb3a90a81eea6ecb96fb772b0b

  • SSDEEP

    12288:yk1Z/NVy6ixxrno8nDzu8MOH8qLsAQsnY:3NVixtDzIOHLTnY

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 52 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2244
    • C:\ProgramData\mlencXAGoFP.exe
      C:\ProgramData\mlencXAGoFP.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\*.*" /s /d
        3⤵
        • Views/modifies file attributes
        PID:552
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.*" /s /d
        3⤵
        • Views/modifies file attributes
        PID:2064
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\*.*" /s /d
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Drops desktop.ini file(s)
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files\Google\Chrome\Application\chrome.exe

    Filesize

    2.8MB

    MD5

    095092f4e746810c5829038d48afd55a

    SHA1

    246eb3d41194dddc826049bbafeb6fc522ec044a

    SHA256

    2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

    SHA512

    7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

  • \ProgramData\mlencXAGoFP.exe

    Filesize

    397KB

    MD5

    3a07dd3c3102cae3b66a616691b39ca0

    SHA1

    f5352fe5a8ab47f0dff31bd89c295b63ee5bfd51

    SHA256

    d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0

    SHA512

    194770ebe7633a53ad0cfbd7f8e76f6a5e2d3519891e877a407d7902e8a5f4581fea3869642efb5646bb90665116ea216d04aefb3a90a81eea6ecb96fb772b0b

  • memory/2244-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/2244-1-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2244-9-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2244-12-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2244-11-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3044-8-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3044-7-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3044-23-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3044-29-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3044-30-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB