Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 20:17

General

  • Target

    3a928620042b1942038b908d4f6c726f_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    3a928620042b1942038b908d4f6c726f

  • SHA1

    1f1eb7277af02ea097ec2cbba8c57831fa2f7bd5

  • SHA256

    42b15a5a5819856fd92540d8d199808268bb344ee233f2d7d5a7bb1b4dee5810

  • SHA512

    022e587a286863275a409772584b2bd353d1c654771e8be99a15f9cc0706cd8c1934655446bdf6924adca43803939d973227967944c3c3db60c4b7abdd728456

  • SSDEEP

    49152:SoG9YCLdDZO3nHMAINGRb2M3skZqYXujIrSbfq7L9mLieCzgnGCaU:SpSCpZO3nsVoRbaYXujIeqmL3/nf

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a928620042b1942038b908d4f6c726f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a928620042b1942038b908d4f6c726f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt24808.bat "C:\Users\Admin\AppData\Local\Temp\3a928620042b1942038b908d4f6c726f_JaffaCakes118.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2652
      • \??\c:\windows\SysWOW64\Nelgyar.exe
        c:\windows\system32\Nelgyar.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:264
        • \??\c:\windows\SysWOW64\cmd.exe
          cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 00000001
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 00000001
            5⤵
            PID:2516
          • \??\c:\windows\SysWOW64\cmd.exe
            cmd.exe /c REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v sysin /t REG_SZ /d "c:\windows\system32\Nelgyar.exe" /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v sysin /t REG_SZ /d "c:\windows\system32\Nelgyar.exe" /f
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:2304
          • \??\c:\windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden t reg_dword /d 00000000 /F
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\SysWOW64\reg.exe
              reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden t reg_dword /d 00000000 /F
              5⤵
              PID:3312
            • \??\c:\windows\SysWOW64\cmd.exe
              cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t reg_dword /d 00000001 /F
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4244
              • C:\Windows\SysWOW64\reg.exe
                reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t reg_dword /d 00000001 /F
                5⤵
                • Modifies visibility of file extensions in Explorer
                PID:3436
            • \??\c:\windows\SysWOW64\cmd.exe
              cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t reg_dword /d 00000001 /F
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2148
              • C:\Windows\SysWOW64\reg.exe
                reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t reg_dword /d 00000001 /F
                5⤵
                PID:4832
              • \??\c:\windows\SysWOW64\cmd.exe
                cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t reg_dword /d 00000000 /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4020
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t reg_dword /d 00000000 /F
                  5⤵
                  • Modifies visibility of hidden/system files in Explorer
                  PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Nelgyar.exe

    Filesize

    264KB

    MD5

    00a40c808fc6f1bd6435cd27cac2a60c

    SHA1

    266d557ab6df4adb9c2175986a2b3f0b5ab88e66

    SHA256

    e3c303be55da02c13e0c90090ff13b8fd8a8c08a0b2146123da76a0d61fc9a37

    SHA512

    9e5b2aa293a70ea4002c0d3b5a26d2c92ef3ec1205d7232e35a2db2d9c7ee0bc2e8e4e02952d915577571d34f490cd7f722a13e6ce74b98f7a46649f6babf329

  • C:\Users\Admin\AppData\Local\Temp\bt24808.bat

    Filesize

    183B

    MD5

    ff853b60408d5010d17591eca7c1e38f

    SHA1

    ffa1c4ee4d7bf5da2418716d61b0e8d26beac8c2

    SHA256

    33892921cdd34e78e3f089107b0766be3ce764d6bdd674d6778560baaeb70780

    SHA512

    a71c5efa534c9bdab36f569929c34a750b9aee29db09bbb4ee5bcac2364b86721143fdbcb9753d032b9ae32d66a6ab982f28f9645d2888118c965e55a8d655b8

  • C:\Users\Admin\AppData\Local\ra.mp3

    Filesize

    2.7MB

    MD5

    227e2e865aaaab7d2b9fbda7522bb416

    SHA1

    ebf006ff440241d11390d98d1c3027130c649bb5

    SHA256

    ce46f2b02e4f2774ef7fcd25c48bb70b894e53e4dd7b0b9e8113db90279494bd

    SHA512

    6104dbcd8418aa32399bc9ffd60514f4b5385bd957c9fb8062f01f741587140062b323cd14f192574e9b3e3a99cbcf2f8224833904783c08c055375baedb4d21

  • memory/2892-29-0x0000000000400000-0x00000000006DD000-memory.dmp

    Filesize

    2.9MB