Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    12/07/2024, 00:28

General

  • Target
    3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
  • Size
    158KB
  • MD5
    3b51fab717e281580abca9c62aaa9685
  • SHA1
    74cd77630ace2fa629405f0665f34f1bb86419c1
  • SHA256
    3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
  • SHA512
    41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
  • SSDEEP
    3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:484
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      PID:2388
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:2808
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      PID:1904
    • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        PID:1732
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          PID:1472
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        PID:2764
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:1668
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:2004
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        PID:2024
      • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
        C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -dCBD824CE7ABD459AAE5F83A489CDDBDEE97C2353F694E52C107C166023F592FAAFD38D90077B4B1596E2E34C241ADBF374B7DD35B912D38FA891304C38472D5F531A43ECFAF22FC3B2F3377032C99298AB9C24682091E4E4A517A6CE87732BAD9DCA998B607ECB7B76B02077D013AAFF912CECDF580391A69EBCBBF54B35D564B2A41EB786C438FF99A880D35B9F0A9B6D806464CE3493AE67FCEEB104E5B663F693A5D8F89ECEE00E59772D70EEDC71C3A8FD4E2F0AE45E161B018E6D2994730F703E2C84C927DD0C7C66FCEC7D89CD58E66A2F6927BC2CFF1CF56583457AADE15D393537851CAD0607EF7EEC26BAF9310499B0A8DB9420B8080B83847FB0DB927C29835ED6C571B255F2CECD84589E9333BE875A7525BE1522C38BED40C0FA87CBDE2985CE7C41053B90EF2C328C6004D247FD2AA8685A2B18E0977A03720F642469D07AA6DA7134EE2B08E628BF634764E88A07C697BF50B261C62827D0540F8C1B5C4A18B76FB35A630719189A0963AE90C31E94294B185288DE359922C6AD998659421B2ECD395F1A97202005A29C7D7044DAE9D9A658D6D6B11E11F2E3A2F379C5EE7595CD
        3⤵
        • Executes dropped EXE
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1628
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          PID:1148
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            PID:2664
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          PID:588
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:1772
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            PID:608
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          PID:2200
      • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
        C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -…
        3⤵
        • Executes dropped EXE
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2872
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          PID:2984
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            PID:2232
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          PID:2948
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:2936
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            PID:2292
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          PID:3036
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:3060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\a2ga3dk8.bat
      2⤵
      • Deletes itself
      PID:2680
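
The tree above is one repeating pattern: a binary running from the user's Temp directory drives net.exe/net1.exe and sc.exe to stop Security Center (wscsvc) and the firewall (SharedAccess) and set both to start= DISABLED, installs an INF through rundll32 setupapi,InstallHinfSection for persistence, and removes itself with a cmd /c batch file. Because rt04lto.exe is a byte-for-byte copy of the submitted sample (identical hashes under Downloads), every copy replays the same sequence, so counting each net.exe launch separately inflates alert volume without adding signal. The detector below is an added example, not sandbox output: it runs rule matching over process-creation events transcribed from the tree (constructed input, not raw telemetry), then attributes each LOLBin hit to the nearest ancestor running from a user-writable path and scores that actor. Rule names, the watched-service list, the user-writable path pattern and the scoring are this example's own assumptions.

```python
"""Rule matching plus ancestor attribution for the net stop / sc config /
rundll32 INF / self-delete chain. Added example; events are transcribed from
the sandbox tree (constructed input), rules and scoring are assumptions."""
import re
from collections import defaultdict

# Constructed sample input: (pid, parent pid, image path, command line),
# transcribed from the process tree above. Not raw sandbox telemetry.
EVENTS = [
    (1900, 0, r"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"'),
    (2968, 1900, r"C:\Windows\SysWOW64\net.exe", 'net.exe stop "Security Center"'),
    (484, 2968, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Security Center"'),
    (2388, 1900, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= DISABLED"),
    (2800, 1900, r"C:\Windows\SysWOW64\net.exe",
     'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'),
    (1904, 1900, r"C:\Windows\SysWOW64\sc.exe", "sc config SharedAccess start= DISABLED"),
    (2972, 1900, r"C:\Users\Admin\AppData\Local\Temp\rt04lto.exe",
     r"C:\Users\Admin\AppData\Local\Temp\rt04lto.exe"),
    (1732, 2972, r"C:\Windows\SysWOW64\net.exe", 'net.exe stop "Security Center"'),
    (2764, 2972, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= DISABLED"),
    (2760, 1900, r"C:\Windows\SysWOW64\Rundll32.exe",
     r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf"),
    (2284, 2760, r"C:\Windows\SysWOW64\runonce.exe", r'"C:\Windows\system32\runonce.exe" -r'),
    (3060, 2284, r"C:\Windows\SysWOW64\grpconv.exe", r'"C:\Windows\System32\grpconv.exe" -o'),
    (2680, 1900, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\a2ga3dk8.bat"),
]

# Services whose shutdown or start-type change counts as defence evasion (assumed list).
# `sc config` uses the short name, `net stop` accepts the display name; map both.
WATCHED_SERVICES = {
    "wscsvc": "security center",
    "sharedaccess": "windows firewall/internet connection sharing (ics)",
}
DISPLAY_TO_SHORT = {display: short for short, display in WATCHED_SERVICES.items()}

# Optional leading path, optional .exe, then the LOLBin verb we care about.
NET_STOP = re.compile(r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
SC_DISABLE = re.compile(r'^(?:.*\\)?sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b', re.I)
RUNDLL_INF = re.compile(r'rundll32(?:\.exe)?\s+setupapi(?:\.dll)?\s*,\s*InstallHinfSection\b', re.I)
TEMP_BAT = re.compile(r'^(?:.*\\)?cmd(?:\.exe)?\s+/c\s+.*\\Temp\\[^\\\s]+\.bat\b', re.I)
# Assumed set of user-writable staging locations; extend for the estate being monitored.
USER_WRITABLE = re.compile(r'\\(?:AppData\\Local\\Temp|Users\\[^\\]+\\Downloads)\\', re.I)


def classify(cmdline):
    """Return the rule names a single command line matches (empty list if none)."""
    hits = []
    m = NET_STOP.match(cmdline)
    if m:
        name = m.group(1).strip().lower()
        short = DISPLAY_TO_SHORT.get(name, name)
        if short in WATCHED_SERVICES:          # "net stop Spooler" is not a finding
            hits.append(f"stops_security_service:{short}")
    m = SC_DISABLE.match(cmdline)
    if m and m.group(1).lower() in WATCHED_SERVICES:
        hits.append(f"disables_security_service:{m.group(1).lower()}")
    if RUNDLL_INF.search(cmdline):
        hits.append("inf_install_via_rundll32")
    if TEMP_BAT.match(cmdline):
        hits.append("temp_batch_via_cmd")
    return hits


def attribute(pid, by_pid):
    """Walk up the tree to the nearest ancestor running from a user-writable path.
    net.exe, net1.exe and sc.exe are only the hands; the dropper is the actor."""
    cur, seen = pid, set()
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        ppid, image, _ = by_pid[cur]
        if USER_WRITABLE.search(image):
            return cur
        cur = ppid
    return pid  # no such ancestor on record: keep the hit on the process itself


def analyze(events):
    """Map actor pid -> sorted unique rule hits attributed to it."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = defaultdict(set)
    for pid, _, _, cmd in events:
        for hit in classify(cmd):
            findings[attribute(pid, by_pid)].add(hit)
    return {pid: sorted(hits) for pid, hits in findings.items()}


def verdict(findings):
    """One point per distinct technique, plus one when a watched service is both
    stopped and set to start= DISABLED: stop-and-disable from a Temp binary is the
    deliberate pattern, not admin housekeeping (scoring is an assumption)."""
    scores = {}
    for pid, hits in findings.items():
        kinds = {h.split(":", 1)[0] for h in hits}
        score = len(kinds)
        if {"stops_security_service", "disables_security_service"} <= kinds:
            score += 1
        scores[pid] = score
    return scores


if __name__ == "__main__":
    found = analyze(EVENTS)
    for pid, score in verdict(found).items():
        print(f"pid {pid}: score {score}, hits {found[pid]}")
```

Run against the transcribed events, the whole chain collapses to two actors: PID 1900 (the submitted sample) carries the service stop/disable pairs, the INF install and the self-delete batch, and PID 2972 (the first rt04lto.exe copy) carries its own stop/disable pair; the net1.exe and grpconv.exe children produce no alerts of their own. The rt04lto.exe copies launched with the long -d argument would fold in the same way once their events are added.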

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a2ga3dk8.bat
    • Filesize
      218B
    • MD5
      bc686b5b5dfc9fe33f1b9298988ffea4
    • SHA1
      0f4aa7406da22b81e1e8c0413ede8f4d6077e063
    • SHA256
      134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816
    • SHA512
      6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335
  • C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
    • Filesize
      413B
    • MD5
      ce1f2d7c8e36f3c085a5d281b9ebeb2f
    • SHA1
      bbbfae948d625afe50f66f34282bda3974cfdce5
    • SHA256
      312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
    • SHA512
      89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e
  • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
    • Filesize
      158KB
    • MD5
      3b51fab717e281580abca9c62aaa9685
    • SHA1
      74cd77630ace2fa629405f0665f34f1bb86419c1
    • SHA256
      3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
    • SHA512
      41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
  • memory/1628-37-0x00000000045D0000-0x000000000461F000-memory.dmp
    • Filesize
      316KB
  • memory/1628-39-0x0000000003C60000-0x0000000003C6D000-memory.dmp
    • Filesize
      52KB
  • memory/1628-43-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB
  • memory/1628-42-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB
  • memory/1628-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
    • Filesize
      72KB
  • memory/1628-34-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB
  • memory/1628-38-0x0000000004960000-0x00000000049BA000-memory.dmp
    • Filesize
      360KB
  • memory/1900-0-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB
  • memory/1900-13-0x00000000047D0000-0x00000000047FA000-memory.dmp
    • Filesize
      168KB
  • memory/1900-29-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB
  • memory/1900-3-0x0000000003A50000-0x0000000003C39000-memory.dmp
    • Filesize
      1.9MB
  • memory/1900-12-0x00000000047D0000-0x00000000047FA000-memory.dmp
    • Filesize
      168KB
  • memory/2872-52-0x0000000004770000-0x00000000047BF000-memory.dmp
    • Filesize
      316KB
  • memory/2872-53-0x0000000004760000-0x000000000479C000-memory.dmp
    • Filesize
      240KB
  • memory/2872-51-0x0000000004710000-0x0000000004768000-memory.dmp
    • Filesize
      352KB
  • memory/2872-55-0x00000000047E0000-0x000000000483A000-memory.dmp
    • Filesize
      360KB
  • memory/2872-56-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB
  • memory/2972-33-0x00000000045D0000-0x00000000045FA000-memory.dmp
    • Filesize
      168KB
  • memory/2972-41-0x0000000000400000-0x000000000042A000-memory.dmp
    • Filesize
      168KB