Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-07-2024 21:23

General

  • Target

    3eeeb65b062df1da211ed99eb77d250e_JaffaCakes118.exe

  • Size

    580KB

  • MD5

    3eeeb65b062df1da211ed99eb77d250e

  • SHA1

    420f12ecc6df8a60a1bdb1b57d6accc64e9c7530

  • SHA256

    a807e09ad90c627e6e8d22424b5205656f6951a4e2729eb72b18c428ff8ad6f0

  • SHA512

    770510298d120dddfed28fbc34ab7267e479858f6b3af4c832cafb480c56e83340ddacf4fcb96739f0c21fe062b7ef719c941abdad8a9df988bf1579369a6b33

  • SSDEEP

    6144:iKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8X:iKr3QboC9qLGKgZKe4HYpHvcbTq+

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eeeb65b062df1da211ed99eb77d250e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3eeeb65b062df1da211ed99eb77d250e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\zutaugdhjed.exe
      "C:\Users\Admin\AppData\Local\Temp\zutaugdhjed.exe" "c:\users\admin\appdata\local\temp\3eeeb65b062df1da211ed99eb77d250e_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\xcosr.exe
        "C:\Users\Admin\AppData\Local\Temp\xcosr.exe" "-C:\Users\Admin\AppData\Local\Temp\ukhwgwmiskiimyxo.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\xcosr.exe
        "C:\Users\Admin\AppData\Local\Temp\xcosr.exe" "-C:\Users\Admin\AppData\Local\Temp\ukhwgwmiskiimyxo.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1948
    • C:\Users\Admin\AppData\Local\Temp\zutaugdhjed.exe
      "C:\Users\Admin\AppData\Local\Temp\zutaugdhjed.exe" "c:\users\admin\appdata\local\temp\3eeeb65b062df1da211ed99eb77d250e_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    3bcc0d28ec57624258d6cd15f58ea20e

    SHA1

    67d5bd1905c701624d9b30347fb95d7db6b24c33

    SHA256

    e7ec94aa8608a71de389198b3bba04b1dbf68f83566f86698a3090b09643643b

    SHA512

    66311f16c59f9ccb99e245e7a8d153f8ff171a2ee712a7cbb90283b3d7f9cd3c14497098d2c3baa319a0aa8914276d3cef59883fc709e49aee77d434e9a02c7c

  • C:\Program Files (x86)\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    db9e7aedcb2e1fb51929ad85f626f2d0

    SHA1

    3dea83d8c846cdb66d0769b2ff4431f0b81bf066

    SHA256

    6b11da27736a8c0f42ededdcce47d5fa0296611cca834c05369655f3ffee4196

    SHA512

    62f82ffadee6a2944a9b00989b8d3efd62e1411b73778f7bc949112dec6299627ed2d35c03838357ccf8ba854276e06b5f47b9562d35bce3475ac510eb424e0c

  • C:\Program Files (x86)\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    b5e48529c05b23dcc2dd875eb2d13a16

    SHA1

    864ddec15e77fe6ea8e0223f6ae2b45e60262759

    SHA256

    845f2dd424548c9e1cafe08a9787188f80420cb5da629f52ca5e637e5a96b45a

    SHA512

    050f15a38ed5431627297905bf4d8d886118d6d570f7363bee41063398a4215a29d208b45304cc3efc4fab59f2a98e670a879d37948b6215e01ba1073bbdbdbb

  • C:\Program Files (x86)\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    fe806001fdba28eaf3bf693ae9c93b03

    SHA1

    d5da6d4de5b1e4881fa5b8b262025995a8498dde

    SHA256

    2d9a9afe33eadb82645d381d5a250f415b112952f93b6d321ba86d0f72665a83

    SHA512

    23ec694320dec4d16c501b4ef56e6145629a12b5fb72b41a9ff683dcea56437a93f74ceb0e4f7e264fb95912c45251843607f2cc5c614fcdcf6f3030c25b72ce

  • C:\Program Files (x86)\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    501d45aad5b9c0006fbbe926efdb12fe

    SHA1

    f2fc46c117e9c266dda4f8b4d86dade36c5680f9

    SHA256

    e1a408746cbb54a2b2aea885bac44aef227be9ad4ed6dac21dbdbd3df7e2edcb

    SHA512

    21b8733dd2735b95e686059cd555ca926204a57226565e9326a0cef14eeb02fcc7d0a7a61a6bb699d70b1cbd7368d72b1b200c01751ee5bb57187a9a86676221

  • C:\Users\Admin\AppData\Local\paschsduzmfazgamjnfqisxitkpcvqpwq.zdv

    Filesize

    4KB

    MD5

    6c7379dd95f65d2a96f5f22ef9b53704

    SHA1

    7fe4b4b5736dd598259cbdfbafe01a9557de7824

    SHA256

    f9d6bb243495fbffa3c6c4bf966ba9a4e998e0a8ed8b104f8cbc1f3541808075

    SHA512

    3ae5683e28a8cd53d0f6f94cfca5e92c1539db4c98ab6428ac9349062b2287fe26e79ce905e8536348dfa18b563dc5b0004d0edaa1523388c86073dc714da90f

  • C:\Users\Admin\AppData\Local\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    a66c99f24d268d7bbc602e70b47597e4

    SHA1

    08c85556261e16a5cfb262f7c6987ab35b66c126

    SHA256

    d2a3eb3884a822add38fc93e6e75178fe5ba8d5c98c28e7b098e3dadcc927b33

    SHA512

    7ac19d34a0e90c6c29c65a50e53982b8eb0d6b215775b75fdca98182c73ade4d62c13ca8645478c583365055687812d29cd95df66d1bfed98bca33169cc3cd88

  • C:\Users\Admin\AppData\Local\yyfeyyyeyaisgclmyryyfe.yye

    Filesize

    280B

    MD5

    937df69ba7600c5d5b79e66ae8b157ef

    SHA1

    86764025a07f019ec41f3a86906633aff8210c4d

    SHA256

    07e52cccb94c9bd26cf321a1f4762b48eb344bd58e6d37f3d0c5dd94362b4016

    SHA512

    6760383993d12b29b05613ad7976e08a519153db42ee383bfd6aeea1d4529849e3332bba606726aad08320afb2c9f7bc746045e15664328a7a11caa4301eadc3

  • C:\Windows\SysWOW64\kcbsewomyssuaopimx.exe

    Filesize

    580KB

    MD5

    3eeeb65b062df1da211ed99eb77d250e

    SHA1

    420f12ecc6df8a60a1bdb1b57d6accc64e9c7530

    SHA256

    a807e09ad90c627e6e8d22424b5205656f6951a4e2729eb72b18c428ff8ad6f0

    SHA512

    770510298d120dddfed28fbc34ab7267e479858f6b3af4c832cafb480c56e83340ddacf4fcb96739f0c21fe062b7ef719c941abdad8a9df988bf1579369a6b33

  • \Users\Admin\AppData\Local\Temp\xcosr.exe

    Filesize

    696KB

    MD5

    e04b83c89b214d91a6069c122bd8a4be

    SHA1

    4a82948deb558f94102a62a89d92a0d809c59de9

    SHA256

    03d2ecb13cc076fc9653f6ca6a42ffa22345f65dda617ee72074bfba61092244

    SHA512

    93294eb1418d976bca8a2217e944e93b125bebd57e51220b5263420389f050663f8b8c49446d3ac8dedfe1fada843675eb2029addaa828c30cfa60b5870cfc56

  • \Users\Admin\AppData\Local\Temp\zutaugdhjed.exe

    Filesize

    320KB

    MD5

    fd22bbf4a3dd4ec0acb412af0e75669b

    SHA1

    7d54f3b725ceba34107102148669a7d5e74d2d65

    SHA256

    1edafd865db2bbd03200b7f9ccc322ec724f6d7b7299c49862baf6a4f99b5044

    SHA512

    4d9c61f06100346cf03bcc68763615d60dfd3d6899766da4979a4747657083c734e5222a258fb85d8f54d9df749d4f5809cecf9052a003170b49b179ae0c5d66