Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12-07-2024 21:23

General

  • Target

    3eeeb65b062df1da211ed99eb77d250e_JaffaCakes118.exe

  • Size

    580KB

  • MD5

    3eeeb65b062df1da211ed99eb77d250e

  • SHA1

    420f12ecc6df8a60a1bdb1b57d6accc64e9c7530

  • SHA256

    a807e09ad90c627e6e8d22424b5205656f6951a4e2729eb72b18c428ff8ad6f0

  • SHA512

    770510298d120dddfed28fbc34ab7267e479858f6b3af4c832cafb480c56e83340ddacf4fcb96739f0c21fe062b7ef719c941abdad8a9df988bf1579369a6b33

  • SSDEEP

    6144:iKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8X:iKr3QboC9qLGKgZKe4HYpHvcbTq+

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • UAC bypass (3 TTPs, 13 IoCs)
  • Adds policy Run key to start application (2 TTPs, 29 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (4 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 8 IoCs)
  • Looks up external IP address via web service (6 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file (1 TTP, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (32 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (32 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTP, 41 IoCs)
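Host-side check for the registry-based signatures above (Winlogon, Run and policy Run keys, DisableRegistryTools, UAC settings, SafeBoot). This is an added example and not part of the sandbox report: it runs a small rule set over constructed Sysmon-style registry "value set" events. The report names the signatures but does not show which registry values the sample wrote, so the paths in RULES are the locations those signature names conventionally cover (an assumption), and the sample events only reuse the process names from this report; their targets and data are illustrative. Registry reads (the country-code lookup and the "Checks whether UAC is enabled" signature) produce no value-set events and are not covered here.

```python
"""Match Sysmon-style registry SetValue events against the persistence and
defense-impairment signatures listed in the report. Sample data is constructed."""
import re
from collections import Counter

# Registry locations behind the report's signature names (assumption: the report
# gives signature titles only, not the values the sample actually wrote).
# Order matters: the policy Run key must be tested before the plain Run key.
RULES = [
    ("Modifies WinLogon for persistence",
     r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$"),
    ("Adds policy Run key to start application",
     r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"),
    ("Adds Run key to start application",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"),
    ("Disables RegEdit via registry modification",
     r"\\Policies\\System\\DisableRegistryTools$"),
    ("UAC bypass",
     r"\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$"),
    ("Impair Defenses: Safe Mode Boot",
     r"\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\"),
]

# Values Windows sets itself; a write that restores them is not persistence.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe,",
                 "c:\\windows\\system32\\userinit.exe"},
}

# Constructed events, one per line, 'field=value' pairs separated by '|'.
# Image names come from the report's process tree; targets/data are illustrative.
SAMPLE_EVENTS = r"""
EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\yhfkx.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Details=explorer.exe C:\Windows\SysWOW64\lhskkdqebrymdzfnvf.exe
EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\fmwlklmppwg.exe|TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lhskkdqebrymdzfnvf|Details=C:\Windows\SysWOW64\lhskkdqebrymdzfnvf.exe
EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\yhfkx.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lhskkdqebrymdzfnvf|Details=C:\Windows\SysWOW64\lhskkdqebrymdzfnvf.exe
EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\yhfkx.exe|TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools|Details=DWORD (0x00000001)
EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\yhfkx.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|Details=DWORD (0x00000000)
EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\yhfkx.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lhskkdqebrymdzfnvf.exe\(Default)|Details=Service
EventType=SetValue|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|Details=C:\Windows\system32\userinit.exe,
EventType=SetValue|Image=C:\Windows\explorer.exe|TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000002)
"""


def parse_event(line):
    """Split one 'field=value|field=value' line into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def is_default_winlogon(target, details):
    """True when a Winlogon write only restores the stock Shell/Userinit value."""
    name = target.rsplit("\\", 1)[-1].lower()
    return details.strip().lower() in WINLOGON_DEFAULTS.get(name, set())


def match_event(ev):
    """Return a hit for the first rule whose path matches the event target, else None."""
    if ev.get("EventType") != "SetValue":
        return None
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    for signature, pattern in RULES:
        if re.search(pattern, target, re.IGNORECASE):
            if signature.startswith("Modifies WinLogon") and is_default_winlogon(target, details):
                return None  # benign reset of the default value
            return {"signature": signature, "image": ev.get("Image", ""),
                    "target": target, "details": details}
    return None


def detect(lines):
    """Run every non-empty event line through the rules and collect the hits."""
    hits = []
    for line in lines:
        if line.strip():
            hit = match_event(parse_event(line))
            if hit:
                hits.append(hit)
    return hits


def summarize(hits):
    """Count hits per signature and per writing process, like the report's IoC counts."""
    by_signature = Counter(h["signature"] for h in hits)
    by_process = Counter(h["image"].rsplit("\\", 1)[-1] for h in hits)
    return by_signature, by_process


def run_sample():
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    hits = run_sample()
    for h in hits:
        proc = h["image"].rsplit("\\", 1)[-1]
        print(f"{h['signature']:<42} {proc:<18} {h['target']}")
    print(*summarize(hits), sep="\n")
```

The rule set is deliberately path-based so it can be ported to a Sigma rule or a SIEM query; the Winlogon default check is the one refinement worth keeping, because installers and repair tools legitimately rewrite Userinit to its stock value.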

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eeeb65b062df1da211ed99eb77d250e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3eeeb65b062df1da211ed99eb77d250e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\fmwlklmppwg.exe
      "C:\Users\Admin\AppData\Local\Temp\fmwlklmppwg.exe" "c:\users\admin\appdata\local\temp\3eeeb65b062df1da211ed99eb77d250e_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4544
      • C:\Users\Admin\AppData\Local\Temp\yhfkx.exe
        "C:\Users\Admin\AppData\Local\Temp\yhfkx.exe" "-C:\Users\Admin\AppData\Local\Temp\vpyomdoavjoapjnt.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:5016
      • C:\Users\Admin\AppData\Local\Temp\yhfkx.exe
        "C:\Users\Admin\AppData\Local\Temp\yhfkx.exe" "-C:\Users\Admin\AppData\Local\Temp\vpyomdoavjoapjnt.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2284
    • C:\Users\Admin\AppData\Local\Temp\fmwlklmppwg.exe
      "C:\Users\Admin\AppData\Local\Temp\fmwlklmppwg.exe" "c:\users\admin\appdata\local\temp\3eeeb65b062df1da211ed99eb77d250e_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2728
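The "Drops autorun.inf file" behaviour attributed to yhfkx.exe (PID 5016) is the classic removable-media spread mechanism. The following is an added example, not part of the report and not the sample's own file: it parses an autorun.inf taken from a volume, lists the executables it would launch (open=, shellexecute=, shell\<verb>\command=), checks whether they are actually on that volume, flags the action= and UseAutoPlay= tricks used to pose as the built-in AutoPlay option, and evaluates the NoDriveTypeAutoRun policy bitmask. The inf content, the file name dropped.exe and the volume listing are constructed. Caveat a responder should keep in mind: since Windows 7 (KB971029 on older releases) Explorer honours autorun.inf only on optical media, so on a current host the dropped file mostly matters as an indicator and as a risk to older or mis-configured machines.

```python
"""Triage an autorun.inf found on a volume. Sample inf and volume listing are constructed."""
import re

# NoDriveTypeAutoRun bits (Explorer policy). 0x91 is the Windows default;
# 0xFF disables AutoRun for every drive type.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40}

LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample; the report does not show the contents of the dropped inf.
# 'dropped.exe' is a hypothetical file name.
SAMPLE_INF = """\
[autorun]
; constructed for this example
open=dropped.exe
shellexecute=dropped.exe
shell\\open\\command=dropped.exe
shell\\explore\\command=dropped.exe
action=Open folder to view files
useautoplay=1
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_VOLUME = ["autorun.inf", "dropped.exe", "Documents\\report.docx"]


def autorun_allowed(drive_type, no_drive_type_autorun=0x91):
    """True if the policy bitmask leaves AutoRun enabled for this drive type.
    Even when it does, Windows 7+ only honours autorun.inf on optical media."""
    return not (no_drive_type_autorun & DRIVE_BITS[drive_type])


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased, ';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(auto):
    """Keys in [autorun] that cause execution: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in auto.items()
            if k in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k)]


def first_token(cmd):
    """Program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def assess(inf_text, volume_files):
    """Findings for one autorun.inf given the list of files present on the volume."""
    present = {f.lower().lstrip("\\./") for f in volume_files}
    auto = parse_autorun(inf_text).get("autorun", {})
    findings = []
    for key, cmd in launch_targets(auto):
        exe = first_token(cmd).lower().lstrip("\\./")
        findings.append({"kind": "launch", "key": key, "target": exe,
                         "on_volume": exe in present})
    if auto.get("useautoplay", "").strip() == "1":
        findings.append({"kind": "autoplay-forced", "key": "useautoplay", "target": "1"})
    if "action" in auto:  # caption shown in the AutoPlay dialog; used to mimic the stock option
        findings.append({"kind": "prompt-spoof", "key": "action", "target": auto["action"]})
    return findings


def run_sample():
    return assess(SAMPLE_INF, SAMPLE_VOLUME)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
    for dt in DRIVE_BITS:
        print(f"{dt:<10} default policy allows AutoRun: {autorun_allowed(dt)}")
```

A launch finding whose target is missing from the volume usually means the payload was cleaned up or lives under a different name; a present target with a spoofed action= caption is the configuration to treat as an active propagation attempt.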

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\iplozdbaijbacjatmhkrnqbfd.kld

    Filesize

    280B

    MD5

    c8723a060db45c00105e484fa97c956b

    SHA1

    166caa5d7428a403d23519cae4d68fca4a5b7119

    SHA256

    16cd9375b7d7f31a2cac3845c7c2b3a7cf8aa08415c39895a58cddecf41f6c7e

    SHA512

    9696f0e663678bb859ab1f56c39c3e8ed2ebd27cb405d5e28ea428289db8d18892d6434c9dbe116609830ff7e6a4f8bee8026681ce661cff45e4c1326e69ad1f

  • C:\Program Files (x86)\iplozdbaijbacjatmhkrnqbfd.kld

    Filesize

    280B

    MD5

    1bbe538e43063e5794fa916a2962f6c1

    SHA1

    98f83ba22a367063a68547a8db76371494758371

    SHA256

    c01d6c23af1e6a6d551f836b0f69e3dffdb2867a83d316dd3d95a4915ace982e

    SHA512

    a172cc2a871087ef777c7a78a3e872808fde17500e5b22aef1463a60748d7e5f13415a08ed8034950fb663650f273e537db96023aad7cd6fe49a64a0b429c8da

  • C:\Program Files (x86)\iplozdbaijbacjatmhkrnqbfd.kld

    Filesize

    280B

    MD5

    b0eacc8ade565e9c620f1cfcb4f5ffe4

    SHA1

    8ee517e6b622472489477558a9acd3c79e6162a8

    SHA256

    719ec829b0df43572e0e1cd356e4bb5256f6fc62bafec66ce1d799e96a62b5c1

    SHA512

    d43e1d0ac0819267903314e06e0ce50aa93b3d7c1239b4020efec20e1a709e6ec0ad7113250ba679d6ad8cb3bcc8c629d87b4e000f430d3251dcd6c7b787f371

  • C:\Users\Admin\AppData\Local\Temp\fmwlklmppwg.exe

    Filesize

    320KB

    MD5

    2e30d8c470fd8118ead7ab2e107d2fbb

    SHA1

    f600db1ca1e0b8426873092ad37b54e71c81d7b6

    SHA256

    5d7b42ed71ec6fd89c448647d18f407151ff0aa890b800c7afe673e57bed37fd

    SHA512

    1b01e159422136cd520fd3dde9f5630d6c50316b0b03e350d2ac09a8c8d0d5ae68bc914672a38584394f5afb1c698d1acee5f60a180689707fc0e24a21339ae7

  • C:\Users\Admin\AppData\Local\Temp\yhfkx.exe

    Filesize

    720KB

    MD5

    3be5a060c5e4d0ef17fdb17a17ecff10

    SHA1

    f1c73fb575bbe48387c6bc368571cb361b218efe

    SHA256

    4be1e860d018bf2e37c51e6b9d114e6b74330676956674b87170ece54cae7b79

    SHA512

    5f10acd2c06c48ddf25e1743b9a1c2fe124ec7178e4e0a2ca463ec1c18537b4cd283f2fd4b8ee8a9bf684741033bddcbe931c36b01faf380c774cd0c925db378

  • C:\Users\Admin\AppData\Local\iplozdbaijbacjatmhkrnqbfd.kld

    Filesize

    280B

    MD5

    7c4bb5f6762b92037aa747bf1704ec78

    SHA1

    70447884bef82ca579f0b32d9e99cf9d13cb834a

    SHA256

    e06a5603aa08c65c0b5d3a27ab114c395f6c58d8a92ac743de5423af0c86a66a

    SHA512

    d7807f33db982fc5c361c8b63b67db4783dd74ffae5574acbcdff358e7c2ed3310d54172c16da5f70e6eaf73730821ff289f3730d6efe6ac18f99ca79439730e

  • C:\Users\Admin\AppData\Local\iplozdbaijbacjatmhkrnqbfd.kld

    Filesize

    280B

    MD5

    481004c1a5dec0fbb5204f75106599e3

    SHA1

    0f3be2650a53778166a9f35730b9fc72cdb5ca40

    SHA256

    8cbf397aa37625119125c3a5979c46ece206d851f285cd56eb2b4a9365321546

    SHA512

    cee42af191156fb9d11c7219ce6641e6bf09779654756e72eebc614f1b9480f8d8818ff82f0cf288b0e45ee1be01415487a9e17cf9e7f461149bc8b2780e9d57

  • C:\Users\Admin\AppData\Local\iplozdbaijbacjatmhkrnqbfd.kld

    Filesize

    280B

    MD5

    4d6be6475bd952a2c9e22302e8489b7b

    SHA1

    7c4f8f7703b0444696a74be48a80f5ca502fb77a

    SHA256

    659d9b20e8d6e952e9eb60324a835bdf274bb13246d9f7b531696e325783c0f7

    SHA512

    6d0cba7938596684707ae8b84ca4ae5a9f058e05d242d1da275e6b9c8e07902afeb032c6bd372b94558a7df187986191ccc6d5e792116a7ec62de243a6636674

  • C:\Users\Admin\AppData\Local\nfmawluexjmwjbdhlrfxesodmwpbeobtvzdj.pwk

    Filesize

    4KB

    MD5

    e2d075d196783e403a6d978886eb6d94

    SHA1

    e480908d93139f97490facc2033d92558f9dde19

    SHA256

    45f025598a8b3351f900d807a46c99b23e18b0b62956bd067f5819f7b39fa068

    SHA512

    91290c5584bbca045762246aad410123311f06a4d1a6df69e9a839b66557e406cc716acb8b15c687e241c0e1fd6b8f8cf842ee876512ad67d167f30d01667eee

  • C:\Windows\SysWOW64\lhskkdqebrymdzfnvf.exe

    Filesize

    580KB

    MD5

    3eeeb65b062df1da211ed99eb77d250e

    SHA1

    420f12ecc6df8a60a1bdb1b57d6accc64e9c7530

    SHA256

    a807e09ad90c627e6e8d22424b5205656f6951a4e2729eb72b18c428ff8ad6f0

    SHA512

    770510298d120dddfed28fbc34ab7267e479858f6b3af4c832cafb480c56e83340ddacf4fcb96739f0c21fe062b7ef719c941abdad8a9df988bf1579369a6b33