Analysis

  • max time kernel
    141s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/07/2024, 20:47

General

  • Target

    3ed2f2b13b855cf6e6909d09bcdfb930_JaffaCakes118.exe

  • Size

    175KB

  • MD5

    3ed2f2b13b855cf6e6909d09bcdfb930

  • SHA1

    7a89eb6be366fa15bc94ef7e43d1dc41d01a3b47

  • SHA256

    e706a27c8befbc22029aa2f33c5f8c51be52a42c05cdf414d06633e6ae153c6a

  • SHA512

    3a50266edb850f264a05d4dcd1b65839e3f9ff4c4948a519081765f67f9c25959405226fb3d6236b5f5cce464078ef1a5b9aa0fbd3cc3e505c505bca85a23364

  • SSDEEP

    3072:LXpnGI9NAlzZsAKEJgf4U3r9Ui9NuOVCSEAOlfPTsrcbEv2NmDxylGdkS50B4:LZ99NAltsAKEjUJUiLuOVPOlfPwhvym2

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ed2f2b13b855cf6e6909d09bcdfb930_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ed2f2b13b855cf6e6909d09bcdfb930_JaffaCakes118.exe"
    • Looks for VMWare Tools registry key
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" path win32_terminalservicesetting where (__Class!="") call setallowtsconnections 1
      • Suspicious use of AdjustPrivilegeToken
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\SysWOW64\nmklo.dll
    Filesize: 164KB
    MD5: a9b0b073a2c66b115af1dd1fc26b60a5
    SHA1: 9e2d667967db9041d364328304fd2bd45bf34d65
    SHA256: f690f1b7ec48eebfb1f56a810abb33ccb92b3bae07ecd1f82bdf462df5a8d424
    SHA512: 6ef365118312b21e1067bfc99078b900068be6a6217a3d5dc6b750e87e0d0efcf324723a17c11816e6e15ec77b855d491278de72bef4fee180fe599649eaec04

  • memory/2124-3-0x000000000045C000-0x0000000000460000-memory.dmp
    Filesize: 16KB

  • memory/2124-5-0x0000000000400000-0x0000000000461000-memory.dmp
    Filesize: 388KB

  • memory/2124-17-0x00000000003E0000-0x00000000003F5000-memory.dmp
    Filesize: 84KB

  • memory/2124-23-0x0000000000350000-0x0000000000359000-memory.dmp
    Filesize: 36KB

  • memory/2124-29-0x0000000000600000-0x000000000060A000-memory.dmp
    Filesize: 40KB

  • memory/2124-34-0x0000000000600000-0x000000000060A000-memory.dmp
    Filesize: 40KB

  • memory/2124-35-0x0000000000600000-0x000000000060A000-memory.dmp
    Filesize: 40KB

  • memory/2124-36-0x00000000003E0000-0x00000000003F5000-memory.dmp
    Filesize: 84KB

  • memory/2124-37-0x0000000000400000-0x0000000000461000-memory.dmp
    Filesize: 388KB

  • memory/2124-38-0x0000000010000000-0x0000000010029000-memory.dmp
    Filesize: 164KB