Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-07-2024 15:51

General

  • Target

    4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

  • Size

    19KB

  • MD5

    4258ff976538ddb6eba552017de1cc88

  • SHA1

    642c7c0641302e626b3896aaaa29154ef6e17e60

  • SHA256

    f24dd9c54ee30ce5ea624eb8b51f24adfef2b196cceda2064d721d8b723d24ab

  • SHA512

    72631e69e044395a3bc23118e388094a5555a081482845d5fb6cc1c591b6a1c5ca10a4ebafcb52f250114d66e245c39528b63d1fb4205a833ab896dbaacd60fa

  • SSDEEP

    384:QXWuX7KLLfrbrA2ZZJNAfE2J/aFTDuhXkrWHiOtDUvDHB181:QmuX7cNr0E2JmahXaWHiAYvD8

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\Net.exe
      Net Stop Norton Antivirus Auto Protect Service
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 Stop Norton Antivirus Auto Protect Service
        3⤵
        PID:2672
    • C:\Windows\SysWOW64\Net.exe
      Net Stop mcshield
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 Stop mcshield
        3⤵
        PID:4024
    • C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:2184
    • C:\Windows\SysWOW64\net.exe
      net stop System Restore Service
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop System Restore Service
        3⤵
        PID:3640
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\Services\svchost.exe

    Filesize

    19KB

    MD5

    4258ff976538ddb6eba552017de1cc88

    SHA1

    642c7c0641302e626b3896aaaa29154ef6e17e60

    SHA256

    f24dd9c54ee30ce5ea624eb8b51f24adfef2b196cceda2064d721d8b723d24ab

    SHA512

    72631e69e044395a3bc23118e388094a5555a081482845d5fb6cc1c591b6a1c5ca10a4ebafcb52f250114d66e245c39528b63d1fb4205a833ab896dbaacd60fa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\DirectX10.dll

    Filesize

    1.6MB

    MD5

    e0e12856ca90be7f5ab8dfc0f0313078

    SHA1

    cc5accf48b8e6c2fd39d1f800229cdbb54305518

    SHA256

    81ec3e3c98e5f0af0dca21b9f08f2be445b46df2ca2354eaf3523bddcb125619

    SHA512

    162c56367dca2291117f2391951970273969518b0db2bbc5d51c458173a8028c88d9dfd93aef01ed05b369f953e2953cc6be252daeb17556dbc33e5383900fa6

  • memory/2680-3-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-5-0x0000000000411000-0x0000000000412000-memory.dmp

    Filesize

    4KB

  • memory/2680-10-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-13-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-18-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-27-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-1-0x0000000000411000-0x0000000000412000-memory.dmp

    Filesize

    4KB

  • memory/2680-31-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2680-2-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB