Overview

overview

10

Static

static

3

464a580bf2...18.exe

windows7-x64

10

464a580bf2...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    464a580bf2b88bc6819d5fa9beb46905_JaffaCakes118.exe

  • Size

    3.3MB

  • MD5

    464a580bf2b88bc6819d5fa9beb46905

  • SHA1

    67351b06fc8ac4f27befe54a901a99f2998992d7

  • SHA256

    2b2a877502daf97477ae6ec73a0fcfde4e3ac3c7080a285de6decaf5910b472e

  • SHA512

    d28a90ff4b2a4a719095f1bb8a8acfc6a55c5778fe22f476abf987a9b9aa2022e0a9fa87d1e62c18f50d42bce3c3ffdd70744ab20d042eec9e6e057774a0f0ab

  • SSDEEP

    98304:8viz/27qWGq/TzuqCDl2Ptao7jlGSKNZ:8viq75/TzufC8NZ

Score
8/10
evasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\464a580bf2b88bc6819d5fa9beb46905_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\464a580bf2b88bc6819d5fa9beb46905_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops autorun.inf file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2076
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3fc 0x3b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
    Filesize

    2KB

    MD5

    340b294efc691d1b20c64175d565ebc7

    SHA1

    81cb9649bd1c9a62ae79e781818fc24d15c29ce7

    SHA256

    72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

    SHA512

    1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
    Filesize

    13KB

    MD5

    3e7ecaeb51c2812d13b07ec852d74aaf

    SHA1

    e9bdab93596ffb0f7f8c65243c579180939acb26

    SHA256

    e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

    SHA512

    635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    Filesize

    6.1MB

    MD5

    424bf196deaeb4ddcafb78e137fa560a

    SHA1

    007738e9486c904a3115daa6e8ba2ee692af58c8

    SHA256

    0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

    SHA512

    a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
    Filesize

    185KB

    MD5

    2bc17e2409502adf9cec819d1f75b135

    SHA1

    4d2a17864109405b51993b86e4d2b894eb8be615

    SHA256

    a574340b96938bb68dfcd02aed27c39fbe46530dd3a8ad07f09c42201300c34c

    SHA512

    2c44ba715de3cf0c9959233f86946949aa61c8847b6a3d02dc8fbeb2a7319ad49c3eff60fe51678a04a7b7ba43203f3d043ba1be691f53e7c8e84605ba4bf589

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    Filesize

    185KB

    MD5

    5b9be72eb7830db39ddd6bfc8d033134

    SHA1

    8b316570d2fba92882cc538ba05eab56941cb6fd

    SHA256

    375ff9989b203a48b5682877ab2f7bd0ff2eed382fc3f9906eedd61bf5711782

    SHA512

    8887b6cc85ac1884ea98adf3500ff6339be43788454008ff23b1d3eeb680a5d69f46ff7352da4ce627c5e265979b3cee1fad792e2875d0f9be6b1cac46864e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
    Filesize

    5B

    MD5

    68934a3e9455fa72420237eb05902327

    SHA1

    7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

    SHA256

    fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

    SHA512

    719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
    Filesize

    322KB

    MD5

    c3256800dce47c14acc83ccca4c3e2ac

    SHA1

    9d126818c66991dbc3813a65eddb88bbcf77f30a

    SHA256

    f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

    SHA512

    6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

    Download Submit