Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    16/07/2024, 01:10

General

  • Target

    4c30f920177a7879446a1572de62af47_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    4c30f920177a7879446a1572de62af47

  • SHA1

    9ec99517701915af05c4b158da1acfb9ac4defdb

  • SHA256

    7dd2a31204e2260194dd12862fb663a641436af85177d0e7b547a13e9e34ef45

  • SHA512

    e7b8b2fc47263614cbfa710c15e7d559cb9295e48c840781a63652fbb762f82998db9b1a21449bdc6a20d656c5431d369f5b9e38a6fa466a9cb5e25f2e31bf88

  • SSDEEP

    24576:G2r4/sxU9RzIUFUlmWLmYbPvHTLukjKNMgL9Z5:Gy40pDDHHKNMU

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c30f920177a7879446a1572de62af47_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4c30f920177a7879446a1572de62af47_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\FJPCCI.exe
      C:\Users\Admin\AppData\Local\Temp\FJPCCI.exe
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\2.exe
        "C:\2.exe" MNQEVQUKIHRUEC
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2852
      • \??\c:\2.exe
        c:\2.exe MNQEVQUKIHRUEC
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\2.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s vbscript.dll
            4⤵
            PID:2708
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s msvidctl.dll
            4⤵
            PID:2916
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s scrrun.dll
            4⤵
            • Modifies registry class
            PID:2776
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
            4⤵
            • Modifies Internet Explorer settings
            PID:2652
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
            4⤵
            • Modifies Internet Explorer settings
            PID:2724
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /s jscript.dll
            4⤵
            • Modifies registry class
            PID:2660
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s itss.dll
            4⤵
            PID:2608
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
            4⤵
            • Modifies Internet Explorer settings
            PID:2616
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
            4⤵
            • Modifies Internet Explorer settings
            PID:2636
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
            4⤵
            • Modifies Internet Explorer settings
            PID:2656
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
            4⤵
            • Modifies Internet Explorer settings
            PID:2680
          • C:\Windows\SysWOW64\reg.exe
            reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
            4⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2732
          • C:\Windows\SysWOW64\reg.exe
            reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
            4⤵
            • Modifies registry key
            PID:2144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2.bat

    Filesize

    1KB

    MD5

    76765c71877142243edf9766fd5fcc8f

    SHA1

    4e01a90382e6ef63a2902db0d888ae1cb7e8f78c

    SHA256

    3cc9cbf30920f5e277e406e5c981b60fcf8161c5186d868f89186d8f73b80e24

    SHA512

    d671cc850c058c60cd34980820f33b67dbde2e5b93683660f67d2eef277435b14c81d9e7343bd36d2a574b14f761598aa0c62d229b110598d9830b8087a1b811

  • C:\2.exe

    Filesize

    21KB

    MD5

    0cc2230a06f3636977984747abee72b8

    SHA1

    87cacf337c098af57b9aa096637fe8d1fddebf09

    SHA256

    6f64b30f199d05ec81e7f963c4f09942a875206cdb605dd571edfeb447240948

    SHA512

    0595afd55130adf494bac89c00d4cde91c7c82b4e05279dd0eb885e7a343b8fc42b022b42652f7ef98f4775f701eb6378a52f186279dd745cf567bb71dfdc754

  • C:\Users\Admin\AppData\Local\Temp\FJPCCI.exe

    Filesize

    40KB

    MD5

    b44be3df239bb8d68a462fcf4225b6c4

    SHA1

    cd23d649218d6c0ac866f3d7ae2fa46a033134f8

    SHA256

    99b67c7ebe44ecc215ad1d313229315f797c976abab96e4948ea1862217dc51e

    SHA512

    a37857bb13bd2e6af44e0227222f879af55cb89f264038fc236ee0979424c9c08c296d6e3f44539703e33ee337a7011e87c54e6ef59591f4f968cbff76139333

  • C:\Windows\MNQEVQUKIHRUEC.txt

    Filesize

    28KB

    MD5

    4cce1de3cd30abd69936b4ae2a163d24

    SHA1

    d83275917d5e896fc1fe8e24845fc14914038a02

    SHA256

    10b1d161d76292b35eddc793049aa1dd4b5d61754edbbeaabcc04e5413ec5ffc

    SHA512

    76da4304183f01358a3bcbebba47bf0998edb87584bae5c910104bf58adb75285387572c78ea14bf40fa9ec86be6189b2bbf2579bf63284fcb7beb539adbd05c