Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/07/2024, 03:59

General

  • Target

    4cb8659dee8edbbc8746da74f645f864_JaffaCakes118.exe

  • Size

    488KB

  • MD5

    4cb8659dee8edbbc8746da74f645f864

  • SHA1

    a09e0638020af396a9ae753a0601ac430d70a738

  • SHA256

    89ba53ebc07fcd8ba0fe785ee93a8d6a71e40079152cdb9ab0d1298bf08de6c2

  • SHA512

    6f637901ac5068e573f909abc749364944bc45cd2027e63ae885d55a7c650739b3b7a64d3bf0de8d9b23fe88129c75180bc1b6b50e2ee640a0e58e9edff6285b

  • SSDEEP

    6144:cj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion:G6onxOp8FySpE5zvIdtU+Ymef

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • UAC bypass (3 TTPs, 13 IoCs)
  • Adds policy Run key to start application (2 TTPs, 29 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (4 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 8 IoCs)
  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file (1 TTPs, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (32 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (32 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTPs, 41 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cb8659dee8edbbc8746da74f645f864_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4cb8659dee8edbbc8746da74f645f864_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\zifautlsjsp.exe
      "C:\Users\Admin\AppData\Local\Temp\zifautlsjsp.exe" "c:\users\admin\appdata\local\temp\4cb8659dee8edbbc8746da74f645f864_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2224
      • C:\Users\Admin\AppData\Local\Temp\udluwfo.exe
        "C:\Users\Admin\AppData\Local\Temp\udluwfo.exe" "-C:\Users\Admin\AppData\Local\Temp\tlcufxpjzsgiihli.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:4724
      • C:\Users\Admin\AppData\Local\Temp\udluwfo.exe
        "C:\Users\Admin\AppData\Local\Temp\udluwfo.exe" "-C:\Users\Admin\AppData\Local\Temp\tlcufxpjzsgiihli.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:4128
    • C:\Users\Admin\AppData\Local\Temp\zifautlsjsp.exe
      "C:\Users\Admin\AppData\Local\Temp\zifautlsjsp.exe" "c:\users\admin\appdata\local\temp\4cb8659dee8edbbc8746da74f645f864_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    665307aa62cb8b9b52bfb673bfac6cfa

    SHA1

    6a968a0df5627bfe4207b7e0c7452aa56ea0183d

    SHA256

    bb36edc27d3af393e9c80b4004e97076d3992132333a7682f1e4d65be5473b1f

    SHA512

    e3f5131ec2593c2dfc92ff44333800db79a4ea7a242588346cd64d2bcbd1e8da4421ce7b4dc8517b28808328de2794fb04324fc7ad2aa6cfe0c0355cf16bf1ae

  • C:\Program Files (x86)\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    ca971b2d7deaca2cfac2b93bd52801c0

    SHA1

    ce64008762bb4b9820ccc1a5ba3cab3e21fe7945

    SHA256

    18fe20c75882b57adaa506cb57902b2cc974fe1cdd10cdb062ce1dff7d1b4356

    SHA512

    7a25c65b4cb6f833b2fbc3f9beeedf20dfd070cdb6f2af9338538e5a33fa04f6b8e8fdddbff0ae29b61279581093d56d57452c1364a8ac616a400d689298f8e2

  • C:\Program Files (x86)\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    fcf25bd556377d503fb3f7f45b849820

    SHA1

    b3b31a0b2e838061fc50602f7c4989e6b903e92d

    SHA256

    7036dbb94675e8a01a24976761e5d33e8d6b3814062794623af52f79a674ebc1

    SHA512

    92a3fd26a4e08b30d940a639bf46c4587d032a096c0ae0e24e71505ba8753d897ee947abb2e9842aa797d0d5e23620a992e78fb18a065e90b75ba0d708a92ed4

  • C:\Program Files (x86)\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    3c23dc66a7d85f3fa286ced09e1763f3

    SHA1

    805517201ee01cb78f5bb56e5c7e9439ac276b63

    SHA256

    2ca4a8b4023ab9cfd1bb90183992217f4dea54ac5161d2bc4467dfdbdd96d56b

    SHA512

    0dbb427c7a6215196ef9a6c746f45b4e357f2baa092dcabadd3dcdd753af3d2d7ae00867f681822900b27a3aaab7e80589b1896756829c1c44f9496009036bf1

  • C:\Program Files (x86)\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    04b0b29a2385d9137ffbfbdecd16186e

    SHA1

    2e43a5e6bb8cf2a4a7ecc547016c7d9236c18fd2

    SHA256

    6021b51bc397a5dc4bf2339b084204cd2afe903b2ea3d970884f3857fffaa510

    SHA512

    9fa9db5c189799db15daf3c8901d18c80e343c3e78a742a3e49da05341a0584e6ad9d549555ff0c27b5def13a0f07164be8ed95a0838cf06e397b7ac23e32a16

  • C:\Program Files (x86)\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    ffebcc69dfc7ae1bcbea686e007d9527

    SHA1

    13ffb3db5759a70b410f7f5ad2a2884ebef7e1c1

    SHA256

    42dccd43bdb7a56485bc70e768833c3ceb0157e0f810476e88785bcf1e8bac57

    SHA512

    92037cbac2d37d510538ad45e5fb89d7f0f6f7fbfac4579cb0a22c30be94499cd8cf102a5e38ddc7f00c2a60f048cfe6a011f02ca8091b46c888305af3b6d83a

  • C:\Users\Admin\AppData\Local\Temp\udluwfo.exe

    Filesize

    732KB

    MD5

    d5e5511a6462f44c804f1a48690f485f

    SHA1

    b9fd9ead5f090adf640ebee41fbe625b548f693f

    SHA256

    5a58ff39a903c923449bb1971ce53836dd906722ff6721e295f46e45adee6716

    SHA512

    891038feeb735c4b7fd77453277935ea641cd947dddeb0133a0068f739a2dcdb146c594e3d50446c76b3c877ef6d29c89a8cbfa038c0d89e71d441699cd436c9

  • C:\Users\Admin\AppData\Local\Temp\zifautlsjsp.exe

    Filesize

    320KB

    MD5

    5203b6ea0901877fbf2d8d6f6d8d338e

    SHA1

    c803e92561921b38abe13239c1fd85605b570936

    SHA256

    0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

    SHA512

    d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

  • C:\Users\Admin\AppData\Local\glpusxcjmstivhyihfkotrwbi.rsh

    Filesize

    272B

    MD5

    4a0dcb304aafa06202703b612f2ac3f2

    SHA1

    a6765926b52617adacdf7bbbb137c6b85bbd5bad

    SHA256

    455a43ed2ed6bb2707a2f6a309ac186871ab24591d763d9ff5d4fd6811237406

    SHA512

    370edc34fd62012b251c95cb9e312d81f8d415d505152c04d000e8ecf4d12462bc2d58cb882a2fc646ef603ceb77a6083dcc6cd4f6cdc79bfd323dd10b8f2af4

  • C:\Users\Admin\AppData\Local\lbqgpfvnbseeczbwgpfuktjzrfwiigdfaktj.oxn

    Filesize

    3KB

    MD5

    024affd9be721136c7a7ee9fbdf7bb79

    SHA1

    a1675212bf11ab10f02e95057b8398530acec0ef

    SHA256

    57f77c6d12225413088cc371f086e5b5d41267e2dd30f673db62b782c409dc32

    SHA512

    b44e3a585ff4d06d9f31679d17e4dae3c466c829256a38f741fa03a0bf3b69d77de248036047c95a28d631c5382dd432b7dfb807e5dd071fddf3c060d5680392

  • C:\Windows\SysWOW64\jdwqdxrnfaquwxdcqd.exe

    Filesize

    488KB

    MD5

    4cb8659dee8edbbc8746da74f645f864

    SHA1

    a09e0638020af396a9ae753a0601ac430d70a738

    SHA256

    89ba53ebc07fcd8ba0fe785ee93a8d6a71e40079152cdb9ab0d1298bf08de6c2

    SHA512

    6f637901ac5068e573f909abc749364944bc45cd2027e63ae885d55a7c650739b3b7a64d3bf0de8d9b23fe88129c75180bc1b6b50e2ee640a0e58e9edff6285b

  • C:\udluwfo.bat

    Filesize

    556KB

    MD5

    542c39f5479efc0ea68ad12b0ff2e56a

    SHA1

    f8759ad01031ea6920becf7e5f3cdfd8a3f52dfe

    SHA256

    69b9181e7b31bba70535f9a128af6b614af15ba00da9a9ad5194a52982c5536d

    SHA512

    db0bd8ac944154afd2134d7fe74c43bac71d91fc2193a8eab2355f00fea207b4aca712c2746b4be026a5bda4e7af8fce2c6b720e21a90427277e5532e11700fc