Overview

overview

8

Static

static

3

5ac4326136...18.exe

windows7-x64

8

5ac4326136...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 06:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5ac4326136d44df2e164aaefb5f80f52_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    5ac4326136d44df2e164aaefb5f80f52

  • SHA1

    60eb1637d50e48bcdb4939fc7cfcbb02fffcfd89

  • SHA256

    58a31d33c7c3da2fa881ee25ac1eb8fb1b0827404d854dd6eddff6c9104b87aa

  • SHA512

    bc3dc111729048999e8da22c4810e305e3490d6742446a4f86ece9dd9da63abab9668c91ad631b1b55ad80d9174370b8d0f77477c68dfee73629d809416967b4

  • SSDEEP

    24576:gQsAVmhBwWsRBB/PbYiNNPSflQMm39kI+DLWR7EbaiF0mUP5K:PsAVmhGWsR//PbYinPEaMo9kIqS7oa0

Score
8/10
adwareevasionpersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 47 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ac4326136d44df2e164aaefb5f80f52_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ac4326136d44df2e164aaefb5f80f52_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\EhStorShell32.exe
      "C:\Windows\system32\EhStorShell32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
        "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        PID:828
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\kbdda32.exe" enable=yes profile=domain
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2824
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\kbdda32.exe" enable=yes profile=private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2736
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\kbdda32.exe" enable=yes profile=public
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 560
      2⤵
      • Program crash
      PID:1508
  • C:\Windows\SysWOW64\kbdda32.exe
    C:\Windows\SysWOW64\kbdda32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\ProgramData\EhStorShell32.exe
      schutz
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1004

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Browser Extensions

        1
        T1176

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        2
        T1546

        AppInit DLLs

        1
        T1546.010

        Netsh Helper DLL

        1
        T1546.007

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        2
        T1546

        AppInit DLLs

        1
        T1546.010

        Netsh Helper DLL

        1
        T1546.007

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        3
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\472590126
          Filesize

          32B

          MD5

          ab289c749652bb47169c6899c4179a57

          SHA1

          a3f11eca3ad7e00cb59c3473c5ead96b0417a762

          SHA256

          f941bd7fb2f71c70b35de6867774639fcbe4cdb5182c70bf316fbee83e90e138

          SHA512

          3054e1b344751977a72e67fd89f4a034bc5ab81cdbce3c94785d5af559fa199bc4b36b79ba9118c9918195df9e930114c992cba98ec8704cded1c9eb43b7387d

          Download Submit

        • C:\Windows\SysWOW64\472590126
          Filesize

          120B

          MD5

          1b09584482fa3b1d7dc69486c0770b33

          SHA1

          85aacff4fbc878cf0ad38f86d1a65121f9ef7aba

          SHA256

          7b27de2ac17b147ff12205e13b9e48db7f509fa2cc2bd2ce9d5a88078b47f746

          SHA512

          674bd29647b519e4d236dc174050faa2414d1e8c82c4429408884c22abb59b63857a1cdee23754b51a8c7beed717153a2dcdfcd5c352415b9cb29e8094a0b874

          Download Submit

        • C:\Windows\SysWOW64\KBDDA32.exe
          Filesize

          1.4MB

          MD5

          5ac4326136d44df2e164aaefb5f80f52

          SHA1

          60eb1637d50e48bcdb4939fc7cfcbb02fffcfd89

          SHA256

          58a31d33c7c3da2fa881ee25ac1eb8fb1b0827404d854dd6eddff6c9104b87aa

          SHA512

          bc3dc111729048999e8da22c4810e305e3490d6742446a4f86ece9dd9da63abab9668c91ad631b1b55ad80d9174370b8d0f77477c68dfee73629d809416967b4

          Download Submit

        • \ProgramData\api-ms-win-core-localization-l1-2-032.dll
          Filesize

          249KB

          MD5

          af329f753611110cd6249e4800f114cd

          SHA1

          c7d40e12de5746ba7e08cb277af417a2aae8a326

          SHA256

          79598b7db4f653ba34feaf4a94e1eeecd469b6ef5ab59b6ad0cde4a1235cee12

          SHA512

          b7985e590828bd1fc051fb952ebeb88bb497a3ac87d59d9c930f42cd2cdf918261198cfa115fda7d862697f53212bbce166262817e44d729db1a679326b22f4f

          Download Submit

        • \Windows\SysWOW64\EhStorShell32.exe
          Filesize

          187KB

          MD5

          a5d1fc3cb67687ef7a865fc600825151

          SHA1

          adfad1d81ac24e485b4654ff839d2141ae1e3e45

          SHA256

          ae423c66501c2830b90c88b1fdb30655800ba6812dafd7d98f03422441f796da

          SHA512

          4dc9d84770e67e0739836d2f563a475031f1cb00105ad354e6a281965cacc08fe15f8f16fb6620f438020ee5a424e92e2962be968e8aae9d08d85c65de4907a6

          Download Submit

        • \Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll
          Filesize

          429KB

          MD5

          213d946c7944f5c221279248389df42c

          SHA1

          7db977c802da1afeeda718424486bc237c8614b2

          SHA256

          84bc00fc0406fcccd2313ca71dd9dc1a75780bda9d77eb6433145fba43978ac3

          SHA512

          8388c9d277554bd84d45feaf98b012d968b3c5b6deca50e1d2a33d2511b0bf36138c8206b4204e37162c3e13422bd4a516f4f9123a3dba51d4da93090353d57e

          Download Submit

        • memory/288-6-0x0000000010000000-0x0000000010083000-memory.dmp

          Filesize

          524KB

          Download

        • memory/288-89-0x0000000001E90000-0x0000000001F8E000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/288-0-0x0000000001E90000-0x0000000001F8E000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/288-5-0x0000000000570000-0x000000000060A000-memory.dmp

          Filesize

          616KB

          Download

        • memory/288-84-0x0000000000400000-0x0000000000562000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/288-1-0x0000000000400000-0x0000000000562000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/828-88-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/828-82-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1004-87-0x0000000000400000-0x0000000000562000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2760-78-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2760-34-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2760-32-0x00000000002C0000-0x00000000002EA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2908-41-0x0000000010000000-0x0000000010043000-memory.dmp

          Filesize

          268KB

          Download

        • memory/2908-86-0x0000000010000000-0x0000000010043000-memory.dmp

          Filesize

          268KB

          Download

        • memory/2908-85-0x0000000000400000-0x0000000000562000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2908-95-0x0000000000B10000-0x0000000000C0E000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2908-108-0x0000000010000000-0x0000000010043000-memory.dmp

          Filesize

          268KB

          Download