Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
19-07-2024 07:53
General
-
Target
5b0ea51e95974f2df1524a19d798c422_JaffaCakes118.exe
-
Size
172KB
-
MD5
5b0ea51e95974f2df1524a19d798c422
-
SHA1
21e2ffb6e2d230736847548795cbc7fb6e59c136
-
SHA256
7c1c73ab42696e39505979ff9238b35a3c4bd60dda2576ba8770cd7a297c37d7
-
SHA512
bf02f4e9b3e4a65dd3f3272168ab88b7ab894a5ecbe72c92f68362953c40f7fb3c116fbd59c41095602ff796084cf0ab313e8a7eb855ee54410ec3e11cb38da0
-
SSDEEP
3072:H2YOj+Rd/HB7oV7HV3ffDoStyMhV5HRHULEZ3+1/9qOFzk:hOj+rWJffMWhV5HRHUgItFz
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b0ea51e95974f2df1524a19d798c422_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b0ea51e95974f2df1524a19d798c422_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c "%temp%\npi.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram name="npi" program="C:\Windows\system32\svchost.exe" mode=enable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 8085 npi enable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\sc.exesc create "npii" type= share start= auto binpath= "C:\Windows\system32\svchost.exe -k npii"3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "hklm\system\currentcontrolset\services\npii\parameters" /v servicedll /t reg_expand_sz /d "C:\Windows\system32\npi.dll" /f3⤵
- Server Software Component: Terminal Services DLL
-
-
C:\Windows\SysWOW64\reg.exereg add "hklm\system\currentcontrolset\services\npii" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v npii /t reg_multi_sz /d "npii\0" /f3⤵
-
-
C:\Windows\SysWOW64\sc.exesc start npii3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k npii -s npii1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
676B
MD58a8f907dad97578ff215aa154b8ea057
SHA123bf74b5fb95bc4a5d4a12d7b09f5a5f090567e1
SHA256d839647d36425306ef0c961580d1b978ce72bf0956c1ff7bebc8bcc81b4849a5
SHA51243aeaf2b9ca0888e513c318a05f30cc516b0d70e96d09429180e7c58772e58a1117b95d6ace80a121fdc8d1fdc8114c3d5a21d447fca7e512181226ffc4e181b
-
Filesize
49KB
MD54e56104661bb20c34e9c9516ccd9f79c
SHA1aa9d95a438a019304d03bf097060ce719f883442
SHA256bf8b85e9f6667ddec0675c354d21080d535f460bc2e1f742e11374ec6609e2a4
SHA512cb5d392dbf4f55aab04d2bd91a4c55cde3e3d094506b607b78b5fcb4ccca216d2f1560f9afe465f04da4f9a594cfb19c26b354273bc75c98c5c229a3cfae9003