Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2024, 02:38

General

  • Target

    5eb6f7118d3a0ce4ef0232609f910d18_JaffaCakes118.exe

  • Size

    952KB

  • MD5

    5eb6f7118d3a0ce4ef0232609f910d18

  • SHA1

    404adb26ba92478c26e3adfdc581ffc0d34deee8

  • SHA256

    17b941330650aceeab1a40a3c8140ef645d9a9ee40cd64bfbad433e251811efa

  • SHA512

    eabf88c11984b2a74a98367aa67dc0494608818340b760bdcd75bce1feb0a262f5c3c7f915c27c9088465fdf35ecfda35fc6f7004eb23b76534aa17fecda6a3c

  • SSDEEP

    6144:k8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aUcp:HnRy+ZyYpaCDJFuPyAHcqrU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 26 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 60 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5eb6f7118d3a0ce4ef0232609f910d18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5eb6f7118d3a0ce4ef0232609f910d18_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe
      "C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe" "c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\whkxwkj.exe
        "C:\Users\Admin\AppData\Local\Temp\whkxwkj.exe" "-c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:596
      • C:\Users\Admin\AppData\Local\Temp\whkxwkj.exe
        "C:\Users\Admin\AppData\Local\Temp\whkxwkj.exe" "-c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1480
    • C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe
      "C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe" "c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    6355c9d63befd14eaad317a2bc327d34

    SHA1

    a92e57ec7a500fe13491bbab5d93dfa0db77900e

    SHA256

    d4eb4bd5d689f236a4ea94be25143c418671d592512bcf47d4ffb92ab7e690ca

    SHA512

    e48d1afa43e314d1ea6d5bff21ed3165801deb6c57ab2c67fb028c54e9ad8ab2b81ec4df0e682c98a5ea24db22973476428dcb25117b79f9c68adeac83afad3a

  • C:\Program Files (x86)\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    9ea4f62f795527f843e8cbfecbf667f0

    SHA1

    ef1e61c718fc0fcaa497c01ac42166ab0bab73ea

    SHA256

    6298301925e4770b96d7d32af97c131f56a46e9cd679eb992e1b2961cc3a91f8

    SHA512

    abb606c66fa2d8235f295c7d8ba52d1d2e76c0ca278c6f65d3a901d7ead54c4cf2b41eb0ffc741c5e225b0ed278e56d41fe38a8475eb1f7441ae74f1b005b267

  • C:\Program Files (x86)\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    65c46e7c24635d2777ab419139dfdd7a

    SHA1

    cf67577a25e980e9256cb07e9e6e547089247f5b

    SHA256

    ee8dd41f2d5ed4c073c11a2b090bedb98259387e2de76915b54fe8f33200b47d

    SHA512

    519c606558223d368e211a8d140c12f4710b2d724e07450c45d45cbe3513964ebe835cd1adf6733cba04ea673800152c40cd7bd826188f219a097707358935d3

  • C:\Users\Admin\AppData\Local\vpbxfckauisujlnmumxrdzhemcwkuwlnpowozt.bjg

    Filesize

    3KB

    MD5

    a2f4c1f92d4686c45073ee44741d02a9

    SHA1

    2359941d4b4936febdf09a1a1bf003632228854c

    SHA256

    52bb4e31f7d7b2735cb8244998684373d0e3368e8171100458922adc70eff6e7

    SHA512

    b3bb5f4230e85be4b79ab906a361950fb3100e430db233e1366b7cabbb642193d24ba7286247acebcb88c5cc53c9f022992ffe6287f02479c723cf58bc0dec54

  • C:\Users\Admin\AppData\Local\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    9e411763aefbe8751c50935f68dab61f

    SHA1

    05b687be2cdd15d2b8a83756a3c73ce056c1bf84

    SHA256

    f6ec32c7bb16e924eb1a63c8ca7f2aab68c8afbeb6a397d9bcf40b58865f1d2a

    SHA512

    ed9fce639ae1e3b7944633426693761302478366525ff71be1921a4fa5bf63bd20b124898330e59bdc606b07f95d6ed65051302a6c043360e9d6b42615dbb3ab

  • C:\Users\Admin\AppData\Local\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    5c835932495eec44801f588489c7609f

    SHA1

    119458b94ceaa9e7784e361603d7d36bb323b24b

    SHA256

    211174e3cff6fe2b3500785f4a50408d1b1175423cc5dd61a460b479373d249e

    SHA512

    cc06051f8eb9f496d018b38b45bdb3120e0c0bfdf2222c1f977704e5ca0f2202c7f700e2df37880d114f3e34d16a7991be7926d119901f09bf82c82d03b4e740

  • C:\Users\Admin\AppData\Local\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    fe781e815a932e2c29db1489985f9921

    SHA1

    337ba5918be9a695617b989517baeec3ffa51704

    SHA256

    e9bdda46de532b171561e027b5e83f34e13f5432c9ee61083254d98b7f6379de

    SHA512

    450e6de7475289ebec1e08a382f28d780928eb669b47507bd020fc24ae2eebe3001b15674a25167e41fda40f5b8633f036cea4fcf0d25c7d909a4e16301edef7

  • C:\Users\Admin\AppData\Local\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    207a4fe3dc6888f51f093cc1733645dc

    SHA1

    5474f0631fb8e2a46cbd39a55069523322453143

    SHA256

    9a2c782ae2623716e73422772a03a026792464dc73262819057051040fa05ff3

    SHA512

    060bdbb8cd85ccc1008b13d08752f04d323b690a681c1bc51b7137e2ccdaa14d695e8067eb6799cbe8d4415cb6b7749fe54e76c1326a8646409cc489d8429ee6

  • C:\Users\Admin\AppData\Local\yhitqczenqpgkbsgdkktufcolqz.bsw

    Filesize

    120B

    MD5

    40abb0e240895bf13890144cb60f094e

    SHA1

    de162a4cb8287a5157f5fdb573bc659e3a4734e7

    SHA256

    533ce052564b9dd2a2eaa7616a3da3664ac2e10ccf4c70a4189544d588977438

    SHA512

    3d2864e98a680e91d87cb5cf504e2e220f74f9b54278c7155063571bf46c7f0a0705f6feffc2440702ea917f4118d728ca28c32fbda871275a064b94f8d2be5c

  • C:\Windows\SysWOW64\lhvtdcmeaqcgxbfgqk.exe

    Filesize

    952KB

    MD5

    5eb6f7118d3a0ce4ef0232609f910d18

    SHA1

    404adb26ba92478c26e3adfdc581ffc0d34deee8

    SHA256

    17b941330650aceeab1a40a3c8140ef645d9a9ee40cd64bfbad433e251811efa

    SHA512

    eabf88c11984b2a74a98367aa67dc0494608818340b760bdcd75bce1feb0a262f5c3c7f915c27c9088465fdf35ecfda35fc6f7004eb23b76534aa17fecda6a3c

  • C:\Windows\vpbxfckauisujlnm.exe

    Filesize

    320KB

    MD5

    43f4276593ca4aaad970451e90eb59cc

    SHA1

    4a612a15e4abd846c22300ff4da661bbcc811e9a

    SHA256

    ab73da5599ba39c0c478bc5c57c83b851b80ada9bb1610bdf3f142a59fefe9b8

    SHA512

    6c7042c68446ff14647ec891555a3d663d8527b5d9339f7ace2d40b8f7b94ae6213f0d7966a1a55955dfc6776b0a35a647df8fea94cb316715f9ae1d67574d81

  • C:\qfmdgybmbkp.bat

    Filesize

    480KB

    MD5

    945dc57689e203a42020f8544fb5507c

    SHA1

    e689196b53cfa82be8acf8a4d30c84b26a0a5449

    SHA256

    49b98c3cd155bfd0a89a0cdeb25ce5fe44b675538d2f51456b04c1927ddf8454

    SHA512

    818a881473fd8c5a7024d953bc63799b275a6cce570426529164e2d488d2e730a20431f04f6eb759dc784bc12905b5f6a266e1f63f30922beac19805d0d21916

  • \Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe

    Filesize

    308KB

    MD5

    85cb856b920e7b0b7b75115336fc2af2

    SHA1

    1d1a207efec2f5187583b652c35aef74ee4c473f

    SHA256

    6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

    SHA512

    120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

  • \Users\Admin\AppData\Local\Temp\whkxwkj.exe

    Filesize

    692KB

    MD5

    d2246042e6e6874680c0d221fcdb9ca0

    SHA1

    bf5e5daec9ba99828e1d535b7fea0f09fec4252c

    SHA256

    719394cf4fe8ef83f4af47e8a2d94f47a1ffdd5644588cdba0d801db3224349f

    SHA512

    3fc4fe2b4abafdc5e87318e8ccdefbd2f262fe17a7a3552fddfa4f05a9aefefbc7f482db7049ac565a3b4871ba575507f04e78124dd858c31f45ed359c3e55bc