Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-07-2024 02:38

General

  • Target

    5eb6f7118d3a0ce4ef0232609f910d18_JaffaCakes118.exe

  • Size

    952KB

  • MD5

    5eb6f7118d3a0ce4ef0232609f910d18

  • SHA1

    404adb26ba92478c26e3adfdc581ffc0d34deee8

  • SHA256

    17b941330650aceeab1a40a3c8140ef645d9a9ee40cd64bfbad433e251811efa

  • SHA512

    eabf88c11984b2a74a98367aa67dc0494608818340b760bdcd75bce1feb0a262f5c3c7f915c27c9088465fdf35ecfda35fc6f7004eb23b76534aa17fecda6a3c

  • SSDEEP

    6144:k8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aUcp:HnRy+ZyYpaCDJFuPyAHcqrU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 30 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 60 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 39 IoCs
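
Most of the signatures above resolve to a small set of registry keys (Winlogon Shell/Userinit, Policies\System, Run and Policies\Explorer\Run, SafeBoot) plus autorun.inf at a volume root, which makes them cheap to verify on a suspect host. The PowerShell below is an added triage example, not code from the sandbox report or from the sample; the "clean" baselines it compares against (explorer.exe, userinit.exe, EnableLUA=1, ConsentPromptBehaviorAdmin≠0, cmd.exe as AlternateShell, empty Policies\Explorer\Run) are assumptions about a stock Windows 10 install, and the user-writable-path filter on Run entries is a heuristic.

```powershell
# Added host-triage script (example code, not part of the sandbox report).
# Walks the registry locations and drive roots behind the signatures above and
# reports anything that differs from a stock Windows 10 default. The baseline
# values (explorer.exe, userinit.exe, EnableLUA=1, cmd.exe) are assumptions about
# a default install; the Run-key path filter is a heuristic. Run elevated.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Path, [string]$Name, $Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Name = $Name; Value = "$Value" })
}

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Winlogon: Shell and Userinit decide what runs at logon. Defaults are "explorer.exe"
# and "<SystemRoot>\system32\userinit.exe," (trailing comma); appended entries persist.
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding 'Winlogon' $wl 'Shell' $shell }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit -and $userinit.Trim().TrimEnd(',') -ne "$env:SystemRoot\system32\userinit.exe") {
        Add-Finding 'Winlogon' $wl 'Userinit' $userinit
    }
}

# UAC and policy lockdowns. EnableLUA=0 switches UAC off; ConsentPromptBehaviorAdmin=0
# elevates silently; DisableRegistryTools blocks regedit. HKCU is checked too because
# a non-elevated process can still apply policy to its own user.
foreach ($hive in 'HKLM', 'HKCU') {
    $p = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if ($hive -eq 'HKLM') {
        $lua = Get-RegValue $p 'EnableLUA'
        if ($null -ne $lua -and $lua -ne 1) { Add-Finding 'UAC' $p 'EnableLUA' $lua }
        if ((Get-RegValue $p 'ConsentPromptBehaviorAdmin') -eq 0) { Add-Finding 'UAC' $p 'ConsentPromptBehaviorAdmin' 0 }
    }
    $drt = Get-RegValue $p 'DisableRegistryTools'
    if ($drt) { Add-Finding 'RegEdit disabled' $p 'DisableRegistryTools' $drt }
}

# Run, RunOnce and Policies\Explorer\Run. The Policies\Explorer\Run keys are absent on
# a clean install, so every entry there is reported; ordinary Run entries are reported
# when the command points into a user-writable directory.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    $isPolicy = $k -like '*\Policies\Explorer\Run'
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($isPolicy -or $cmd -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            Add-Finding $(if ($isPolicy) { 'Policy Run key' } else { 'Run key' }) $k $name $cmd
        }
    }
}

# Safe Mode. AlternateShell defaults to cmd.exe. Services registered under
# SafeBoot\Minimal or \Network keep running in Safe Mode, so any service there whose
# binary lives outside the Windows directory is reported (legitimate third-party
# security products can appear here too; treat these as items to review).
$sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$alt = Get-RegValue $sb 'AlternateShell'
if ($alt -and $alt.Trim() -ne 'cmd.exe') { Add-Finding 'SafeBoot' $sb 'AlternateShell' $alt }
foreach ($mode in 'Minimal', 'Network') {
    Get-ChildItem -Path "$sb\$mode" -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.GetValue('') -eq 'Service') {
            $img = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.PSChildName)" 'ImagePath'
            if ($img -and $img -notmatch '(?i)^(\\\?\?\\)?"?(%SystemRoot%|%windir%|\\SystemRoot|C:\\Windows|System32)') {
                Add-Finding 'SafeBoot' $_.Name 'ImagePath' $img
            }
        }
    }
}

# autorun.inf at any volume root, with the command lines it would launch.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '(?i)^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }) -join '; '
        Add-Finding 'autorun.inf' $inf 'launch' $launch
    }
}

$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```

On a clean host the table is empty. Read the output as a list of items to review rather than verdicts: a third-party endpoint agent registered under SafeBoot, or a legitimate updater launched from %LOCALAPPDATA%, will show up alongside the real persistence entries, and a malware family that restores these values when its process is killed needs the running processes stopped before the keys are cleaned.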

Processes

  • C:\Users\Admin\AppData\Local\Temp\5eb6f7118d3a0ce4ef0232609f910d18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5eb6f7118d3a0ce4ef0232609f910d18_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\AppData\Local\Temp\avmxujgykfw.exe
      "C:\Users\Admin\AppData\Local\Temp\avmxujgykfw.exe" "c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1608
      • C:\Users\Admin\AppData\Local\Temp\omwzmn.exe
        "C:\Users\Admin\AppData\Local\Temp\omwzmn.exe" "-c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:852
      • C:\Users\Admin\AppData\Local\Temp\omwzmn.exe
        "C:\Users\Admin\AppData\Local\Temp\omwzmn.exe" "-c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:3196
    • C:\Users\Admin\AppData\Local\Temp\avmxujgykfw.exe
      "C:\Users\Admin\AppData\Local\Temp\avmxujgykfw.exe" "c:\users\admin\appdata\local\temp\5eb6f7118d3a0ce4ef0232609f910d18_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:4144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    b4b7f1dfa94dd78c0a6b3ac21e36589b

    SHA1

    cd577dec325bd8287412b6aa39ffb096055db1fc

    SHA256

    3d0dabc7be14a9b801fd3d440dbcfac4ed3833b1b733de181319b058c28eb9e7

    SHA512

    b73c93bf53e5c1c48852881d8bf10d673a07685a64c52ea5127a93bcae22bc1d8f6000eaed4596ad72e82235cb75a257b9266452a49b71493dc5829ed03b3b9d

  • C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    1e842eafa8a9dcf3b3faa3de7d3654ab

    SHA1

    70e34580dc2258f727f9a212da7fe6d678accd9d

    SHA256

    a6fbf86d4f171ac4e3935c0fb4168a2887e6cccc53c1ad61c7241c6d9e006e9d

    SHA512

    665642d2092de5961b3f8966ece1428f70731fbd393247004ed21948195be292b87c51426c91b0629005954924fee239f4f520a1b310461dfe32505842b1c8a8

  • C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    d1497f8fd816c70c55874793f99c22ff

    SHA1

    aad3e04174362598d06225a12afd5963e4063f31

    SHA256

    ad542b6fc071026290a105b51471cab108ddd31ab0d9f28a1c87a1e5ccc91ef9

    SHA512

    16e7dfd666220e8d6548efd3e5bc068f711d50c0facd6bb5fbb90374fe69b58a57e0e910a98c7ff462fd5a672b3e406bb10c0882ffe63cbda42870ae002d5c93

  • C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    c2932ab845ebffc966e9d964bed76e9a

    SHA1

    d60e9326f76d0ec6058d75c4bc709caf19f15bb8

    SHA256

    0b7c677a0176eb6d09a518faca08d1b2627ecc82c7f0440c495437bee60721b8

    SHA512

    02ea0624af7a16e181910b4d9de751e3cec32e5fed8f1f9243e12925490f67a438c0e59d7d00c7d809eee497544a8cac68c28cdfe8b8085682c78d7500bf30ab

  • C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    5428c5f889f755b7f579ee217280134d

    SHA1

    3470a4669056a7f8365be48588d6764d7b4c5c62

    SHA256

    3a41aeebb8d82b72e73f632f8776f2fb80e2813f621aa853bebed5bd0408c699

    SHA512

    d253145646a4c2f8bb1491d95a995611df92278248f67ff611ce13e42e998e5772026fd3bad2db0801a59aaae3f451402f0da5d7a4b09e77b30936577e55e66d

  • C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    67ea68831d56c36e0731870b2c85de1f

    SHA1

    468b2521cac0c056f680c6144e87399ece5f1ffe

    SHA256

    49fd9bb3b0b7d8bfc8de4a7139b17a37c9e055a7f5b65173ce64b806142910b1

    SHA512

    ae953055d1cb0f731fc61092700079bb02e5184c2bb9c931f4eebad0f593fee348632ad224eb4d368255de36f4ce1722a0fc13411e782583131a137e82b12f0e

  • C:\Users\Admin\AppData\Local\Temp\avmxujgykfw.exe

    Filesize

    308KB

    MD5

    85cb856b920e7b0b7b75115336fc2af2

    SHA1

    1d1a207efec2f5187583b652c35aef74ee4c473f

    SHA256

    6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

    SHA512

    120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

  • C:\Users\Admin\AppData\Local\Temp\omwzmn.exe

    Filesize

    688KB

    MD5

    01ce5f309f4f830f001e11367e003f06

    SHA1

    0249680321774876cd85a35572973c7ddda8c2a2

    SHA256

    324128085a93981803899b75dc9f1dfdc562c47fc8973e8358982636c6bf6267

    SHA512

    689b3b1007cd751147519e93045f9b5e99005a6477e842b5bbad03724f6294a06476ac46d12da34e3da9e71599f1a42136c098a76f9d17c352a77833fe730581

  • C:\Users\Admin\AppData\Local\aicpmxmiuijjfvxrtqckerozokwkllhxztvsem.tqb

    Filesize

    3KB

    MD5

    0033f1391697c0fa416cb545434800d3

    SHA1

    9d43ccd853880e44da481822674a6d661b57eda3

    SHA256

    ce9ca8e5ad1b4fae809d72dca9e330c9c5be6eb03c42f85a0a434c211bdffe79

    SHA512

    4640536679aaddf7d824c0b20a59abaf226c4e9f6676b4b99f7597c5da1d84dc8a93b61b4c00b8172274c94799aa8ce8423f8e380693133dbb0fb507ad9bf477

  • C:\Users\Admin\AppData\Local\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    e592af2a78e71fa39f5bad00f5f478bb

    SHA1

    4a7eb4124e1c775581cd98fd5e63631195394796

    SHA256

    185efbbe3c8b54674841d3531cc65967152724621e28f0818b2eb6b305a1f01b

    SHA512

    120ced3f9caf8a1782c77b994d9c03872d574624a9699d3771ea6171a213e633f0311076bb8c200ce9309894e8940b0dc217045a9ce469a40a063f6d502f4032

  • C:\Users\Admin\AppData\Local\dajlxxbmnqgvglclcopmvxjjnyz.shs

    Filesize

    120B

    MD5

    9c75e11710de4a3f3c2cccc999877709

    SHA1

    135f334b6be4a8b411fae45425a7b2f9d2feb198

    SHA256

    9f686492be66f6e9ddde42536ed995e51d509ad5202afd034ab229385766f17b

    SHA512

    ddab3416aa2980363a4328596ae54a5aa6df84403e0ed19c40b0906f3470089996aa34297ee329de3b8940f6308f3d0fa4da483223e42203ec9d6890aabe9114

  • C:\Windows\SysWOW64\qawlkxomaqtvtlplpo.exe

    Filesize

    952KB

    MD5

    5eb6f7118d3a0ce4ef0232609f910d18

    SHA1

    404adb26ba92478c26e3adfdc581ffc0d34deee8

    SHA256

    17b941330650aceeab1a40a3c8140ef645d9a9ee40cd64bfbad433e251811efa

    SHA512

    eabf88c11984b2a74a98367aa67dc0494608818340b760bdcd75bce1feb0a262f5c3c7f915c27c9088465fdf35ecfda35fc6f7004eb23b76534aa17fecda6a3c
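
Two details in the dropped-file list matter when turning it into indicators. The copy written to C:\Windows\SysWOW64\qawlkxomaqtvtlplpo.exe carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample, so the sample hashes themselves identify that file. The 120-byte dajlxxbmnqgvglclcopmvxjjnyz.shs path, by contrast, is listed six times under Program Files (x86) and twice under AppData\Local with a different hash every time, so for those files the path and size are the usable indicators and a hash match will usually fail. The PowerShell below is an added IOC sweep, not code from the report or the sample; the paths and hashes are taken from the Downloads section, the user profile expansion (the sandbox user was "Admin") and the process names from the Processes section are the only assumptions.

```powershell
# Added IOC sweep for the dropped files listed above (example code, not part of the
# report). Paths and SHA256 values are copied from the Downloads section; the sandbox
# user was "Admin", so per-user paths are expanded across every profile under C:\Users.
# The .shs drops are matched on path and size only: the report records six different
# SHA256 values for the same 120-byte path, so a hash is not a stable indicator there.

$sampleSha256 = '17b941330650aceeab1a40a3c8140ef645d9a9ee40cd64bfbad433e251811efa'

# Stable-content drops (absolute path, or path relative to a user profile) -> SHA256.
$hashIocs = [ordered]@{
    'C:\Windows\SysWOW64\qawlkxomaqtvtlplpo.exe'               = $sampleSha256  # byte-identical self-copy
    'AppData\Local\Temp\avmxujgykfw.exe'                       = '6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62'
    'AppData\Local\Temp\omwzmn.exe'                            = '324128085a93981803899b75dc9f1dfdc562c47fc8973e8358982636c6bf6267'
    'AppData\Local\aicpmxmiuijjfvxrtqckerozokwkllhxztvsem.tqb' = 'ce9ca8e5ad1b4fae809d72dca9e330c9c5be6eb03c42f85a0a434c211bdffe79'
}
# Variable-content drops -> expected size in bytes.
$sizeIocs = [ordered]@{
    'C:\Program Files (x86)\dajlxxbmnqgvglclcopmvxjjnyz.shs' = 120
    'AppData\Local\dajlxxbmnqgvglclcopmvxjjnyz.shs'           = 120
}

function Expand-IocPath([string]$Fragment) {
    if ([System.IO.Path]::IsPathRooted($Fragment)) { return @($Fragment) }
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $Fragment }
}

$hits = [System.Collections.Generic.List[object]]::new()

foreach ($ioc in $hashIocs.GetEnumerator()) {
    foreach ($path in Expand-IocPath $ioc.Key) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $match = if ($actual -eq $ioc.Value) { 'path+hash' } else { 'path only (content differs)' }
        $hits.Add([pscustomobject]@{ Path = $path; Match = $match; Detail = $actual })
    }
}
foreach ($ioc in $sizeIocs.GetEnumerator()) {
    foreach ($path in Expand-IocPath $ioc.Key) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $len = (Get-Item -LiteralPath $path).Length
        $match = if ($len -eq $ioc.Value) { 'path+size' } else { 'path only (size differs)' }
        $hits.Add([pscustomobject]@{ Path = $path; Match = $match; Detail = "$len bytes" })
    }
}

# The process tree names three dropped binaries; report any still running, with PID
# and command line, so they can be stopped before the files are removed.
$names = 'avmxujgykfw.exe', 'omwzmn.exe', 'qawlkxomaqtvtlplpo.exe'
Get-CimInstance Win32_Process | Where-Object { $_.Name -in $names } | ForEach-Object {
    $hits.Add([pscustomobject]@{
        Path   = $_.ExecutablePath
        Match  = "running, PID $($_.ProcessId)"
        Detail = $_.CommandLine
    })
}

$hits | Format-Table -AutoSize -Wrap
```

A "path only" result is still a hit worth preserving: the sample was observed rewriting the same .shs path repeatedly within a 150-second run, so content on a live host will almost certainly differ from any single hash in this report. Collect the files before killing the processes, since the SysWOW64 copy and the Run-key entries recorded above suggest the running instances may recreate what is deleted.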