Overview

overview

10

Static

static

3

61ac2256a9...18.exe

windows7-x64

10

61ac2256a9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2024, 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61ac2256a931e259e3978b8731519242_JaffaCakes118.exe

  • Size

    241KB

  • MD5

    61ac2256a931e259e3978b8731519242

  • SHA1

    342987b6d29af9849d6f2ccd6b349706d2da7b3d

  • SHA256

    f3f360afbe615cb0e21bbef7f14eb6d9806bd7bb2a2ee3c5f0e3634793034d7e

  • SHA512

    362f1be0b43e0ff37da337ef69b7c14dfc922987af2f016d3fa13b5a7ac1de2cef9130cbd16bc3c1f5def06111bed13b257f2c68d02e2f55ece07baafc48edfb

  • SSDEEP

    3072:lxUjEyceq3/M+DjQDA8DfKrFHasUzFEJWmFezJxs3QrTw81oJRwhHt:gjEyz0/MzJfkZWzmpUV1oL0

Score
10/10
evasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61ac2256a931e259e3978b8731519242_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\csrss.exe" CityScape Enable
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2932
    • C:\Users\Admin\AppData\Roaming\csrss.exe
      /d C:\Users\Admin\AppData\Local\Temp\61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
      2⤵
      • Modifies WinLogon for persistence
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    22bbc48c91761e83f43f4f538f197fc4

    SHA1

    96bf39f0e3a0c26a677d7fdc72c37067176fd2d0

    SHA256

    62b1b33b87a64715277fffc7e0351a8c708fe3e2f6bac07a1fceadd3f796a242

    SHA512

    518acbfa2552db329b14a9d102b9baa772861b5e072b39a0abeb2eb8ae66b34955f4ae3e92ded924414c52d5e3c61fe59dc801ca70d9bf4d5d9628c3f55dd9d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab41.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar12E.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Roaming\csrss.exe
    Filesize

    241KB

    MD5

    e776928b6692598b7c4b55675eea15a1

    SHA1

    7a06182100023fb5e919c1b96a65b32859417041

    SHA256

    f8083564c6f2a8e4742fdeb68023436dc2bbd89a854c07860c009d67a06ee9b8

    SHA512

    90ccfa9066191e151d69e116fd70b08ea265d4c0f6bf559816ca39aa46ab4f5fe7aeb2e4b765eee57e7df89f47c286421e984eb638b1258738cf7875599f2597

    Download Submit

  • memory/2036-137-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-140-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-141-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-142-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-144-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-147-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-150-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2036-153-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2960-2-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2960-136-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2960-135-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2960-0-0x0000000000450000-0x0000000000491000-memory.dmp

    Filesize

    260KB

    Download