Overview

overview

8

Static

static

3

61b235bab7...18.exe

windows7-x64

8

61b235bab7...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/07/2024, 22:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    61b235bab776701070e80c94e7ac2ee7_JaffaCakes118.exe

  • Size

    110KB

  • MD5

    61b235bab776701070e80c94e7ac2ee7

  • SHA1

    3629163512aa769fae01b73df5347d27aa36292a

  • SHA256

    81c24667c1db55cb1c7a31e8329fec0793568c5daf335b7b978ca3a281c704c5

  • SHA512

    332d1bb54c792c7d65b5c84acd394ff20867a9883a29ec8e51738560866cf6259b7678b1649166ef20ae4773a01f6c1fdd334175cd4bba1e5b35190f982cc346

  • SSDEEP

    3072:mfM/TolHqZeRR0FeaA66sh1vKtnIOHTw0/C:mf8MHqgj3h6K28bC

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61b235bab776701070e80c94e7ac2ee7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61b235bab776701070e80c94e7ac2ee7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Windows\SysWOW64\inf\svchostc.exe
      "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080617.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\system\sgcxcxxaspf080617.exe
          "C:\Windows\system\sgcxcxxaspf080617.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3452
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3452 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:632

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Windows\SysWOW64\inf\svchostc.exe
          Filesize

          60KB

          MD5

          889b99c52a60dd49227c5e485a016679

          SHA1

          8fa889e456aa646a4d0a4349977430ce5fa5e2d7

          SHA256

          6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

          SHA512

          08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

          Download Submit

        • C:\Windows\System\sgcxcxxaspf080617.exe
          Filesize

          110KB

          MD5

          61b235bab776701070e80c94e7ac2ee7

          SHA1

          3629163512aa769fae01b73df5347d27aa36292a

          SHA256

          81c24667c1db55cb1c7a31e8329fec0793568c5daf335b7b978ca3a281c704c5

          SHA512

          332d1bb54c792c7d65b5c84acd394ff20867a9883a29ec8e51738560866cf6259b7678b1649166ef20ae4773a01f6c1fdd334175cd4bba1e5b35190f982cc346

          Download Submit

        • C:\Windows\tdcbdcasys32_080617.dll
          Filesize

          220KB

          MD5

          d4839ed4246e6ad0f6b2306dfd2a370e

          SHA1

          b117a3c28d5a5e666b9ba8d69e32e9ccf2b2fd31

          SHA256

          0fac16f27e119867db9e6c35280813003f558c087150a683e1dd03c834dd6cc9

          SHA512

          a8bc58859c7a1ccfd37fca0db344a2435434d61e008dfb6758449cc3bc0989740283b2e3a214f6fd48905cb46708f57c6f0ba00c14fa2de96e483da2933f9561

          Download Submit

        • C:\Windows\twftadfia16_080617.dll
          Filesize

          31KB

          MD5

          07a1a55ca8a577d402fa964a48e9baef

          SHA1

          240cbf4d7039e9cdd0ff1aeee1008e4e15cc57ea

          SHA256

          db0ed8d83f571f506efdc7d7b0db8a312b78c32d224b30a6bbb326e6ed4d2554

          SHA512

          9eb7b2312a4d74a901d379c5fb6746f41f51efc8a49b086e0fec634fff5b56abef2c1ac05fad6e31c895357484e6623504591b586c0282514bff73b008ff9d01

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          97B

          MD5

          d101f3757ea09889f09d7567a137ff80

          SHA1

          d7ba0df94e3c4ec7dd03f5df4429ae0eb624ce2a

          SHA256

          69a57dee4e7ebcd1352cd9dc39249259cf1e70e302f7764841e9a8ad4b4db369

          SHA512

          01a01e36e1b4a85646e9f859b09649c2fb4e794c7fc52a16c667a5480a9a8cec5c0b20dee17632a93dd5fc71fcacbbd0b57191d87fe623f3149dc42c70bf5fd8

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          448B

          MD5

          3e533dcabef3f963df15d0088f3e46c9

          SHA1

          d1ab060054c9776e6f218916577cb7c18eff806c

          SHA256

          75d5b3f67f3ebbf1e0750a74d46d7c272101ff054065f555fc675d4370464d68

          SHA512

          5499d63ceb169b352a38e8037786f36551126b3a0e95c80bcd20b8de88b0b7bf2fcdefd701468b7e884fa347e8403698427abf65781e71baa79b10739453175f

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          364B

          MD5

          a49d9c55f5820b26585582cf95967843

          SHA1

          1833474577575b328502ca0c5ad821a740788c99

          SHA256

          b9d601aa22e5a59bbadc9843dd5b0f6f8a002b2b208daaf9ff2dfc5be9bd1e35

          SHA512

          e5c7ed74f4c47e8565f5b2327ef8723841e7502b1b233c69f3a8e46e7bf8b47c5fdc5cdaee7df1586bc101ba0c05af758c0da767582fe6497abd3d24634e6ae1

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          392B

          MD5

          f15885fec150e3f5c491abb4be72a2f2

          SHA1

          45e3d3db85aa76e956170d3c73aa3fdd9480af9b

          SHA256

          b69995cef970782565d9d316fe0be984ba2dacbf0483224dd29a42b84e928df9

          SHA512

          63c92f2143c32ed371baaa4cafbdbef2c0569bcbd66c9f015b13607910350a3adba14d4dd5fdba7ab267dc4407df89b2951618f5956dc3258fb71cdc391791ce

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          398B

          MD5

          93774285b4a66594f0fae89950b712d3

          SHA1

          467de2cd0eaff553e948488500504881524823d0

          SHA256

          eb10c552de3c38f988d413769be0ef604b921b48d9d9b33cd6ce936a5cb67a15

          SHA512

          8983f1acaf828c69eef04b3c373c01e4ac87c79f22e96e1958587d2196bf7d4d9a216b43c394ca9b778ee9eae4b6ba72ff94cbe17b08256c7f28b6450b521fae

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          431B

          MD5

          5f98ec75478976e1368763a9a8cef6c5

          SHA1

          4fbc54a5f8ff9c2dd92c8ea43b313736113aa3b3

          SHA256

          93a9ccc94b71078f01965adaa05fd79a092ab3aef3256c9624bf50c86e3954e1

          SHA512

          6ee5d27085cb73cca9bfae0697b0dbb9f724ba761a0931d9c2cff673d4841f83ba95a154a923de3152496a4bb9945e8d01726a69002b6a6cfc5f5c1838f9b7f0

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          458B

          MD5

          60f1f158f8982c97cbc8581ab424e6bd

          SHA1

          4a5d823352caef35ea479f1c62d4d65dc13fe9c8

          SHA256

          064a9dc35a105728a94151c142c5aeaaf1552394ee8c74b0791665903a52a058

          SHA512

          ea57a78d42e6b54ef4b125bf7f6033c3f72e6e26ff6f9c50834639909947ea18838b03665131f267f7cb1131c3b0058bce48a029067ceb7c7d42790ada8e3243

          Download Submit

        • \??\c:\mylstecj.bat
          Filesize

          53B

          MD5

          c50cf9bac3124297dc0b4cd125d6abd1

          SHA1

          44f0c06a6f4d4e1424aebf86eae758831c1bfbb8

          SHA256

          ab47ab1cc32f6045ab3820e389092de802e2f9406e2646384479374c3e0949f2

          SHA512

          cf224527009a226c5c3b67934bff1d3cf0a3f229a5b971fe33e662edeb842605cc76dd97ef8f9ceeb39a24cd66f79167074134256d8878359e9ecc49d481b710

          Download Submit

        • memory/4948-66-0x0000000000880000-0x000000000088E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4948-74-0x0000000000880000-0x000000000088E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4948-88-0x0000000000880000-0x000000000088E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4948-56-0x0000000000880000-0x000000000088E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4948-110-0x0000000000880000-0x000000000088E000-memory.dmp

          Filesize

          56KB

          Download