Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
23-07-2024 00:21
General
-
Target
656725f09aa6a07f41fef88b362ad8b9_JaffaCakes118.exe
-
Size
9.9MB
-
MD5
656725f09aa6a07f41fef88b362ad8b9
-
SHA1
9b4949a9d2d7ddbbefb5bb553bed4a39d2b392c9
-
SHA256
531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f
-
SHA512
27eec396079486535a8a870ed2c8d1c4fa97cca0cdf72a5331516c0d7f41d43b84e68844a61f0b9722c1a1da96300e7e29303c3edade635df67807a42003038b
-
SSDEEP
6144:YJl5cP2e8F3cUAojUmFvMKpiC+afJRda3RIkvNIyI/VEpAl/JgIj0oTYibGRrgUW:MiTTeLe0D4
Malware Config
Extracted
asyncrat
0.5.7B
Katayumi
normal-knife.auto.playit.gg:54950
normal-knife.auto.playit.gg:7707
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
ZxKKE4oK8.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 10 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 49 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Delays execution with timeout.exe 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\656725f09aa6a07f41fef88b362ad8b9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\656725f09aa6a07f41fef88b362ad8b9_JaffaCakes118.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\656725f09aa6a07f41fef88b362ad8b9_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\656725f09aa6a07f41fef88b362ad8b9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\656725f09aa6a07f41fef88b362ad8b9_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 19086⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 14884⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"' & exit5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp.bat""5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 17⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 18⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 14647⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 14244⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\LunaInjector.exe"C:\Users\Admin\AppData\Roaming\LunaInjector.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9DC6.tmp\9DC7.tmp\9DC8.bat C:\Users\Admin\AppData\Roaming\LunaInjector.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\mode.commode 82,245⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 22362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1100 -ip 11001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3188 -ip 31881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3748 -ip 37481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1892 -ip 18921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4876 -ip 48761⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify Tools
4Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b5291f3dcf2c13784e09a057f2e43d13
SHA1fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
SHA256ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
SHA51211c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4
-
Filesize
438B
MD5ad81fd823266aabb73a229b8d842720e
SHA109c851304e0626bbf5fd15aa4212e14c9a8294a2
SHA256ad3ce6e067e2210681ffca11d32d91c6be6cc13fca5f9fb7ab7a73e4daa31f00
SHA512201bc9e51c00bbb38e949c06b59adcb32f9a07caeba38fc92db7ec8f9c54e43932fed045982cd4fa56d605f082f44828de7f9ad732777fc7ca86a4ff7f91989e
-
Filesize
545KB
MD59c8b5486b38230c7c1f934c01a895d95
SHA185626e89ca6a0a3838786698ec670d909c5eec5b
SHA256fd8eb30f8c98d4e97459b051f6e14a52e6194e4b431ae1243c8638f08701f5a5
SHA5125555b9c7ccef651f03787f7531eea69023fc7c4aaa2315aba878d490f1a655afbd6347da0721d5e88cad3a956e399d21dfda2f2d2a83afc1c7277f1468a17450
-
Filesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
156B
MD56ec89dd14be6ffa33b0239f465d5d5b5
SHA160e3a771d6af334b5100fe312ae8c87f971e2028
SHA25664281e709d1f0ccc7fd0da364a61d5f2730df297f059dcb72010cb2ec7652c10
SHA5124b8c372f4da244e1b8c739397eb991bc640ee9968b702b8ae14346cff57edd8d90284988a53eb9e7bf2a98cab7455dd704fe9a254fb2aab3cac8ae3cbdb02214
-
Filesize
89KB
MD538bece8d537dea0d0bf7603c073aa90c
SHA1fc70b8b4d22b323fe9e886f36620269d6c791eac
SHA256261b67c10cca406ce934032f7e6da36b8408db3fce6df7d7a37dca69703c59cb
SHA512224d70c8f2b8c98456177cd087faa77436c86fbcd4fe36ae410c6d184181b30cbd50718fbfa347b85a0d2d303f273197fd9fea5addb28538eab43d84f527185d
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
9.9MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
1.4MB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
680KB
-
Filesize
120KB
-
Filesize
1.3MB
-
Filesize
32KB
-
Filesize
568KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
32KB