Overview

overview

9

Static

static

3

66c96f2681...18.exe

windows7-x64

9

66c96f2681...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66c96f2681a0979f28995f9eb864f715_JaffaCakes118.exe

  • Size

    175KB

  • MD5

    66c96f2681a0979f28995f9eb864f715

  • SHA1

    e227cf15087bf98c588de3ee1b38c450b7b259b1

  • SHA256

    ca951f7c540941ee4be8a9284d30150ecef411107a0e62249a5f9954c1297ca5

  • SHA512

    664a667f51d7699f1b66091d5674b495b7c7bb6913b821d7c8d642ef2b2403611b27abf6c49fa3527347964512d61793901d8dbd1ed859eba9fb2e8834a9e161

  • SSDEEP

    3072:mMkcPTF6QV8HNBBYiTpXEq7ndNiDDdwcwqKSncs4lzBAJ2BP+z1Sa2:5kcRwHNBBYsrnLiDDKTs4lmJ2BP+hSa2

Score
9/10
persistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1424
      • C:\Users\Admin\AppData\Local\Temp\66c96f2681a0979f28995f9eb864f715_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\66c96f2681a0979f28995f9eb864f715_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2736
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a51B8.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Users\Admin\AppData\Local\Temp\66c96f2681a0979f28995f9eb864f715_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\66c96f2681a0979f28995f9eb864f715_JaffaCakes118.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2504
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Tencent\QQ\run.vbs"
                5⤵
                  PID:2040
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Adds Run key to start application
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1832
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2464
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2848
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1612
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:816

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Tencent\QQ\run.vbs
              Filesize

              160B

              MD5

              53d942f5744323de892bd5de39e99743

              SHA1

              8aa68e4e1fdf38ca3a64d13c0981628d1e3c9f12

              SHA256

              a40cdb9173ec67a90f7464dc1b306f9796fa8526577f65c7f7c12cb4a1cc94b0

              SHA512

              ae917cf0b1dbbd8c261cbb4ad14edac61260257cb385256e0773e22ebfae2357162ccbdda5ef54e60d7de9db62799d7450c1268b1aa27abdcd886b5b7773dd5a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a51B8.bat
              Filesize

              614B

              MD5

              d46a8141e82d2b7467d94e08f8893316

              SHA1

              ccc952dcf1db4f6f34ce90872e9a9727880cd970

              SHA256

              41364cac5b9af02fa46d85eb569ff0feeb4f5d506acc65b12af7ac7444d3b372

              SHA512

              ad1dfeb6fb5ecaaf4ee78d5a1ff61d0332d90e2ebba04a3894f80e47c0d07cbea7ee4dcb7763c07cf954825072c3f8a3563e9e4fb19762b087d071530030d8de

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\66c96f2681a0979f28995f9eb864f715_JaffaCakes118.exe.exe
              Filesize

              117KB

              MD5

              fc89a590ced260129e180233dba8c6f4

              SHA1

              3715f8d0d08722ac9807c57c2cb4f9040a7ac075

              SHA256

              3916f17224ed64c3dc745be2b4d686079a30bfc00ff81ce0be602ccd39f377a9

              SHA512

              b5d4690325757cc66475babbc37b68a3b039df3c7904dd89f97af768834c99c9f8d1a354d7dca716349d92932c271e5c453b9cad6502d81fbe12afc70c42a942

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              58KB

              MD5

              ad6d481e21d8f81beeac72f95ab2b36f

              SHA1

              3d06f66d0c501ec607c626bba1667c6a42af8d42

              SHA256

              291e014b7d8870b9821c65c86438e03e464fed0d7131b5c97987cf0e8d3f2881

              SHA512

              207b782d9ffb58394ae00ad4862c959e1a42b645bb25e827612fe9a06006b95b9a4edf2d99046792396b69a699e21f16520f5122e9c2cbbeb77ba26fc8f929eb

              Download Submit

            • C:\Windows\system32\drivers\etc\hosts
              Filesize

              832B

              MD5

              7e3a0edd0c6cd8316f4b6c159d5167a1

              SHA1

              753428b4736ffb2c9e3eb50f89255b212768c55a

              SHA256

              1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

              SHA512

              9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

              Download Submit

            • memory/1424-41-0x00000000029D0000-0x00000000029D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1832-22-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1832-35-0x0000000000020000-0x0000000000040000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1832-44-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1832-45-0x0000000000020000-0x0000000000040000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2504-27-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2692-18-0x0000000000230000-0x000000000026F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2692-17-0x0000000000230000-0x000000000026F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2692-20-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2692-1-0x0000000000020000-0x0000000000040000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2692-0-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download