Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2024, 12:18

General

  • Target

    6f8a6d2e951e4c28a64cbcd912bfb6a7_JaffaCakes118.exe

  • Size

    944KB

  • MD5

    6f8a6d2e951e4c28a64cbcd912bfb6a7

  • SHA1

    24e803bd053d309a1d9e64fed0e4e499bd701cd2

  • SHA256

    be1310dff496b3e1b20b30080ae7eef090ac95a17e3cc10320f73ab1950a7040

  • SHA512

    40adbd7b31325ce567da79c79dbb177291a854d28655a10a3b1fc7e8875bec87f7fe77632c3a9e0bf84741a53adb903ffb7acecf6479a364c267bbaf80374ae3

  • SSDEEP

    24576:vCvdzE03FHfPydFEnoIyvEBmXKt6UpH3VCE/NN/5w+yV/ACwhwMCOKbaNS3M:avdzf1HfPy4SvEBmNa3kCNN/5wjNACer

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f8a6d2e951e4c28a64cbcd912bfb6a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f8a6d2e951e4c28a64cbcd912bfb6a7_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4852
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3872
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1928
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4040
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2732
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1104
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3404
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:1532
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:4216
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3688
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:2960
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\defender.exe
    Filesize: 861KB
    MD5: 40258e43c3c28f4d5905ab69f56db6f7
    SHA1: 8433b28760312fc2bd61afdd13bf5bca8e854068
    SHA256: c607dce4796c320e5f575d9a6c3ce33079324f4203561b19317d9b9e4d588c27
    SHA512: 713f94306abb467c7fc35bf67f83addc2b00cde7a2711fe36c5145579031c4f6aa94f94eecda3f3adaa14d1049014725c71e8b3d7638966521f1e956f4fa9b1e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize: 471B
    MD5: 4eb8bd2bc530eb9109ff66a5726bf5ad
    SHA1: e42dbc51ca9c30da7d905090a72b671427598b3c
    SHA256: 1e8c0410131c5a732c88c64b21e530b5dd17683f07b6e80bb0bd2339b6b1a0f8
    SHA512: dbfdeddf8791878d371f7ad9e8b715326c120a8ec141ab87f6bc4386176d477b76c4c36604644ccea0e6b781014ed9b63113d385e0b5c6adf6e0808ad4f86765

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize: 420B
    MD5: 87cc50b42c3c4899beea764dd64b2faf
    SHA1: 8306bfb1e8e4f1fe0834277470024dda37e54874
    SHA256: a0cb25dc24b03182f52c345c7ad5e4fe0b527fd54a4e7ba6fcf52c540005c034
    SHA512: b2fe820651e0ea2a5b01533e4b7ff2250415a140fdd79c86eed6bbef00705070af4dd5b8f94dc99adc301038c0011b9271d7bf6677520170bbf9c60c08058598

  • C:\Users\Admin\AppData\Local\IconCache.db
    Filesize: 15KB
    MD5: ee5938499c21ece92d46ec2cab1b0d12
    SHA1: c9516471ffcc58ba11f5fb96cd85fd37bd67a6a9
    SHA256: c53423f9eeeacd61cb8e11c345798740a30a8b1ab55ed88265d19971f396106b
    SHA512: 4b298f609601a5f36c2afbfbd23d147c0a654aa134a280d052925c01f5cbd764c7b56891f5c3575cc34e5de49369a4dd3323cd41dfca93d4e8661a6bcfdd0876

  • C:\Users\Admin\AppData\Local\IconCache.db
    Filesize: 16KB
    MD5: ce37ba6a0ced61501fad5c8b9f7e498a
    SHA1: f868ac353512402522190e4988d9821925d897ba
    SHA256: 54346d9fb4912db80b2730debcfe6d411501dcf1a9e097ba5acae04113e324da
    SHA512: f5ec8ae44099bebe00f77474301d7119f589c2fb33ca534787f05fea8159e4485a55ee504076947b37f0c3c8c6fd73f2b6376c37205b28280db027bdc7a1dc4e

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
    Filesize: 1022B
    MD5: 5c434bf5609ee7006b3a3c85390243de
    SHA1: b52b0a89a93afccb71c9faa17c384c583112448e
    SHA256: 2452281a15f5b32c7cd25dffa05a04ad5ee79c2bdf3c259a7afde227325b3c8f
    SHA512: 3a2cd8d20e110df0a4215a66bd0349c9d6ba29cbb41f78e18bd28d9d4d1e574ee8c138237e989bf8630192f4b8a908fe7086c4ac2995ffa74bab7551fc0c8dea

  • C:\Users\Admin\AppData\Local\Temp\{3E0B522D-77E4-4B80-B0CE-99C9C0D0A8A6}.png
    Filesize: 6KB
    MD5: 099ba37f81c044f6b2609537fdb7d872
    SHA1: 470ef859afbce52c017874d77c1695b7b0f9cb87
    SHA256: 8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7
    SHA512: 837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

  • C:\Users\Public\Desktop\Malware Protection.lnk
    Filesize: 679B
    MD5: b4f126482f8f1281612cae6af776d42f
    SHA1: 4e3d5841009c445e5a632d3c8760b03b08420168
    SHA256: f78b851b911e6c0bb1b7e525fab137fd8eac30dd8fcd49035e56c0dae1d0944c
    SHA512: f982d487a89b30c4a48107a5f2a85d0742c9dbcc47aba12c2d423e037fefbea995d36800c983fe48742ce9c8bb75969fed76d733ee39b9dba908937aed713818

  • memory/1104-35-0x0000000004090000-0x0000000004091000-memory.dmp
    Filesize: 4KB

  • memory/2864-8-0x0000000000404000-0x0000000000405000-memory.dmp
    Filesize: 4KB

  • memory/2864-0-0x0000000000400000-0x00000000006DF000-memory.dmp
    Filesize: 2.9MB

  • memory/2864-23-0x0000000000400000-0x00000000006DF000-memory.dmp
    Filesize: 2.9MB

  • memory/2864-3-0x0000000000400000-0x00000000006DF000-memory.dmp
    Filesize: 2.9MB

  • memory/2864-2-0x00000000009E0000-0x0000000000AE0000-memory.dmp
    Filesize: 1024KB

  • memory/3572-50-0x0000000004290000-0x0000000004291000-memory.dmp
    Filesize: 4KB

  • memory/4040-30-0x00000000031E0000-0x00000000031E1000-memory.dmp
    Filesize: 4KB

  • memory/4852-21-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-63-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-20-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-17-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-18-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-52-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-15-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-59-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-60-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-61-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-62-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-40-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-70-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-71-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-72-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-73-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-78-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-79-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-80-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-83-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-84-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-85-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB

  • memory/4852-86-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize: 6.1MB