Overview

overview

9

Static

static

3

3d8277eae2...18.exe

windows7-x64

3d8277eae2...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    63s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 08:36

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    3d8277eae29afe5fa91180fc938f4b3c_JaffaCakes118.exe

  • Size

    758KB

  • MD5

    3d8277eae29afe5fa91180fc938f4b3c

  • SHA1

    02770a9b83cd8c82c70814d5b72041e240d3bed1

  • SHA256

    f2f03b4d660d6c9ea2aa67e9be35f6ab4c4e5daf9673622b645e29fb85c7faf4

  • SHA512

    bbd37e220d0d6c350e9fc3c38c33dce4aa8af4c5be7708a375b80f821ca0eb9c8248335b964f734793bbd10a0cf32462f955d531920cc747f7816fbb93333c0f

  • SSDEEP

    12288:5dtnqYk9TmLe+TBshw02+xodZ2iSjD5cdrLbVrBpFpQcBJBgqZDE0OF:5d1qYESNTBI1xoPrPVrBpFpDXgqZi

Score
9/10
defense_evasiondiscoveryevasionpersistenceransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Drops file in Drivers directory 1 IoCs
  • Enables test signing to bypass driver trust controls 1 TTPs 10 IoCs

    Allows any signed driver to load without validation against a trusted certificate authority.

    defense_evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1208
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1328
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1356
          • C:\Users\Admin\AppData\Local\Temp\3d8277eae29afe5fa91180fc938f4b3c_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\3d8277eae29afe5fa91180fc938f4b3c_JaffaCakes118.exe"
            2⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Users\Admin\AppData\Local\Temp\Edhe\mayzoz.exe
              "C:\Users\Admin\AppData\Local\Temp\Edhe\mayzoz.exe"
              3⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2520
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2296
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2372
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:3028
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2240
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2684
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2436
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2228
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2556
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2700
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                4⤵
                • Modifies boot configuration data using bcdedit
                • Enables test signing to bypass driver trust controls
                PID:2736
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PQO6442.bat"
              3⤵
              • Deletes itself
              • System Location Discovery: System Language Discovery
              PID:1724
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1408
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x0
            1⤵
              PID:2408
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x1
              1⤵
                PID:2944

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Edhe\mayzoz.exe
                Filesize

                758KB

                MD5

                db8707942639999ca6aeeca722282e0e

                SHA1

                e8b3fbf2520c532ada94d211d53d5772bba20c9f

                SHA256

                50e073a5d23fd1b733554c121ec41bc8189a44075eb53848f6a255856d0bf849

                SHA512

                455c6a1219a8861cb65b15e231660b004f102de44c8ab8dff6e7f675202a396d0ebd8e43c903b2967d937a73e5f4ebfa4f73a189dbe5641b857fb9139e6361ab

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\PQO6442.bat
                Filesize

                238B

                MD5

                4ac4ccd365aa33d43b96bef6176d7ccd

                SHA1

                61a9ba74bc3b7fa6a635b80ea1d0e09d131c12ce

                SHA256

                d4777f624665123938fbe25a80b7e1e5cf918902efb63dd4836e1b6f08449564

                SHA512

                2d8dc98847011f7fdb8209a26bf6c449eb997f81b82bf7df130119f06c457e177b3f4c454ce83745c95379f06888e67021a6fe5ffda0a26e5ddb1caea45ceab5

                Download Submit

              • memory/1208-20-0x0000000001FB0000-0x0000000002019000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1208-19-0x0000000001FB0000-0x0000000002019000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1208-18-0x0000000001FB0000-0x0000000002019000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1208-17-0x0000000001FB0000-0x0000000002019000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1208-15-0x0000000001FB0000-0x0000000002019000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1328-27-0x00000000001B0000-0x0000000000219000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1328-25-0x00000000001B0000-0x0000000000219000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1328-23-0x00000000001B0000-0x0000000000219000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1328-29-0x00000000001B0000-0x0000000000219000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1356-38-0x0000000002510000-0x0000000002579000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1356-33-0x0000000002510000-0x0000000002579000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1356-36-0x0000000002510000-0x0000000002579000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1356-39-0x0000000002510000-0x0000000002579000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1408-45-0x0000000001C30000-0x0000000001C99000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1408-42-0x0000000001C30000-0x0000000001C99000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1408-43-0x0000000001C30000-0x0000000001C99000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1408-44-0x0000000001C30000-0x0000000001C99000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-74-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-66-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-64-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-78-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-81-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-77-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-76-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-75-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-73-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-72-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-67-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-71-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1724-68-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-53-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2448-59-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2448-47-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-50-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-51-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-52-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2448-54-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2448-55-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2448-0-0x000000000049C000-0x00000000004A0000-memory.dmp

                Filesize

                16KB

                Download

              • memory/2448-49-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-56-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2448-57-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2448-58-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-48-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-60-0x0000000002030000-0x0000000002099000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2448-70-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2448-1-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2448-2-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-11-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-14-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-10-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-9-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-84-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-86-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2520-92-0x0000000000400000-0x00000000004CE000-memory.dmp

                Filesize

                824KB

                Download