Overview

overview

8

Static

static

3

81c99e9f40...18.exe

windows7-x64

8

81c99e9f40...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81c99e9f40b36b9f8201bf47b974b087_JaffaCakes118.exe

  • Size

    79KB

  • MD5

    81c99e9f40b36b9f8201bf47b974b087

  • SHA1

    8454764e151bf8622541abd7f608e69dea701e30

  • SHA256

    29d9112141942b8d398e4a8013061e409af130412b3f886ae5a42d12d6526738

  • SHA512

    af1c1b61395f455b07d95bef1b308af9fc6e3266fc720fd0eea02220165b4304f81ade119badd3ff77e48710d0bb421fcd26801ec0090fc599e34c8c9432d1f8

  • SSDEEP

    1536:vbJUWIcJuPQWr5B/lAMG83RheVPGSFPT:jSWIpr5BnhIFF7

Score
8/10
discoveryevasionexecutionpersistence

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 20 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81c99e9f40b36b9f8201bf47b974b087_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\81c99e9f40b36b9f8201bf47b974b087_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:300
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\seat.dll Execute
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\sc.exe
        sc stop 360rp
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2040
      • C:\Windows\SysWOW64\sc.exe
        sc delete 360rp
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1904
      • C:\Windows\SysWOW64\sc.exe
        sc stop RsRavMon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1908
      • C:\Windows\SysWOW64\sc.exe
        sc delete RsRavMon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2292
      • C:\Windows\SysWOW64\sc.exe
        sc stop McNASvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2100
      • C:\Windows\SysWOW64\sc.exe
        sc delete McNASvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1872
      • C:\Windows\SysWOW64\sc.exe
        sc stop MpfService
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2056
      • C:\Windows\SysWOW64\sc.exe
        sc delete MpfService
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2212
      • C:\Windows\SysWOW64\sc.exe
        sc stop McProxy
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2708
      • C:\Windows\SysWOW64\sc.exe
        sc delete McProxy
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3032
      • C:\Windows\SysWOW64\sc.exe
        sc stop McShield
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1920
      • C:\Windows\SysWOW64\sc.exe
        sc delete McShield
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2184
      • C:\Windows\SysWOW64\sc.exe
        sc stop McODS
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2248
      • C:\Windows\SysWOW64\sc.exe
        sc delete McODS
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2136
      • C:\Windows\SysWOW64\sc.exe
        sc stop mcmscsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2628
      • C:\Windows\SysWOW64\sc.exe
        sc delete mcmscsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2752
      • C:\Windows\SysWOW64\sc.exe
        sc stop McSysmon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2896
      • C:\Windows\SysWOW64\sc.exe
        sc delete McSysmon
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2652
      • C:\Windows\SysWOW64\sc.exe
        sc stop ekrn
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2644
      • C:\Windows\SysWOW64\sc.exe
        sc delete ekrn
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\miat.dll Execute
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\pci.sys
    Filesize

    11KB

    MD5

    5c06d52d07a39f36e04a05e5b565dbc2

    SHA1

    33daaf8afc98426f22da0395eb3b4da7d60f383b

    SHA256

    8373917a90395c6f6d88480939cbf3e5875caab93750e2b4520665b90f305d26

    SHA512

    030eeb0b90f2cf099251a7bab6a3ede3cb577710a1580464c18f089021f82a16386d8eba20634fa1cfacb9424c9b1a228f1189b7b85bed08ffc1c52b22c04156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\D3A4.tmp
    Filesize

    1.7MB

    MD5

    b5eb5bd3066959611e1f7a80fd6cc172

    SHA1

    6fb1532059212c840737b3f923a9c0b152c0887a

    SHA256

    1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

    SHA512

    6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

    Download Submit

  • \Windows\SysWOW64\miat.dll
    Filesize

    8KB

    MD5

    5fd366e1f6dd7500fc0bfad1cd50c880

    SHA1

    faa0988a9c1a05145d9ab7325bdefb95e142b80c

    SHA256

    13be6c2e89c054911f42c8221dd85ee87f08b85588b55ae0879eb47a3d8664a4

    SHA512

    abf7f9db81c32d68ae4a6304f5992d9af7a4f0448b44d1f6fb90e9e08e41ba38ee7769f2125a21d1891a3c3e7ad57da96ebd00d727488b9f76758aa13559bd1b

    Download Submit

  • \Windows\SysWOW64\seat.dll
    Filesize

    14KB

    MD5

    96db3b9aec3b3695fa13cbd594982ecf

    SHA1

    de05cc22d8393d08dfd9f1ee73cc3dba9733f748

    SHA256

    8e6fa1336ff0bd77e2e766e556a999dbcaa707469820879b0f5b0dfe9d7061dc

    SHA512

    b4e1cd02128c5e3d767b169b0d39e1682d7932eb5201c0e76750d6caad6869f8b6489101f08e9254444ac16f7f4f75f670dc07eb331a5758576edf19aff92c95

    Download Submit

  • memory/300-8-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download