Overview

overview

10

Static

static

7

82feaf4427...18.exe

windows7-x64

10

82feaf4427...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02-08-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe

  • Size

    3.0MB

  • MD5

    82feaf4427aff3dbad0a259b45bff63d

  • SHA1

    f1ca08e6a0866b42e3f7ed7c2e1e1d3ad7a5ceac

  • SHA256

    9a5bdddfeddbfaf15804092d2dd4c0f0edf84ca91781a57ef87a24e2e53c0f31

  • SHA512

    a196d170e7e17b7fbb249bb150cdf088e951183a97687786dbd6935039518b06527be69f7d6c79323f373f8a6d68b0a25c572f5f97962fd40b117a14f777e498

  • SSDEEP

    98304:MDHEfh0QVKtQkgC22K2uJ6AOsmKC81PBTcGcqpXmw8VSfVN7G97BmONSciOi2:m8atgujKC81PBIGcZcNN2EciO/

Score
10/10
discoveryevasionexecutionpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Uses Session Manager for persistence 2 TTPs 3 IoCs

    Creates Session Manager registry key to run executable early in system boot.

    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\82feaf4427aff3dbad0a259b45bff63d_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\windows\system\Plugin.exe RPCCC
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1796
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn balada /tr c:\autoexec.bat /sc onstart /ru system
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2096
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2992
    • C:\Windows\SysWOW64\sc.exe
      sc delete GbpSv
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
      2⤵
      • Uses Session Manager for persistence
      • System Location Discovery: System Language Discovery
      PID:3052
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\ControlSet002\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
      2⤵
      • Uses Session Manager for persistence
      • System Location Discovery: System Language Discovery
      PID:2932
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
      2⤵
      • Uses Session Manager for persistence
      • System Location Discovery: System Language Discovery
      PID:2816
    • C:\Windows\SysWOW64\net.exe
      net start GbpSv
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start GbpSv
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2300
    • C:\Windows\SysWOW64\net.exe
      net stop GbpSv
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop GbpSv
        3⤵
        • System Location Discovery: System Language Discovery
        PID:916
    • C:\Windows\SysWOW64\sc.exe
      sc stop GbpSv
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Windows\SysWOW64\sc.exe
      sc config GbpSv start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:280
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\autoexec.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autoexec.bat
    Filesize

    6KB

    MD5

    3c4efbf13ceeb379b1a102ca466048cd

    SHA1

    cd038f0fe0747102bf0568a9eafc139fb63b7e8b

    SHA256

    1156730d23bd9460f2b577176b8960df0cffe15a72c7df0b1da6ddb13ce6e995

    SHA512

    68f7085a2f3d24a543b25029fa83cfff1ed05f63a99155cecbb4cdc0b9b26354f4d48b08256c5a5212ce319467b23fa6804e9f8d67a81c4231d444ffe1eac320

    Download Submit

  • memory/2232-2-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-3-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-19-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-20-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2232-24-0x0000000000400000-0x0000000000B64000-memory.dmp

    Filesize

    7.4MB

    Download