Overview

overview

10

Static

static

3

85a2b27d7e...18.exe

windows7-x64

10

85a2b27d7e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/08/2024, 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85a2b27d7ea530ecf6279c20f5c4cf54_JaffaCakes118.exe

  • Size

    888KB

  • MD5

    85a2b27d7ea530ecf6279c20f5c4cf54

  • SHA1

    97816df5b2468dc8438094d40f4c532043a8e179

  • SHA256

    f965854098fb35d6291a9dd8c0b3808c8ad944284610fb4eb1a61e9b016e6d22

  • SHA512

    864f13686864cacf237ece120d2026d3e30fe5edba1c8b6e3400f255429a4571087ff00e58e4cb11176d1beda2e310fd607a073d0363b1e4d37a33c316ea6eaa

  • SSDEEP

    24576:YpUNr6YkVRFkgbeqeo68Fhq+NApyQhO0L:YFlXZbDApyQhOy

Score
10/10
defense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • UAC bypass 3 TTPs 13 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 30 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
    defense_evasion
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 38 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\85a2b27d7ea530ecf6279c20f5c4cf54_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\85a2b27d7ea530ecf6279c20f5c4cf54_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe
      "C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe" "c:\users\admin\appdata\local\temp\85a2b27d7ea530ecf6279c20f5c4cf54_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:220
      • C:\Users\Admin\AppData\Local\Temp\adomq.exe
        "C:\Users\Admin\AppData\Local\Temp\adomq.exe" "-C:\Users\Admin\AppData\Local\Temp\xlhqfbkfsjxpaoan.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • System policy modification
        PID:916
      • C:\Users\Admin\AppData\Local\Temp\adomq.exe
        "C:\Users\Admin\AppData\Local\Temp\adomq.exe" "-C:\Users\Admin\AppData\Local\Temp\xlhqfbkfsjxpaoan.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:508
    • C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe
      "C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe" "c:\users\admin\appdata\local\temp\85a2b27d7ea530ecf6279c20f5c4cf54_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Safe Mode Boot

1
T1562.009

Modify Registry

5
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    9c520a5b1c86e3110eab8635b21f6a98

    SHA1

    3caf33f5f77a501b8434a5cef390ca4c2efe9493

    SHA256

    4b69008ac9161095b3f350801b9744a1adf819ff331bec6566e29e4a4c9a81ef

    SHA512

    bc3a04ca999480e9b5bfd39eea039e03e6bf16ae83c4446cd39cab861862792d1ac1a87dbaea7dc3ad0ee938ffecb2201f9fb2fc1ff3c47dc4f72742cbbaf41a

    Download Submit

  • C:\Program Files (x86)\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    8a363c9753d8d5f10c45be9fc2bf9dfc

    SHA1

    1078c538e5669790f6d593f23491e466db568082

    SHA256

    7f499e5453f77829b33ab99c376072ceca0335bca5d48d8e30022b9af88d4618

    SHA512

    4e429cebba3e70313f8d4f8f0657c519f1e253d0426642669ffccd316ecf41dd2f49916a13d20d268d36faf43833ecc2f39450f68236a9a9079c79e45a7a3c4b

    Download Submit

  • C:\Program Files (x86)\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    3e3bb23400e9f565bcc5990cb01b006c

    SHA1

    a14097d212d6bc40469b15cd98075fd6247db151

    SHA256

    7ccc85f0ae9a762db18489c1f2982688147ed7e8e8a5cae2144b055683c4fafd

    SHA512

    7cf5bb2320b09237b64bc2ad90ea3992d0496cb1aba0d86141fd6e44825d2a06b9b5dfcb9407667790c504842e7675b15ae5b3e274ca261956db721f27d7c6ad

    Download Submit

  • C:\Program Files (x86)\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    14c203967b011f2d0986f6ccb629fb14

    SHA1

    be585179a59a990f57f16b3dca6f40ac5c7fd5f8

    SHA256

    01c72a188186a20e71dbdcdcceac4b9869da29c7faf4b5c3c1c13213daba2710

    SHA512

    3550ebf6da544e54712137c19f86c2560ac47f40a33e1a8c9931f59db5b3fa96bc0ec5e096d42afb34b07cc97222a87d99ed75ee52d132455b22b6b5f03c0987

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\adomq.exe
    Filesize

    684KB

    MD5

    65759fffdb39200aec34324458a5c21c

    SHA1

    798a57cc8036c8f3550eaf3940c4b0d4ce5b5c32

    SHA256

    62cc7afaa19a43190cbbe9514ab65b5af23cc0aa8042cee232c544c55fb066ea

    SHA512

    8699034b0e910567296d194a7189d77d133911fe08a4a9e7233f4a8fabac1efc06b15acb206ab007a7214c88f07952a92dce9220bddab1ac07bc86564adb65b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe
    Filesize

    320KB

    MD5

    cb61354b816a4eec0bb6c6fe5484293e

    SHA1

    88bd7ae9d5b7f614d9857a74bc682db5a0de3484

    SHA256

    dbc3ae1529e284ab74d7dd1e39b06fbb54616dd54df5d0d4994814072d7b455f

    SHA512

    9984eb1fadc28d07a247c1b5b53f05d90674d9d45f15adbf4026b4ca404d97004ae7bd3bf118627d200a9e52ed724b1dc32526c07ade2894ffd249f91ccb40a7

    Download Submit

  • C:\Users\Admin\AppData\Local\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    07b1aa11b380964aa1e553eb647e38ce

    SHA1

    98d8f17ea3c918e1c6c96fd2f836cc20cf59434f

    SHA256

    8ee7928cfd4c6fe1bc77f1ead701814366e6fd463c6c0f7b0e4fa048340fbb2f

    SHA512

    18b0da7b24b1f5450a1697315a33deacd08d2558589153311e0630cccd9aa1058336ca1a9a30937dabf7fca14a1c4ef4e60529f91286cbebd61576ccd1358d80

    Download Submit

  • C:\Users\Admin\AppData\Local\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    4a35090605fcf0c861015795c90c7e96

    SHA1

    40652454a3475c69dc699ff931b3da6b9a088aeb

    SHA256

    62192188cb850be93ac77ff8759651ae338a70bee579d36e35404bf7953c6456

    SHA512

    6d01a810cc38a800f0cf2223918fb62a40462c19d5627ddbc52dfa0174cf8fdafe6c6228aa09b18a004ab4157238b7d69671e48c81f8d1c9ba8134539a90cec7

    Download Submit

  • C:\Users\Admin\AppData\Local\adomqbzjlrubbefhndmpaycnlvx.gnn
    Filesize

    280B

    MD5

    b0d11dc09d9912dff8e3a15f1d4e2393

    SHA1

    374fd20cdc5e0d0f163b63cecf02d1f6fbc933c0

    SHA256

    7cfaba21cc4f581593fc493d6a85ac8df53afbadead0c312bde753447fe90c03

    SHA512

    0c3700b6cc6adda4bbb419b99e90adefe3d68e31b06cf7e381b59d790f1576f2d8c658d66dc3dc5f4f974a85e4fc81d01efc90f9f150cd7c1c3c542eeee081bc

    Download Submit

  • C:\Users\Admin\AppData\Local\xlhqfbkfsjxpaoanefznjshdmhulzrcqcpghbp.ujf
    Filesize

    4KB

    MD5

    a4541aad761058161e41c8447538217c

    SHA1

    f290c1ad4d2a8fd53e415613865440cc827ffa52

    SHA256

    a910e6dd74b915e3e613b007d96a7723e9f1cf8c162082464087dcb2ae86cd52

    SHA512

    f059ad350d9e8361b32268872f247fb66516e2313d3762eee2f296f7ac8a25fccdae6dafa91891296fa06b9d9f741f420f29f06c5cf8524b4672b371f470ad1c

    Download Submit

  • C:\Windows\SysWOW64\ndbmdbmjyrhboeshad.exe
    Filesize

    888KB

    MD5

    85a2b27d7ea530ecf6279c20f5c4cf54

    SHA1

    97816df5b2468dc8438094d40f4c532043a8e179

    SHA256

    f965854098fb35d6291a9dd8c0b3808c8ad944284610fb4eb1a61e9b016e6d22

    SHA512

    864f13686864cacf237ece120d2026d3e30fe5edba1c8b6e3400f255429a4571087ff00e58e4cb11176d1beda2e310fd607a073d0363b1e4d37a33c316ea6eaa

    Download Submit