Overview

overview

8

Static

static

3

86cd57473f...18.exe

windows7-x64

8

86cd57473f...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/08/2024, 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    86cd57473f366479770b7e98b5993e32

  • SHA1

    0f1834869ff4b7c453871636a3068ce8f7ca7239

  • SHA256

    46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a

  • SHA512

    93408fb92019b8da7831cabc83537e703066d7319dac1a7d7f07a211a507c28ecfaaa36fe5d99457acf835ab03ea90280c756cca6c3a4c3801efccdce0f23c23

  • SSDEEP

    3072:xq6SMOZ7i/tEzZ7wbPi6MY21hTbrnNwIxsLzO:xIzZ7i/tENaPi6/mTPNwIxsLy

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\inf\svchostc.exe
      "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080630.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\system\sgcxcxxaspf080630.exe
          "C:\Windows\system\sgcxcxxaspf080630.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3456
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3456 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Windows\SysWOW64\inf\svchostc.exe
    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    Download Submit

  • C:\Windows\System\sgcxcxxaspf080630.exe
    Filesize

    112KB

    MD5

    86cd57473f366479770b7e98b5993e32

    SHA1

    0f1834869ff4b7c453871636a3068ce8f7ca7239

    SHA256

    46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a

    SHA512

    93408fb92019b8da7831cabc83537e703066d7319dac1a7d7f07a211a507c28ecfaaa36fe5d99457acf835ab03ea90280c756cca6c3a4c3801efccdce0f23c23

    Download Submit

  • C:\Windows\tdcbdcasys32_080630.dll
    Filesize

    225KB

    MD5

    19efd317486b8ecee11d4c6c7a2c275f

    SHA1

    ce65042e2723df5724b6a23c6589a7531f78f9c1

    SHA256

    4222c15eae1e68e8dfa32ca92ac46aa172d864a6eb7e00359e4814654ce90c77

    SHA512

    cc8aa9705bf0b660b906518b4e6fa7e7d4ef87ea01964f2b2cfb5248bc14b0c6458668508dbc1ef03792c93a402a3cef139608e9405716ba76794d90b83b199b

    Download Submit

  • C:\Windows\twftadfia16_080630.dll
    Filesize

    31KB

    MD5

    26b88cfdf33ae711533c666025d10827

    SHA1

    271dff0f6c3e83b9c017f5c9fc4792a5257095ef

    SHA256

    bddc85db55326be5bbc0f825546dc6d694840d3e1552bce3acac4b4db34fc08b

    SHA512

    5787c3aa8c4715da98ec15c4d7d18573ca0bebd3ee10359d96564d874c046d2e01b9593929d2dc010937f4baf2d9d53d27054b1deabe53934cbabccd8dacd0b8

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    97B

    MD5

    6e7b5d2f6516fa44faec2a8c8fd5b720

    SHA1

    ea6e69cc997405d19dc4f9bb6c7ed60a0103a9ac

    SHA256

    c83dc8f1ef2de32b8507fc7b81a110faa5ad8eb8eaf0b817bce14d2b68f165b8

    SHA512

    92dbed1ca16722a20879b664e701b91f57760726317291af2ddbdfdc27757399e9ae39004ec8144e8f25329ed0bbe1acdd289ef285a6879d221e218793b31cdd

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    448B

    MD5

    a0b47bdb405af66455cd19fd975bfce1

    SHA1

    f2decb3a78601d4a54a3085408acdedf0e850725

    SHA256

    3750544bf3c1febae58127022c8380a8a08beb73d312c05d246bb1cd985fa4b1

    SHA512

    f4a90715da434118e1cf40be78bf5cd59dcdfb803cabf4ad15076f71b06c7968ba6a5c319be8356cc98abdf0034b7abfac2b17b736f300a7404b0849fee3e5b8

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    364B

    MD5

    d8d44aa5e6cb1a7b2d5194d84ec91ba1

    SHA1

    095bdc3ee31cb85e854aa15cbf915c05d3e96216

    SHA256

    edc04c9858be8bb3f689456ae7ed4c3d76634667259f55f517df812015583896

    SHA512

    dd164a0b6969e24a190f7cde7a9106a50dbb451a79c3f5edea82e0baad54cad43cf04b01d5c5c2f896f0244566e9f1cff5c5603fcf079338827fa0390ca78e95

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    392B

    MD5

    388b0391153dc53cd97b96067482a50a

    SHA1

    22f47e000cda9595b8fe02adb14783dda2f02bec

    SHA256

    d39828c8c889401f143a98344b08fd4c5d93bf59a843b4433e7068fa1dcffe45

    SHA512

    5d9e9e0e818599c479b28e01f6cedd3db4027f0fbafa9cfc5fd39ec4cfd33560533ddbbbd26bcda912f19a6251b192dabac10c19d8e9f4318f7609b4c0ba8728

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    398B

    MD5

    ae765e5d9fb7edb4b7a3eac49c8cfbcc

    SHA1

    455d99c66e74b377ab0b58da747c98358f5b1f97

    SHA256

    805a693c89b50cc59eac61314295db08dd0c19e7b82458ec00f362d0c8feca68

    SHA512

    1e05e682ca382c92015c7d30374a5d7b6037ba9cb36c9c72687afab117ac807fc5d8bd46dee63691cdad1e945d285e361c4f71b6093f9b756a084223575c7bfc

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    431B

    MD5

    c870fd1d10d75227d17beb4e64658e7e

    SHA1

    fef44e3be3cc0051e65230c25e8e1e5167a75e3a

    SHA256

    3e32c560896db52cedcd341bfe06a08e83d2a5c47827d93497538ac8f6b3ed4b

    SHA512

    6089fae72801397820a93added22d5f9f096bd6ab4897602aa8e67e4879e31f2bd0f0a094f1772591113328fc1ad7517b61544767ba9b52744db7871e9972ec9

    Download Submit

  • C:\Windows\twisys.ini
    Filesize

    458B

    MD5

    901fa3734c12fda300fcb538b398302c

    SHA1

    fda8c6444f944470f5ebcf5d68179f79bc9aac13

    SHA256

    d8a53c4819f06f6b4272d051ad1654ee1edfa3cabae081236c4ad806cb5fae6f

    SHA512

    6fdf32c6e723cc654f154fe6cf4d5faf390a08431eb3d1b3b3f91785ef74cf6ca6972b948bb7966a933af02f19d8ba5a7be91b56deb0f0ed65b79caf5cdb44fd

    Download Submit

  • \??\c:\mylstecj.bat
    Filesize

    53B

    MD5

    75220483f38ea3b1e9d028656c66c5dd

    SHA1

    2cde9a69c6dfab9c197f605d1600a634563f30e9

    SHA256

    8a03a8689361d6f83a30e3763bdf34588b846c4dc0199a776eee0289dc27ea79

    SHA512

    70bd1a9c88f50e69b99c00ea6211371042a272c00951b39a495b1c14d240c463c06ddf0bdd2b83688940bfc1c2ca646d4d4c20846e91594983f49ba8e6e8947d

    Download Submit

  • memory/2308-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2308-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2308-93-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2308-108-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download