Overview

overview

8

Static

static

3

86cd57473f...18.exe

windows7-x64

8

86cd57473f...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/08/2024, 16:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    86cd57473f366479770b7e98b5993e32

  • SHA1

    0f1834869ff4b7c453871636a3068ce8f7ca7239

  • SHA256

    46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a

  • SHA512

    93408fb92019b8da7831cabc83537e703066d7319dac1a7d7f07a211a507c28ecfaaa36fe5d99457acf835ab03ea90280c756cca6c3a4c3801efccdce0f23c23

  • SSDEEP

    3072:xq6SMOZ7i/tEzZ7wbPi6MY21hTbrnNwIxsLzO:xIzZ7i/tENaPi6/mTPNwIxsLy

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\inf\svchostc.exe
      "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080630.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\system\sgcxcxxaspf080630.exe
          "C:\Windows\system\sgcxcxxaspf080630.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3456
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3456 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:384

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Windows\SysWOW64\inf\svchostc.exe
          Filesize

          60KB

          MD5

          889b99c52a60dd49227c5e485a016679

          SHA1

          8fa889e456aa646a4d0a4349977430ce5fa5e2d7

          SHA256

          6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

          SHA512

          08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

          Download Submit

        • C:\Windows\System\sgcxcxxaspf080630.exe
          Filesize

          112KB

          MD5

          86cd57473f366479770b7e98b5993e32

          SHA1

          0f1834869ff4b7c453871636a3068ce8f7ca7239

          SHA256

          46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a

          SHA512

          93408fb92019b8da7831cabc83537e703066d7319dac1a7d7f07a211a507c28ecfaaa36fe5d99457acf835ab03ea90280c756cca6c3a4c3801efccdce0f23c23

          Download Submit

        • C:\Windows\tdcbdcasys32_080630.dll
          Filesize

          225KB

          MD5

          19efd317486b8ecee11d4c6c7a2c275f

          SHA1

          ce65042e2723df5724b6a23c6589a7531f78f9c1

          SHA256

          4222c15eae1e68e8dfa32ca92ac46aa172d864a6eb7e00359e4814654ce90c77

          SHA512

          cc8aa9705bf0b660b906518b4e6fa7e7d4ef87ea01964f2b2cfb5248bc14b0c6458668508dbc1ef03792c93a402a3cef139608e9405716ba76794d90b83b199b

          Download Submit

        • C:\Windows\twftadfia16_080630.dll
          Filesize

          31KB

          MD5

          26b88cfdf33ae711533c666025d10827

          SHA1

          271dff0f6c3e83b9c017f5c9fc4792a5257095ef

          SHA256

          bddc85db55326be5bbc0f825546dc6d694840d3e1552bce3acac4b4db34fc08b

          SHA512

          5787c3aa8c4715da98ec15c4d7d18573ca0bebd3ee10359d96564d874c046d2e01b9593929d2dc010937f4baf2d9d53d27054b1deabe53934cbabccd8dacd0b8

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          97B

          MD5

          6e7b5d2f6516fa44faec2a8c8fd5b720

          SHA1

          ea6e69cc997405d19dc4f9bb6c7ed60a0103a9ac

          SHA256

          c83dc8f1ef2de32b8507fc7b81a110faa5ad8eb8eaf0b817bce14d2b68f165b8

          SHA512

          92dbed1ca16722a20879b664e701b91f57760726317291af2ddbdfdc27757399e9ae39004ec8144e8f25329ed0bbe1acdd289ef285a6879d221e218793b31cdd

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          448B

          MD5

          a0b47bdb405af66455cd19fd975bfce1

          SHA1

          f2decb3a78601d4a54a3085408acdedf0e850725

          SHA256

          3750544bf3c1febae58127022c8380a8a08beb73d312c05d246bb1cd985fa4b1

          SHA512

          f4a90715da434118e1cf40be78bf5cd59dcdfb803cabf4ad15076f71b06c7968ba6a5c319be8356cc98abdf0034b7abfac2b17b736f300a7404b0849fee3e5b8

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          364B

          MD5

          d8d44aa5e6cb1a7b2d5194d84ec91ba1

          SHA1

          095bdc3ee31cb85e854aa15cbf915c05d3e96216

          SHA256

          edc04c9858be8bb3f689456ae7ed4c3d76634667259f55f517df812015583896

          SHA512

          dd164a0b6969e24a190f7cde7a9106a50dbb451a79c3f5edea82e0baad54cad43cf04b01d5c5c2f896f0244566e9f1cff5c5603fcf079338827fa0390ca78e95

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          392B

          MD5

          388b0391153dc53cd97b96067482a50a

          SHA1

          22f47e000cda9595b8fe02adb14783dda2f02bec

          SHA256

          d39828c8c889401f143a98344b08fd4c5d93bf59a843b4433e7068fa1dcffe45

          SHA512

          5d9e9e0e818599c479b28e01f6cedd3db4027f0fbafa9cfc5fd39ec4cfd33560533ddbbbd26bcda912f19a6251b192dabac10c19d8e9f4318f7609b4c0ba8728

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          398B

          MD5

          ae765e5d9fb7edb4b7a3eac49c8cfbcc

          SHA1

          455d99c66e74b377ab0b58da747c98358f5b1f97

          SHA256

          805a693c89b50cc59eac61314295db08dd0c19e7b82458ec00f362d0c8feca68

          SHA512

          1e05e682ca382c92015c7d30374a5d7b6037ba9cb36c9c72687afab117ac807fc5d8bd46dee63691cdad1e945d285e361c4f71b6093f9b756a084223575c7bfc

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          431B

          MD5

          c870fd1d10d75227d17beb4e64658e7e

          SHA1

          fef44e3be3cc0051e65230c25e8e1e5167a75e3a

          SHA256

          3e32c560896db52cedcd341bfe06a08e83d2a5c47827d93497538ac8f6b3ed4b

          SHA512

          6089fae72801397820a93added22d5f9f096bd6ab4897602aa8e67e4879e31f2bd0f0a094f1772591113328fc1ad7517b61544767ba9b52744db7871e9972ec9

          Download Submit

        • C:\Windows\twisys.ini
          Filesize

          458B

          MD5

          901fa3734c12fda300fcb538b398302c

          SHA1

          fda8c6444f944470f5ebcf5d68179f79bc9aac13

          SHA256

          d8a53c4819f06f6b4272d051ad1654ee1edfa3cabae081236c4ad806cb5fae6f

          SHA512

          6fdf32c6e723cc654f154fe6cf4d5faf390a08431eb3d1b3b3f91785ef74cf6ca6972b948bb7966a933af02f19d8ba5a7be91b56deb0f0ed65b79caf5cdb44fd

          Download Submit

        • \??\c:\mylstecj.bat
          Filesize

          53B

          MD5

          75220483f38ea3b1e9d028656c66c5dd

          SHA1

          2cde9a69c6dfab9c197f605d1600a634563f30e9

          SHA256

          8a03a8689361d6f83a30e3763bdf34588b846c4dc0199a776eee0289dc27ea79

          SHA512

          70bd1a9c88f50e69b99c00ea6211371042a272c00951b39a495b1c14d240c463c06ddf0bdd2b83688940bfc1c2ca646d4d4c20846e91594983f49ba8e6e8947d

          Download Submit

        • memory/2308-72-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2308-64-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2308-93-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2308-108-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download