Overview

overview

8

Static

static

3

8713aa1fe9...18.exe

windows7-x64

8

8713aa1fe9...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8713aa1fe9d9b9499e23cf47af46cbc5_JaffaCakes118.exe

  • Size

    3.4MB

  • MD5

    8713aa1fe9d9b9499e23cf47af46cbc5

  • SHA1

    0891fafc094a52f76b5877c2df0f3673e7e58c3e

  • SHA256

    809d2c2e4b7627aa7f885f32c464b565a6848a56cbbded2fece058e87133174a

  • SHA512

    b9a05a4ebc9921a69da0ad1dd3776b55e06d28a1bccb46f3d2e617cbd8839a629a6f76cb3b73086ef88abef6780fc069a2c591fe641a7a509fd27748c6265dbf

  • SSDEEP

    98304:M8cvccDJxZdk0T33aR1EknVIJZQfPJL8Mc4r/qs2Jb:azf7k0T33aRCknFfPh8crCsM

Score
8/10
discoveryevasionexecutionpersistence

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Uses Session Manager for persistence 2 TTPs 3 IoCs

    Creates Session Manager registry key to run executable early in system boot.

    persistence
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8713aa1fe9d9b9499e23cf47af46cbc5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8713aa1fe9d9b9499e23cf47af46cbc5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\8713aa1fe9d9b9499e23cf47af46cbc5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\8713aa1fe9d9b9499e23cf47af46cbc5_JaffaCakes118.exe
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn startt /tr c:\autoexec.bat /sc onstart /ru system
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1104
      • C:\Windows\SysWOW64\sc.exe
        sc delete GbpSv
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3640
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SYSTEM\ControlSet001\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
        3⤵
        • Uses Session Manager for persistence
        • System Location Discovery: System Language Discovery
        PID:540
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SYSTEM\ControlSet002\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
        3⤵
        • Uses Session Manager for persistence
        • System Location Discovery: System Language Discovery
        PID:3656
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
        3⤵
        • Uses Session Manager for persistence
        • System Location Discovery: System Language Discovery
        PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\aplib.dll
    Filesize

    16KB

    MD5

    a8c138d9c6070c0be655098b389d85cf

    SHA1

    7345311b860ea92382ec6ac6c69f4e7a6b87c7e9

    SHA256

    c23ad461d2609666a59aec0929cf19b7d818200fc4801ead5158345bf3ca6251

    SHA512

    aad53803ee1320ab15e078cc73e5b634ba1dcc8876d3b52227a6d989a10ffa8bb55d306a3721e9cc02acbb54af9bc9199723bd07a9b7394d8716feafa0ad42f5

    Download Submit

  • memory/3360-8-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-10-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-11-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-14-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-16-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-13-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-17-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-18-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-20-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3360-21-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-22-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-23-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3360-24-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-25-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-26-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-27-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-28-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-29-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-30-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-31-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-32-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-33-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-34-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3360-35-0x0000000000400000-0x0000000001A12000-memory.dmp

    Filesize

    22.1MB

    Download