341c4bddb3032de44f73d35a08fc779b2785ea6c12bfca73847861835889b172

Analysis

max time kernel
90s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe
Size

93KB
MD5

88479040dd0126e0b9bd764ba8bd4c43
SHA1

5f405ab52af61d9cbf528b0aa2c8bef9f4b4ed80
SHA256

341c4bddb3032de44f73d35a08fc779b2785ea6c12bfca73847861835889b172
SHA512

54b234d17de0573cc6929543001227b21d89d8e8fc7ea8ce9861dd477514c62f72359ef19cc32dff36ab3a7ba3ec4e2242dbf4ab93eecb4c899059f53276933e
SSDEEP

1536:8JGlDUeQq8Nc/xrQ6mo3svzFzJn5Qn/yKNh+0ClNh40CsNdyukfPuz:n+Pq88rLmYsvV55Qn/y3hQsNYFfPY

Score

10^/10

defense_evasion discovery evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kasper_zaebal.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	kasper_zaebal.exe

Loads dropped DLL 1 IoCs

pid	Process
1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kasper_zaebal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kasper_zaebal.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\ProgramData\Media\kasper_zaebal.exe:Zone.Identifier	cmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	1952	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kasper_zaebal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData\Media\kasper_zaebal.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe
1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe
1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	kasper_zaebal.exe
2568	kasper_zaebal.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2448	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2448	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2448	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2448	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2568	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2568	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2568	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2568	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	32
PID 1952 wrote to memory of 2268	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2268	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2268	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2268	1952	88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kasper_zaebal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kasper_zaebal.exe

C:\Users\Admin\AppData\Local\Temp\88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88479040dd0126e0b9bd764ba8bd4c43_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\ProgramData\Media\rdb.bat
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2448
- C:\ProgramData\Media\kasper_zaebal.exe
  -wait
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 288
  2⤵
  - Program crash
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Media\kasper_zaebal.exe

Filesize
93KB

MD5
88479040dd0126e0b9bd764ba8bd4c43

SHA1
5f405ab52af61d9cbf528b0aa2c8bef9f4b4ed80

SHA256
341c4bddb3032de44f73d35a08fc779b2785ea6c12bfca73847861835889b172

SHA512
54b234d17de0573cc6929543001227b21d89d8e8fc7ea8ce9861dd477514c62f72359ef19cc32dff36ab3a7ba3ec4e2242dbf4ab93eecb4c899059f53276933e

Download Submit
C:\ProgramData\Media\kasper_zaebal.exe:Zone.Identifier

Filesize
13B

MD5
38de427224a5082a04fe82e2bd4ea9ec

SHA1
7e4a53de1f83762dd2febd39b818e2258bc83bc1

SHA256
12f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028

SHA512
ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf

Download Submit
C:\ProgramData\Media\rdb.bat

Filesize
84B

MD5
c6f7299be3ecbb88acfde79c4dc2b63c

SHA1
1ce9da1d060431581f08d3fa83240aab5b281d81

SHA256
a22d2d0a98cec8c7efccea543dc7d770577b5a966735deffa2f1bce9ecfbad5d

SHA512
b7ce561caff59f6a08702f21dfc953b028ac6b47289c61f85468586ff9f941490bade7f78b4eb198ae958dcb58204c85db3b6ec1d071d9b0af6babe9534baa27

Download Submit
memory/1952-1-0x0000000000280000-0x0000000000289000-memory.dmp

Filesize
36KB

Download
memory/1952-0-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1952-2-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1952-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1952-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2568-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download