Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-08-2024 05:10

General

  • Target

    891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe

  • Size

    508KB

  • MD5

    891e69cb1cde7862dc9176254867466b

  • SHA1

    6f55b9b414acd5ff1bc1aa03b8bf40460702a3d7

  • SHA256

    b809eb6146962c7c16d350e440a6f8aaebbad5bf8b8ede9329db7d5dd202fa4a

  • SHA512

    ed688f2f891e2ffd44a76e2457df641960361608c6577d5515dc68aee4e6a2edf013d3769d6383e0fd70b45d557d8246ee22c5a0c2a54603aafe9e9593c5ef20

  • SSDEEP

    6144:ej6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionw08j:k6onxOp8FySpE5zvIdtU+Ymef8049

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe
      "C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe" "c:\users\admin\appdata\local\temp\891e69cb1cde7862dc9176254867466b_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1048
      • C:\Users\Admin\AppData\Local\Temp\chlqbkq.exe
        "C:\Users\Admin\AppData\Local\Temp\chlqbkq.exe" "-C:\Users\Admin\AppData\Local\Temp\bpcqkcrhwidbospw.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:4736
      • C:\Users\Admin\AppData\Local\Temp\chlqbkq.exe
        "C:\Users\Admin\AppData\Local\Temp\chlqbkq.exe" "-C:\Users\Admin\AppData\Local\Temp\bpcqkcrhwidbospw.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:3300
    • C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe
      "C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe" "c:\users\admin\appdata\local\temp\891e69cb1cde7862dc9176254867466b_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    8a2cdfbbba42b8e65449806c654b8e73

    SHA1

    0ec2fe7f60e8c43286f4abf0c78fda2f7b39f917

    SHA256

    1c2c7e334ae56276bee6dd35fb6f376aecee3080b4d441ad43028d453e88ebe3

    SHA512

    e52b41e004a8ac8642f2218bbc0744a55a8d6a394c8f94430acc4d833ca01e09c36fe0f6fcf5ef1725d970b4e3b544e9c0b5f0c232c13bcbad84b544dec8251c

  • C:\Program Files (x86)\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    a9582c0e7166bd38d523493afd109567

    SHA1

    8a471d4cd8fc07a067bca89e68819b85691b0855

    SHA256

    0ced106471fbe388392f342416cea67316e105f3232e5caa9d7e644b32b0ca2f

    SHA512

    1e0abc4787ae4fb068729d237657a501cf8e964cfcaecfa9681b5e85509d91a9fd7333428328932474dff6833bb2b158ffa0934bc9647324120e3f155870f58a

  • C:\Program Files (x86)\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    34271a94b5b9398143f4074c03669a75

    SHA1

    f3e3b727c2268211d120b4c38c90f4c0ce731eb9

    SHA256

    88b0e44931eae73a19a7410732322dbd3809fb295ca4a651b5e0962a9778a36e

    SHA512

    3f4eb56aba6e836d1e7686916a61a703d45ca4cfc7e2536859836c5924ac9022ad67d2d32364a83092cfc757ff3e52ebcebef72ad702b5a0bfb8daabadcd36df

  • C:\Program Files (x86)\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    21a5f3f9ee584198fea5557231c05805

    SHA1

    c43888e352457b50e10c569c1b6a5298faaf3b29

    SHA256

    d24c52ed505ea7363d4d0400ce6b82e0136bc1a2f208ae3258884b944a0ff879

    SHA512

    a91dcc79990cf494d221ca72bc6d0cacc4f6304a315ef6962390ac08d79c73425750529879fcde35e0a51622ad7e381d424ea646b0f6c136a353c7bdadef8a23

  • C:\Program Files (x86)\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    6a2fc97a7741765b2527543cf8512418

    SHA1

    fc46e97b9a1d12a214d798921c039f859a26181e

    SHA256

    5aa80f13081b6fb3f7a7db0a8c7300bb81d3fc16200d860e20c2ba9232539f2a

    SHA512

    92c13f8dacf0c9a05754b61d85deaec2eb9126acdf0c6fb0a600256987ba7587648b527193411e38c0ddc4919a79669f76b7992b5b9cac514ad4e764d5812da3

  • C:\Program Files (x86)\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    445a0850d7f53dca283368eda5f3b872

    SHA1

    da63ab22f0d8bea3227e29a3c4665f7f9979a409

    SHA256

    6637417772905425f0bb3ecb89faada648ea4f412c107a437e020889e687342f

    SHA512

    ae6a7886d5ff957ceeda1a1e87ca7d3af9a80bb482c1de6bba2034955bbd2fa663d1fd644cc2f3cd2245cec50c9a3376af44c7a5feae6ec010b89db7e25c1774

  • C:\Users\Admin\AppData\Local\Temp\chlqbkq.exe

    Filesize

    684KB

    MD5

    b3e3e429656bc0d7e6212119b9278a83

    SHA1

    7a80793fa4647b5aa14c93d82eb0590c43c89a16

    SHA256

    9b800e70ba6c8037016ed36320b07766817f7ebe6541e58c854809f0a24b8339

    SHA512

    1da13f67411887806095942c90fb16532c3d98ba374e916de5f5a1a32ced787c4c2526e2a16edd68611b34e23be3ee16c96988f80913657b926f70e615a58f07

  • C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe

    Filesize

    320KB

    MD5

    5203b6ea0901877fbf2d8d6f6d8d338e

    SHA1

    c803e92561921b38abe13239c1fd85605b570936

    SHA256

    0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

    SHA512

    d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

  • C:\Users\Admin\AppData\Local\fdayceddcydliwduerfday.edd

    Filesize

    272B

    MD5

    7709a81337d34c59f1456fd8db92703c

    SHA1

    0526a5f6fe5bf76318b6399076cc8900747ae403

    SHA256

    c386b8fe9c6d5cc3ffbfecb40a55d9dfa041fe3409b9568afec93fca7a9b5850

    SHA512

    3474bfb8f9d40e920bacb7511afcbfa1e8e6921efc147670b17d04ec73a11553acc63de28801cc60407b364357e65e063fb7882e9edf03a8844e3ad8d8e761fc

  • C:\Users\Admin\AppData\Local\wfnwlyitdkatbasupnmvdmboyjtaqjrqi.fdc

    Filesize

    3KB

    MD5

    ae542f68c4658c67859b9c83533d5589

    SHA1

    6ea74f25e92e4bfbaed3577352d557f04c55452c

    SHA256

    3fd8c23e07b32ea27e292f3b73c9b192f06269df2b14bee6f706d723e6dca0dd

    SHA512

    cb0aea4df0b2786d2a03f363acf31cd0589315cecfc2946f7e00daf8f2aa93f59d6db903ef92a94750f30afd024c3b0c130701fc7dcf197c1617c6faf3444d69

  • C:\Windows\SysWOW64\rhwmictlcqnncihqsx.exe

    Filesize

    508KB

    MD5

    891e69cb1cde7862dc9176254867466b

    SHA1

    6f55b9b414acd5ff1bc1aa03b8bf40460702a3d7

    SHA256

    b809eb6146962c7c16d350e440a6f8aaebbad5bf8b8ede9329db7d5dd202fa4a

    SHA512

    ed688f2f891e2ffd44a76e2457df641960361608c6577d5515dc68aee4e6a2edf013d3769d6383e0fd70b45d557d8246ee22c5a0c2a54603aafe9e9593c5ef20