Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11/08/2024, 17:28

General

  • Target

    8b4ac7b5fc69ae9f275abdd0fe5f7a55_JaffaCakes118.exe

  • Size

    122KB

  • MD5

    8b4ac7b5fc69ae9f275abdd0fe5f7a55

  • SHA1

    1138f15258788187a7e0733dbe324abe9772ff51

  • SHA256

    0b25364b8e04ec24f2d03449ddf246130db8e132b12bb7f5bcc624c68b5b1a07

  • SHA512

    c4df3945387306021e5ede9a8f337cda00f99114a2e13cb598caebcdcfa184eced2f10ce67a0550d90f978f0cc619f00ea288ade5259a41a54e305041244f694

  • SSDEEP

    3072:/uvSwwT1pWbkCbTJyaPSMhCe3Dp199E0Rl:2vNw54bkCbHPSMp3Dh9Eg

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b4ac7b5fc69ae9f275abdd0fe5f7a55_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8b4ac7b5fc69ae9f275abdd0fe5f7a55_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\inf\svchoct.exe
      "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_080922a.dll tan16d
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\myls3tecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4128
        • C:\Windows\system\sgcxcxxaspf080922.exe
          "C:\Windows\system\sgcxcxxaspf080922.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4432
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:8
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1052
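The process tree above is the part of this report that turns directly into detection logic: the Temp-resident sample starts svchoct.exe from C:\Windows\SysWOW64\inf\ with a DLL path as its argument, that process runs cmd.exe /c on a batch file in the drive root, the batch file starts sgcxcxxaspf080922.exe from C:\Windows\system\ (the legacy directory, not System32), and that process launches Internet Explorer. Note the command line names C:\Windows\system32\inf\svchoct.exe while the image path is under SysWOW64: that is the WoW64 file-system redirector rewriting System32 for a 32-bit process, consistent with the arch:x86 resource tag, so any path heuristic must accept both spellings. The Python below is an added example, not sandbox output: it rebuilds the parent chain from constructed Sysmon-style process-creation records (the field names, the root's parent PID and the benign notepad control record are my assumptions; the command lines are the ones the report shows) and applies path heuristics derived from this tree.

```python
"""Heuristic triage of the process chain shown above (added example, not output from the sandbox)."""
import re

# Constructed from the Processes section of the report: one record per process, Sysmon-style field
# names (pid/ppid/image/cmdline). The root's parent PID (1000) and the notepad control record are
# invented for the example; the command lines are copied from the report.
EVENTS = [
    {"pid": 1840, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\8b4ac7b5fc69ae9f275abdd0fe5f7a55_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\8b4ac7b5fc69ae9f275abdd0fe5f7a55_JaffaCakes118.exe"'},
    {"pid": 2340, "ppid": 1840, "image": r"C:\Windows\SysWOW64\inf\svchoct.exe",
     "cmdline": r'"C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_080922a.dll tan16d'},
    {"pid": 4128, "ppid": 2340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "c:\myls3tecj.bat"'},
    {"pid": 4432, "ppid": 4128, "image": r"C:\Windows\system\sgcxcxxaspf080922.exe",
     "cmdline": r'"C:\Windows\system\sgcxcxxaspf080922.exe" i'},
    {"pid": 8, "ppid": 4432, "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
    {"pid": 1052, "ppid": 8, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8 CREDAT:17410 /prefetch:2'},
    # Benign control record (constructed): should produce no flags.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe"'},
]

# Directories that should not host executables: the driver-INF folder (native or WoW64 view) and the
# legacy C:\Windows\System directory. All comparisons are done on lower-cased paths.
ODD_EXE_DIRS = re.compile(r"^c:\\windows\\(?:(?:system32|syswow64)\\inf|system)\\")
# cmd.exe /c <drive>:\<name>.bat, i.e. a batch file sitting directly in the drive root.
ROOT_BAT = re.compile(r'/c\s+"?[a-z]:\\[^\\"]+\.bat"?')


def flag_event(ev):
    """Return the heuristic reasons a single process-creation record looks suspicious (empty = none)."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    reasons = []
    if ODD_EXE_DIRS.match(image):
        reasons.append("executable running from an unusual Windows subdirectory")
    if "\\appdata\\local\\temp\\" in image:
        reasons.append("executable launched from the user's Temp directory")
    if image.endswith("\\cmd.exe") and ROOT_BAT.search(cmd):
        reasons.append("cmd.exe running a batch file placed in the drive root")
    return reasons


def chain(events, pid):
    """Follow parent links from pid towards the root and return the image paths, root first."""
    by_pid = {e["pid"]: e for e in events}
    images, seen = [], set()
    while pid in by_pid and pid not in seen:  # stop at an unknown parent or a PID cycle
        seen.add(pid)
        images.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return images[::-1]


def triage(events):
    """pid -> reasons for every flagged record; a browser started by a directly flagged parent is added.

    Parent checks use only the direct flags so the result does not depend on record order."""
    direct = {e["pid"]: flag_event(e) for e in events}
    result = {pid: list(r) for pid, r in direct.items()}
    for e in events:
        if direct.get(e["ppid"]) and e["image"].lower().endswith("\\iexplore.exe"):
            result[e["pid"]].append("browser spawned by a directly flagged process")
    return {pid: r for pid, r in result.items() if r}


if __name__ == "__main__":
    for pid, reasons in sorted(triage(EVENTS).items()):
        print(pid, "->", " / ".join(chain(EVENTS, pid)))
        for reason in reasons:
            print("   ", reason)
```

Running the script flags PIDs 1840, 2340, 4128, 4432 and 8 and leaves the IE content process (1052) and the notepad control alone; the regexes accept both the System32 and SysWOW64 spelling of the inf directory for the reason given above.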

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\inf\svchoct.exe

          Filesize

          60KB

          MD5

          889b99c52a60dd49227c5e485a016679

          SHA1

          8fa889e456aa646a4d0a4349977430ce5fa5e2d7

          SHA256

          6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

          SHA512

          08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

        • C:\Windows\System\sgcxcxxaspf080922.exe

          Filesize

          122KB

          MD5

          8b4ac7b5fc69ae9f275abdd0fe5f7a55

          SHA1

          1138f15258788187a7e0733dbe324abe9772ff51

          SHA256

          0b25364b8e04ec24f2d03449ddf246130db8e132b12bb7f5bcc624c68b5b1a07

          SHA512

          c4df3945387306021e5ede9a8f337cda00f99114a2e13cb598caebcdcfa184eced2f10ce67a0550d90f978f0cc619f00ea288ade5259a41a54e305041244f694

        • C:\Windows\dcbdcatys32_080922a.dll

          Filesize

          232KB

          MD5

          14c64e948fce7bc177fba554e86750e7

          SHA1

          437d0af55785e5352dfc793874dec00caff5a7a5

          SHA256

          17eb3b1ed185504174d6dba35053d585c3ba6fdcd96776c0a1a13d5adc8864bc

          SHA512

          7d383a14dc8226b13ad5c3be1cee4beca127556a59c4933786afc89300f6dccddc841ef4173f120831a881db3bc7a7e94733bb4705e5aaa23ed71f69c312eb59

        • C:\Windows\tawisys.ini

          Filesize

          462B

          MD5

          82dd58bf9deeb49089e6958137643d24

          SHA1

          6d06220c995716d53cf634c1ffca9949ca939e0b

          SHA256

          d458f1637d168ea2b712846faf5643bef33bb3cf8728c0efdfd1761853994e2c

          SHA512

          1bc9bb1f3e81c7a275413520f1ff3b14754edc8656792891e0c9ae841a69c348db44ef7b4cbd00782c6d807ce6246c0893b7b95e57b3137aa5ed691194684334

        • C:\Windows\tawisys.ini

          Filesize

          378B

          MD5

          825d149fda12d2dd128ff64ff1cb2a37

          SHA1

          e4c655ac56d1ebe36ef646a0cb24d99787d90d86

          SHA256

          ff62ada9a1c49d54aa8b34d7c0f6b71de5766d3a6fdb1b6dc812ff00a362b1e9

          SHA512

          9d78046fd691c262b7e5b801831281759985e5f185bc9a712d4152072e0abc5a4439077ce9c3fdf29eb5622fbc82fa82db07256f030e6db004fee74fb850e36f

        • C:\Windows\tawisys.ini

          Filesize

          420B

          MD5

          4922f175b4a59b206314dbc304b56798

          SHA1

          243df9beba302a4b064abf545846c70c52f54aee

          SHA256

          0275d8a86614adecc47586811b948958945906b73258219dc3dd0bc0a515efdf

          SHA512

          567d6321abd5bc787673d4d6b0b76695e48d95f05b5d6f97a3c7191f8564909f65fc946033a0dc68ef9188f3a6194b0d5dd65ba5804ce22a048223364e76fe66

        • C:\Windows\tawisys.ini

          Filesize

          61B

          MD5

          908709e80dffa1ac78f5976ad32da98e

          SHA1

          f4ea4e0506f53b8ef68298d9f8ad9fdf80c8cf1e

          SHA256

          c79d55a1e4064dc10d1e406d5f9448c91f6fc1bb8b892de266260485a426280d

          SHA512

          a159a3608a4be240938fd97629b589f33e3665623e180a444880064b116c085f4f50631a2291ad443c5e4575f165bc5769edc7686bb23d3d8bc88371d5b118a5

        • C:\Windows\tawisys.ini

          Filesize

          426B

          MD5

          7d4fbe3b118864428fdffd875e1df4ed

          SHA1

          82e6f3dbffb861eaadbf537598a94146c19669ed

          SHA256

          a03732a62c3cab2da5ca7f1d2c8226b43f0bcdb6ebd9b5de3a605a8e58ffa192

          SHA512

          521c9be11adb8a1d347930b598d9bac0364f7c3c9e01486cd0c866d9ad02655446081bc03da36b9178cad03570d66913225969805d1db1823306cacf9b135008

        • C:\Windows\tawisys.ini

          Filesize

          459B

          MD5

          cabc732b07d13407a2e05e67a2205b45

          SHA1

          34f6ed9109d0a5fc4fad56c78de7a4b490d90671

          SHA256

          608499c9c8f98b0b61ac5dc3615aad9ef3272fb0b0cf03865471b409c597bef8

          SHA512

          1545b11a11d037c273b4ae70bf736161c1d93f45fc1a6540091bcdda2a3f3be6168b7d9f7e5cc614e987aa695395ccc6ceeeead60fbd6fa8180efd26ac4da440

        • C:\Windows\tawisys.ini

          Filesize

          486B

          MD5

          e414acec451a914a3092916aebb9b9ab

          SHA1

          01ba9902a690367690ab4be10237f1b8f6bd6b0b

          SHA256

          59e886025a950705b1b9de066fcaa1172acec4d9e69774aef723147292b40502

          SHA512

          0964386b3f853311199e20d24946bf9f4a82c4c2ea68d548ecd28a142f56b7ed9e88128c46b78e96a61e1c4e1efc4b3914ee61141197e6386d6d114149bd6816

        • C:\Windows\wftadfi16_080922a.dll

          Filesize

          35KB

          MD5

          ded93fa6288471b3e6d3aa0c30eee11a

          SHA1

          2b9351c0ce0204a4cc09c320a97e68d38864c4b4

          SHA256

          8bad68aafc85602622d69bf257cb2e466e4b597f2e162f6f64a8e9ed7948abff

          SHA512

          09c9b469f0bcb9288b3775c73773a22a4d48cf9cd9f76fdf2b9dccbe5666bbed997564f5b1a4cd5644c5c5427771af5eb552448c66a0fca193953ecf11025be6

        • \??\c:\myls3tecj.bat

          Filesize

          53B

          MD5

          47df77fab6045ec684ca921e72dce72e

          SHA1

          6e5775a96434c88ec1aa6cf32ed4d35430452b3c

          SHA256

          32d087de0d9887edef87152846ededf9cf14de5e901865d4320f417df082614f

          SHA512

          9b05021f1b4cbf27830548b0d6c512e9317b75d017c21f42711db9c5f17b29a158a1cd50c4dd405d497a567ae1fdf14df0602b12c88be527a2ff9a1dfbae78b9

        • memory/2340-76-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2340-68-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2340-91-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2340-113-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB
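Two things in the dropped-file table above matter before any of these hashes go into a blocklist. C:\Windows\System\sgcxcxxaspf080922.exe carries exactly the submitted sample's size, MD5, SHA1, SHA256 and SHA512, so it is a copy of the original rather than a second-stage payload, and blocking the sample's hash already covers it. C:\Windows\tawisys.ini appears seven times with different sizes and hashes, so it is a state or configuration file rewritten during the run; its hashes are useless as indicators and it should be hunted by path. The Python below is an added triage helper, not part of the sandbox report: it takes the (path, SHA256) pairs copied from the table, separates hash-stable indicators from rewritten paths, lists self-copies, and matches collected file hashes (for example from a mounted disk image) against the stable set. The normalization rules, the scan helpers and the treatment of the IE INetCache entry as browser noise are my assumptions.

```python
"""Turn the dropped-file table above into usable IoCs (added example, not part of the sandbox report)."""
import hashlib
import os

# (path, SHA256) pairs copied from the Downloads table above. The IE INetCache entry is written by
# the iexplore.exe launch; treating it as browser noise rather than malware-authored is an assumption.
ENTRIES = [
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\suggestions[1].en-US",
     "c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad"),
    (r"C:\Windows\SysWOW64\inf\svchoct.exe", "6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910"),
    (r"C:\Windows\System\sgcxcxxaspf080922.exe", "0b25364b8e04ec24f2d03449ddf246130db8e132b12bb7f5bcc624c68b5b1a07"),
    (r"C:\Windows\dcbdcatys32_080922a.dll", "17eb3b1ed185504174d6dba35053d585c3ba6fdcd96776c0a1a13d5adc8864bc"),
    (r"C:\Windows\tawisys.ini", "d458f1637d168ea2b712846faf5643bef33bb3cf8728c0efdfd1761853994e2c"),
    (r"C:\Windows\tawisys.ini", "ff62ada9a1c49d54aa8b34d7c0f6b71de5766d3a6fdb1b6dc812ff00a362b1e9"),
    (r"C:\Windows\tawisys.ini", "0275d8a86614adecc47586811b948958945906b73258219dc3dd0bc0a515efdf"),
    (r"C:\Windows\tawisys.ini", "c79d55a1e4064dc10d1e406d5f9448c91f6fc1bb8b892de266260485a426280d"),
    (r"C:\Windows\tawisys.ini", "a03732a62c3cab2da5ca7f1d2c8226b43f0bcdb6ebd9b5de3a605a8e58ffa192"),
    (r"C:\Windows\tawisys.ini", "608499c9c8f98b0b61ac5dc3615aad9ef3272fb0b0cf03865471b409c597bef8"),
    (r"C:\Windows\tawisys.ini", "59e886025a950705b1b9de066fcaa1172acec4d9e69774aef723147292b40502"),
    (r"C:\Windows\wftadfi16_080922a.dll", "8bad68aafc85602622d69bf257cb2e466e4b597f2e162f6f64a8e9ed7948abff"),
    (r"\??\c:\myls3tecj.bat", "32d087de0d9887edef87152846ededf9cf14de5e901865d4320f417df082614f"),
]
# SHA256 of the submitted sample, from the General section above.
SUBMITTED_SHA256 = "0b25364b8e04ec24f2d03449ddf246130db8e132b12bb7f5bcc624c68b5b1a07"


def normalize(path):
    """Drop the NT object-manager prefix (\\??\\) and lower-case so both spellings of a path compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def volatile_paths(entries):
    """Paths seen with more than one hash: rewritten state/config files, unusable as hash indicators."""
    digests = {}
    for path, digest in entries:
        digests.setdefault(normalize(path), set()).add(digest)
    return sorted(p for p, d in digests.items() if len(d) > 1)


def stable_hashes(entries):
    """SHA256 -> normalized sandbox path for files that appeared with exactly one hash."""
    volatile = set(volatile_paths(entries))
    return {d: normalize(p) for p, d in entries if normalize(p) not in volatile}


def self_copies(entries, submitted_sha256):
    """Dropped paths whose hash equals the submitted sample: copies of the original, not new payloads."""
    return sorted({normalize(p) for p, d in entries if d == submitted_sha256})


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA256 so large files in a disk image are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digests(digests, table):
    """digests: local path -> SHA256. Returns {local_path: sandbox_path} for hashes present in table."""
    return {local: table[d] for local, d in digests.items() if d in table}


def scan_directory(root, table):
    """Hash every readable file under root and return the matches against table."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digests[full] = sha256_file(full)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
    return match_digests(digests, table)


if __name__ == "__main__":
    table = stable_hashes(ENTRIES)
    print("rewritten (hunt by path):", volatile_paths(ENTRIES))
    print("self-copies of the sample:", self_copies(ENTRIES, SUBMITTED_SHA256))
    print("stable hash indicators:", len(table))
```

Of the thirteen rows only six survive as hash indicators; the rewritten tawisys.ini and the two DLL/EXE names carrying the 080922 date stamp are better hunted by path or filename pattern, and the batch file in the drive root is worth a filesystem search in its own right since its contents are not shown on this page.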