Overview

overview

10

Static

static

3

8d8e12ce82...18.exe

windows7-x64

10

8d8e12ce82...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/08/2024, 05:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe

  • Size

    352KB

  • MD5

    8d8e12ce826ab74086ad2bade5125f9f

  • SHA1

    3107e2cdd5a760786bae491f0b764b871e088f46

  • SHA256

    5bc26c7693ff37be77434145a8c383da89123f9155a60bd417c7315c8d5fe307

  • SHA512

    eb2f637b2482dcad37a5ae81bf81c3be76d1d34c76ba944ea5dff15f5450ff422ac12d792c6a7e96a8e21bb29702590d8b815ce639e557c85de8b04b1c69f525

  • SSDEEP

    6144:yahlKL+Ah3FV1bcJzDHfeDnuVbewl5/6G:yElUvt1cRDH2DnuVbewl5SG

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 10 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3956
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8d8e12ce826ab74086ad2bade5125f9f_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1008

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4720-5-0x00000000751E1000-0x00000000751E2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4720-6-0x00000000751C0000-0x00000000752B0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4720-7-0x00000000751C0000-0x00000000752B0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4720-10-0x00000000751C0000-0x00000000752B0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4720-13-0x00000000751C0000-0x00000000752B0000-memory.dmp

          Filesize

          960KB

          Download