Overview

overview

10

Static

static

3

976a33974f...18.exe

windows7-x64

10

976a33974f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2024, 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    976a33974f490b31cf4864282ecdabbb_JaffaCakes118.exe

  • Size

    102KB

  • MD5

    976a33974f490b31cf4864282ecdabbb

  • SHA1

    08f8b3de263abfabc61544c9a0caf3f7cff56b2c

  • SHA256

    121a65e9f750c4edd373304119e3860892e0d9faf0cad9b23233e80fe943bc39

  • SHA512

    820f65471eb2540c54bcc3db5a002ef35a13ff2ebad59ef64f867b94c85b4c0bdf7ca9c3eeccc64c1aef3aa90ef3b953c8a0dee344ad1d8c1629234a6176dbbb

  • SSDEEP

    1536:/NLrBTxdDJ0PGFa04C1kPYRWnsDJT9XDJf/:z/DJrQ04C1kPbsFhDJ3

Score
10/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\976a33974f490b31cf4864282ecdabbb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\976a33974f490b31cf4864282ecdabbb_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:3056
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b4 0x3dc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3056-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3056-5-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download