Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    20-08-2024 23:15

General

  • Target

    b13d266d7930d62bb95a0f85e236a111_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    b13d266d7930d62bb95a0f85e236a111

  • SHA1

    9aa1b2072bf41a68cf64b94048b8406d50940637

  • SHA256

    98dec3ef3dcfeb1a3a93ff465e718e63ca1414a059cdcb51b7e222f243208e39

  • SHA512

    ab1efdfd88dd36dfdc9a1f8be0a9af1c0c5f44a8e3b115d7ec0cb2009c016ff611763191db5685d7637f0ade196556f2815dcf8971ab4e98b41e4a6d7d3e2cf0

  • SSDEEP

    24576:DKqIJ3/kQicNgECjwS4/qlsJSR7IuRfDLGMJDa7o5225gonhJq3nvT:mrsxcOL4dYRIIfDLN5225r7q3L

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b13d266d7930d62bb95a0f85e236a111_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b13d266d7930d62bb95a0f85e236a111_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\snetconne.exe
      "C:\Windows\system32\snetconne.exe" /install /silent
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1244
  • C:\Windows\SysWOW64\snetconne.exe
    C:\Windows\SysWOW64\snetconne.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SysWOW64\nlokgbn.exe
      "C:\Windows\system32\nlokgbn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\nlokgbn.exe

    Filesize

    98KB

    MD5

    4da0fb6e95cae85273808b52bca50e06

    SHA1

    288d55ca201b70722f706d4c432688d709e89b2e

    SHA256

    e0ae404ac8098884b6f0d309d67270b083809cfb8e9533ff43af3303f6e5476b

    SHA512

    d1af97692e0f540c46179aa601870a43a4096bc7ce9ab80c226a474e0a78c9cb55e7fa26c12810aafac7e3751d5b01ee2d8f32f9731fce5b005cf55209904f58

  • C:\Windows\SysWOW64\snetconne.exe

    Filesize

    1.6MB

    MD5

    9498afa72fcd14e89a0bfd04892901db

    SHA1

    4de8f640bb9765e1bbf77abb195a47912922f7e1

    SHA256

    3992e0ceb35700e244165b8a987220d067383e1d445df6fa52f8824ca570428b

    SHA512

    207934f7085b096e68ee09744812136ca2a5320b01ffeb41817e00ee6227d543450bbb34315aff7b12de6b4c55912793ec10176a57402920eda880aae3e7f5ea

  • \Windows\SysWOW64\dpcggf.dll

    Filesize

    342KB

    MD5

    e25601eb34b48a212a30633e24365adc

    SHA1

    6a857d6f9bee922f616238081a64457a9b1596ce

    SHA256

    f0efbd3864f2cc8ba241c6b1e2f64d878a450d302332b4ed4bad60978162cc04

    SHA512

    e7cb43a46ea38f33031b9f3154d9a1c75eaf595425b6dc1604ea1225f5a4fc915434c5f3ff50b8c1b85aa028212fcd4d3a3784f970f2ea674018e2c3eeb02fad

  • memory/1244-14-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1244-16-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/2000-44-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2072-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2948-40-0x0000000002A30000-0x0000000002B35000-memory.dmp

    Filesize

    1.0MB

  • memory/2948-41-0x0000000002B50000-0x0000000002B51000-memory.dmp

    Filesize

    4KB

  • memory/2948-17-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2948-45-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2948-46-0x0000000002A30000-0x0000000002B35000-memory.dmp

    Filesize

    1.0MB

  • memory/2948-47-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/2948-51-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB