Overview

overview

10

Static

static

3

b5273a0163...18.exe

windows7-x64

10

b5273a0163...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5273a0163c71fcad373632402716d6d_JaffaCakes118.exe

  • Size

    360KB

  • MD5

    b5273a0163c71fcad373632402716d6d

  • SHA1

    ec6fb6cda84c718abfc23ad6176c09bb5d0c3ea1

  • SHA256

    c5945445ce7edd6dd33a730a4c1bcf6b4d42b2f3e451d9e69e968b67cd40f320

  • SHA512

    5ad7cb8d2721968d532cb33b2a65abf2f19c02ba12f0fb0326926320d60dfaf10705b84464f9096be83e60718d3fc01667e8649dd628691dc4ab2fe09836fa98

  • SSDEEP

    6144:eCAt/ABfs18svlnkczR/MurAXIEAykBnFq/N5tRJoRkSdkalPjavSQot5KP6G:ehMfQ8svlkKtIXIz52J8jdpiSQonKP3

Score
10/10
defense_evasiondiscoveryevasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies Shared Task Scheduler registry keys 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 19 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • System policy modification 1 TTPs 8 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5273a0163c71fcad373632402716d6d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b5273a0163c71fcad373632402716d6d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\1_dropper_286962.exe
      "C:\Users\Admin\AppData\Local\Temp\1_dropper_286962.exe"
      2⤵
      • Modifies Shared Task Scheduler registry keys
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\wndutl32.dll,load
        3⤵
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Modifies Shared Task Scheduler registry keys
        • Loads dropped DLL
        • Windows security modification
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • System policy modification
        PID:2696
    • C:\Users\Admin\AppData\Local\Temp\2_load.exe
      "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1488
    • C:\Users\Admin\AppData\Local\Temp\3_baracudanew.exe
      "C:\Users\Admin\AppData\Local\Temp\3_baracudanew.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 88
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2588
    • C:\Users\Admin\AppData\Local\Temp\4_odb.exe
      "C:\Users\Admin\AppData\Local\Temp\4_odb.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 300
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2_load.exe
    Filesize

    10KB

    MD5

    38afda4effa4cb8a29e8e5b8af91b1e5

    SHA1

    cd2611d911c37dc68525bc36b24fb69e6cea6f34

    SHA256

    8377f14adcb98d8af8e70d74642afc09b6e72cf56aa55d734aafadc41596a317

    SHA512

    83422717402beb076d0177db43e0b99a9da863584a88fc6afdfe80f4d3872976497c4b295a5f81f649ddb0c249a8a4de34ea6af292e0099c6f3b3ddb980e519e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4_odb.exe
    Filesize

    229KB

    MD5

    5ed2d74e842d4c01b6ae7ef42e068980

    SHA1

    8158cc4dec022ddb7ac3638c6565b239fb476ad3

    SHA256

    73c8370664d9b28d14efcdf705c4195edcd560083fcf6f2ab8f5a74b2f899814

    SHA512

    73ce80fbcf9db42b2d6d01d4b724ee39a118a7cf6996fcd34b04f14f4e3a89de1df891438dcca534e9ac71f40bd441ae7b31a47dffc7844bf28b5b1a79980b83

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wndutl32.dll
    Filesize

    12KB

    MD5

    ee5164fc77d90baa439616fd8b7c8fe1

    SHA1

    75532c4d73fb437b7d863089a01276207f17e872

    SHA256

    17c729128efb050a4ed4cc5cd9127c2f65696f9a81b3057e9a2899fe47eeb9c4

    SHA512

    d3f07bd89fd0e0168601002d976c76e50eadaad0ce3f756143a36147c20690aa6459afc72b6f8389a3f7f605d1beacb1246df7212498e20130c6cbcfbff8a0b5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\1_dropper_286962.exe
    Filesize

    48KB

    MD5

    3e353f7e256abe626507680900efba77

    SHA1

    119bdbb3035e3b17658c8992585acde7804c8050

    SHA256

    0f404bc8550f8c66c922b23a1f94137915bb443f824149fff9d8baf7358e80fa

    SHA512

    7179e571b276e32c189797e96cd53d4d51997e0c20ffd539ac78f1b0049fb33a5db61dc9de4a8d68ee024fee9dc6263e11b99fe80b4398e87c585742a6533d1c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3_baracudanew.exe
    Filesize

    40KB

    MD5

    42ff43f14d6ba7503644c0e6e196239a

    SHA1

    3bccdc80fcc52723af4e1b9adf7383b616abfdb6

    SHA256

    dcb7130ebd624181ecef49e61b1e4bac01380bc52d5373a439108e1d8478f8ac

    SHA512

    b39d58a7f089113937e3087ad1dff2e04112c977d3d518678cf99b972ef65af7700906bbd3a377e05820c0095b8aa3244d536a451c54b991742d24981db83408

    Download Submit

  • memory/1352-26-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1352-64-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1352-15-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1352-45-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2208-73-0x0000000000400000-0x000000000090A000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2208-43-0x0000000000400000-0x000000000090A000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2208-68-0x0000000000400000-0x000000000090A000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2224-71-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2264-70-0x0000000013140000-0x000000001314F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-0-0x0000000000402000-0x000000000045B000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2340-40-0x0000000000402000-0x000000000045B000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2340-6-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2340-1-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2340-41-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2696-72-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2696-92-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2696-110-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

    Download