Overview

overview

9

Static

static

3

b4a92f0eff...18.exe

windows7-x64

3

b4a92f0eff...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4a92f0eff02fdde0d1c222b7186865d_JaffaCakes118.exe

  • Size

    119KB

  • MD5

    b4a92f0eff02fdde0d1c222b7186865d

  • SHA1

    17e3c026f464471687a217e4ada215fd06b3fe26

  • SHA256

    d594dee438f8177f235385b07c370a9f11209ddf652218ae6571623247c23273

  • SHA512

    1cce00dbc64e8a48dcdcd4e3341c752dd9d1cc34782c0fb7b1324e5b502995e698e83f7ace06cf04ee4efd2e3368af1786eb85bd5b0ab14c03df8fa5d07a1550

  • SSDEEP

    3072:Lf2NJlrelZSlwHvmTKcfhjFtyot72VtGlIAOxJV:KJlqluwmG+5ootS+nOxT

Score
9/10
discoverypersistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (216) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4a92f0eff02fdde0d1c222b7186865d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4a92f0eff02fdde0d1c222b7186865d_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:1356
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3772
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8184.bat
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Users\Admin\AppData\Local\Temp\b4a92f0eff02fdde0d1c222b7186865d_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\b4a92f0eff02fdde0d1c222b7186865d_JaffaCakes118.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1156
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:4792
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4092
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4076
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:5032

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe.Exe
        Filesize

        638KB

        MD5

        13f11e77e43ed7208c13eb3544e79976

        SHA1

        5a5d414c2073fa20480e0bb4beb635819748cf4a

        SHA256

        9327eff035a0bdd4bee21b328cbfb601e76c22ab210ea637481a6eed65a08f87

        SHA512

        7ca037256c31fda9c86d9bdf85e3aeb1daf710c705368431abfaf9eadaa454da8d36d26ae4b51e1fa7a2aabd2d32ae7ac60754f647cc7f0da3be841796b65ac4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a8184.bat
        Filesize

        614B

        MD5

        bca0e775c625b7bbd1101789bee132cc

        SHA1

        651db1d79c6b15b9e745ca9a9c298d8269870620

        SHA256

        d306052273a2da6712575f0a4afb6233b446a978b1f27e897fb3626b25f7bf63

        SHA512

        9e24c313bea12cbb968b945e9f6d6522570f387eefe04a39060a07311ae19c255141402c8d2cd8bbcf87d4c9af934b3694e6ed658bcb95ce706cb00c12db91b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2.dll
        Filesize

        25KB

        MD5

        31918070aff5a96453c3d867dd3c0ef6

        SHA1

        c8735d8175a49cfd5e72a1719d6c6cd7c85f9729

        SHA256

        b62fd03a4d21a5fc979113adff64c341855666bb45d7c3f833a5a39eb6ea0a9c

        SHA512

        5a287ef253f07a80b61cf8c3aa1d0bba6173d7ccf421c0bb66e006bd0692358f8379c7d1621d9c96c788a18bd36dd8f4852b1341d24aca5bd26b519708facba1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b4a92f0eff02fdde0d1c222b7186865d_JaffaCakes118.exe.exe
        Filesize

        25KB

        MD5

        6ff84be315cfafbbdf36aa01af8389e7

        SHA1

        2c550a4059ac331f5f5c9d3f218e0f6184aa27c9

        SHA256

        47c67c1c88ceaee3cf1667bf956a3e11a84dea2f7c2afc634777aa5f1bf65c76

        SHA512

        72498b009573a9cc9b5554e61d56b68f273682bfa2e13808f4abd5b2171aa59dd4a64bd9f68a3a416cfaceacb0041df918d8a84f28a5fa7f204fc562c5b6b174

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        94KB

        MD5

        3b03a45e7bdde2ac8987049c069d8971

        SHA1

        3f9b4eb2c73868bf931c262daf2cc0f85e8410a4

        SHA256

        5a894c6ca18c01fe02c788ad19f2bb699cdef217f20efd43e1f9b58f4f30b6e5

        SHA512

        ee9b43f621a8ee5c70a599cfb7ba24b1461020dd2a89cf393ed5201f1e5b32b6b95f2e83aeef60932018b4067abae018d32cd48c79e62344d184a20f97b1fd4a

        Download Submit

      • C:\Windows\system32\drivers\etc\hosts
        Filesize

        842B

        MD5

        6f4adf207ef402d9ef40c6aa52ffd245

        SHA1

        4b05b495619c643f02e278dede8f5b1392555a57

        SHA256

        d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

        SHA512

        a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

        Download Submit

      • memory/3128-9-0x0000000000530000-0x0000000000550000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3128-19-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3128-20-0x0000000010000000-0x0000000010017000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3128-0-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3128-5-0x0000000010000000-0x0000000010017000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3128-6-0x0000000000550000-0x0000000000570000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4260-18-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4260-30-0x0000000000470000-0x00000000004B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4260-29-0x0000000010000000-0x0000000010017000-memory.dmp

        Filesize

        92KB

        Download

      • memory/4260-38-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4260-39-0x0000000000470000-0x00000000004B0000-memory.dmp

        Filesize

        256KB

        Download