Overview

overview

10

Static

static

3

b91c83f400...18.exe

windows7-x64

10

b91c83f400...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/08/2024, 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b91c83f400f4da99dcfd67d6d4be399d_JaffaCakes118.exe

  • Size

    44KB

  • MD5

    b91c83f400f4da99dcfd67d6d4be399d

  • SHA1

    eec3e91b0561d246b3e026e394c811d784374900

  • SHA256

    c3e4d3da736b19e4bb4a37c061a861b5cd10b28e0e5b5aa090ffa6c2042ed37b

  • SHA512

    1c48ae02b326a464bc5c2c86696290471af5ff9e8ab764a6b4d52b5957088e4cdf0d503d2dbd4b0c989d583adb6a1060bd7f5fdcbc9d74a0978cabee6b7449f7

  • SSDEEP

    768:f4IYUB5VhCob0GTmcYDj0BSHhAV02SRpPY:wzUB5VQob07cYs0s0J2

Score
10/10
defense_evasionevasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Drivers directory 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b91c83f400f4da99dcfd67d6d4be399d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b91c83f400f4da99dcfd67d6d4be399d_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4072-0-0x00007FF9CF835000-0x00007FF9CF836000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-1-0x000000001B8A0000-0x000000001B946000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4072-2-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-3-0x000000001BE20000-0x000000001C2EE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4072-4-0x000000001C3E0000-0x000000001C47C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4072-5-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-6-0x0000000001280000-0x0000000001288000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4072-7-0x000000001C640000-0x000000001C68C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4072-8-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-9-0x000000001EDF0000-0x000000001EE09000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4072-10-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-11-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-15-0x00007FF9CF835000-0x00007FF9CF836000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-16-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-17-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-18-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-19-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-20-0x00007FF9CF580000-0x00007FF9CFF21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4072-33-0x0000000020F80000-0x0000000021437000-memory.dmp

    Filesize

    4.7MB

    Download