Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    23/08/2024, 01:19

General

  • Target

    b9cd956fb3dd23a42d76857294b5c5e5_JaffaCakes118.exe

  • Size

    748KB

  • MD5

    b9cd956fb3dd23a42d76857294b5c5e5

  • SHA1

    a66aaf9d00f74a055476c612bf964931a0127498

  • SHA256

    1568bfc419fa7e558d8da48c43c33c420a504578cc691258ec4ded9bbcf55241

  • SHA512

    81c77aeaab903e52dbd48be6ec4d2d2e30f911db1452f990c9038c53bd1bb5eb6cefd35ffbb4707ffa4176d85512496cbe079155eb9ecc451476194afe755173

  • SSDEEP

    12288:kgHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+Y5kN:Iqmwjfz79iSJOUY5kN

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 30 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9cd956fb3dd23a42d76857294b5c5e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b9cd956fb3dd23a42d76857294b5c5e5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe
      "C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe" "c:\users\admin\appdata\local\temp\b9cd956fb3dd23a42d76857294b5c5e5_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:936
      • C:\Users\Admin\AppData\Local\Temp\nutfen.exe
        "C:\Users\Admin\AppData\Local\Temp\nutfen.exe" "-C:\Users\Admin\AppData\Local\Temp\zqzvexleyjysshek.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2532
      • C:\Users\Admin\AppData\Local\Temp\nutfen.exe
        "C:\Users\Admin\AppData\Local\Temp\nutfen.exe" "-C:\Users\Admin\AppData\Local\Temp\zqzvexleyjysshek.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1372
    • C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe
      "C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe" "c:\users\admin\appdata\local\temp\b9cd956fb3dd23a42d76857294b5c5e5_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2572

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\egahbfeinjjozzhyqvxrysw.zea

    Filesize

    272B

    MD5

    023b36dff06b20a049117a048714eb8f

    SHA1

    ad12cb70f7a37e15df81775108c72f710581036d

    SHA256

    c76b46ac891fdf7d0a44cd20595dbae8b97d8787ff89c92a4d3d3962e454573f

    SHA512

    667ac28a184c8940f6714235d534192422adf4f6996e5021f187818fcc851d45aba493d5a42579f5dc76ddbeaff10ce391bd5d8fbd36b7eb10b965397bcb1e57

  • C:\Program Files (x86)\egahbfeinjjozzhyqvxrysw.zea

    Filesize

    272B

    MD5

    a2525a67e5b9088e5b8ff7d398f6295b

    SHA1

    fe59373b96ab140fe645f29e264b8f82e738dd01

    SHA256

    5540b27ef51fb86fa6a6637e9817b4d8e6f15d1cbf41ee2dd8cc17f8860f09b2

    SHA512

    92d79bcdd9164c13c0dae7f65602d1ba464240e4aeb0bd67ea7ef538281fdbfe6578bc79651e0578e133356b45aac0c7d2e62df2fe5c8e34b091e7b2f2081960

  • C:\Program Files (x86)\egahbfeinjjozzhyqvxrysw.zea

    Filesize

    272B

    MD5

    0787c6b5cff43634290498925410ca6e

    SHA1

    9f1606c5fc1a4822478c3c066097259478d5a840

    SHA256

    c77c918c316d8a87088b47c0c896c50040126e4b47aebc0d32f1ae15c4d3f115

    SHA512

    a8c50f7fea8779c614e8b139e86e29912c255c2b512afed4c7a32b60c88597a91044a7ec12b19dacb2a08f3da5590361125ef652f0c103808f11e4161af7cc17

  • C:\Users\Admin\AppData\Local\egahbfeinjjozzhyqvxrysw.zea

    Filesize

    272B

    MD5

    b927c1f8d8a1a49a008f6ad6a45df322

    SHA1

    5c313b2ee9a6eb5252f079210dd20aadde9b8e2e

    SHA256

    a4173a1d60a2359f5fad6896419dc8f61659d93d017f99bb3eaff69b36a1287c

    SHA512

    b19344b8de7f9041cd257ef9b914fd2c717e5b5c10cf830f76db75200799722a055031eb8dc04902dca8ebb19f8776670f35344e6603ccca7224f6788dd56c6f

  • C:\Users\Admin\AppData\Local\egahbfeinjjozzhyqvxrysw.zea

    Filesize

    272B

    MD5

    0db430f83b41317cb388ff2f0b52b5dd

    SHA1

    2c2321ca3c27ecf7a7dd7cc07e02b5027b1552db

    SHA256

    7d3f8769ffe981a569647721e8b8a5d5fadcb260d523b8192a7ac71a8bb49a4a

    SHA512

    53195b5a683ab64fce700482034c1993689e8c8087ae1961789bdba171632fa3001e8209afaddecac2ecab784b442c556f3f3750616c4b619fb7ed20293104ae

  • C:\Users\Admin\AppData\Local\egahbfeinjjozzhyqvxrysw.zea

    Filesize

    272B

    MD5

    ceeacf442a2b1fe37c91428986eae335

    SHA1

    335c3e751de9d2fa1b55ed7e29ef2d75856b5c6e

    SHA256

    68ca23a7b46c197335a8790a18307b3b9cdda6cdc1885a7f62f8eda1a53fcbc7

    SHA512

    0c4f1c3df216f8fdd2311b15e27816565899b2c1c07586eaa52ed5826e32676a31b70e6c8ac9d5d5c8d9983b3af6e8a3f98dfa09872f56bae5d49d1526175841

  • C:\Users\Admin\AppData\Local\rejbgvfukrcsozsuxnafxcrbqgnyokvoqt.wbt

    Filesize

    3KB

    MD5

    dfe1697cc2a5e71262a04057750c12a9

    SHA1

    52449ffed4c9fad50513ab5f93e53427fa8de28a

    SHA256

    6f32d908e4a541d9e0dd961a709065b7aa7c93768b174a5396352bfbcfdba837

    SHA512

    2cf73500a5a46743dee650a839f48d8a4dd39da7db7c48437d78821360fdf89aa85c7174f2c99c2e43036b5f913f0e2ee172b2cc3208ba88a125c63364f12be2

  • C:\Windows\SysWOW64\pitrcxnieriegxwenj.exe

    Filesize

    748KB

    MD5

    b9cd956fb3dd23a42d76857294b5c5e5

    SHA1

    a66aaf9d00f74a055476c612bf964931a0127498

    SHA256

    1568bfc419fa7e558d8da48c43c33c420a504578cc691258ec4ded9bbcf55241

    SHA512

    81c77aeaab903e52dbd48be6ec4d2d2e30f911db1452f990c9038c53bd1bb5eb6cefd35ffbb4707ffa4176d85512496cbe079155eb9ecc451476194afe755173

  • \Users\Admin\AppData\Local\Temp\nutfen.exe

    Filesize

    692KB

    MD5

    86144dc5f3113c59de67a12058f17699

    SHA1

    96a813a8336cd608417d0849ff39a547084b174e

    SHA256

    09a22088b21dd74b581b040513dbcb3d62fa1dda2eae35243d422aedd4097ceb

    SHA512

    c7933adb1c504771d4599a3a66a47541e61153c89c8749313b7f3ac86dd76a4935ff70bcdbba0aa19ec6fef5dcd313b9215b31d520d2006f4f1378b79006badf

  • \Users\Admin\AppData\Local\Temp\qapkumnpakz.exe

    Filesize

    320KB

    MD5

    b92314203327a733531042bc58e54f57

    SHA1

    1f3d0081f308a82c9659f4a57fc1ad551167a181

    SHA256

    d936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3

    SHA512

    2982559183e13830cd795c7badadb15b4dad50315155299d9713970aff034c827ade98c79d6da836aea743890aca71bc0f7d5348a32f2858b4f40884ecccf7f7
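The report gives enough to sweep a suspect host for this sample's footprint. Two things worth reading off the Downloads list first: the copy dropped as C:\Windows\SysWOW64\pitrcxnieriegxwenj.exe carries the same MD5/SHA1/SHA256/SHA512 as the submitted file, so it is a byte-identical self-copy and one hash covers both; and egahbfeinjjozzhyqvxrysw.zea appears six times at two paths with six different hashes, so that file is rewritten during the run and is only useful as a path indicator, not a hash indicator. The script below is an added triage example, not code from the sandbox, from the report, or from the sample. The file names, paths and SHA-256 values come from the report; the registry locations are the standard ones the signature names refer to (Winlogon Shell/Userinit, Run and Policies\Explorer\Run, EnableLUA and ConsentPromptBehaviorAdmin, DisableRegistryTools, SafeBoot) and the "expected" default values are assumptions about what the sandbox matched, since the page shows signature names and IoC counts rather than the registry values themselves. Checking every profile under C:\Users instead of only the sandbox's "Admin" user is a generalization.

```powershell
# Added example, not part of the sandbox report or the sample: a host triage
# sweep for the artifacts the report lists. File names, paths and SHA-256
# values come from the report. The registry locations are the standard ones
# the signature names refer to and the "expected" defaults are assumptions,
# not values the report shows. Needs PowerShell 4+ (Get-FileHash), elevated.

$Names = @('qapkumnpakz', 'nutfen', 'zqzvexleyjysshek', 'pitrcxnieriegxwenj',
           'egahbfeinjjozzhyqvxrysw', 'rejbgvfukrcsozsuxnafxcrbqgnyokvoqt')
$NamePattern = $Names -join '|'

# SHA-256 of the files the report hashed. The submitted sample and the copy
# dropped as SysWOW64\pitrcxnieriegxwenj.exe have identical hashes, so one
# entry covers both. The .zea files are matched by path only: the report
# shows six different hashes for the same path, so their content varies.
$KnownSha256 = @{
    '1568bfc419fa7e558d8da48c43c33c420a504578cc691258ec4ded9bbcf55241' = 'submitted sample / pitrcxnieriegxwenj.exe'
    '09a22088b21dd74b581b040513dbcb3d62fa1dda2eae35243d422aedd4097ceb' = 'nutfen.exe'
    'd936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3' = 'qapkumnpakz.exe'
    '6f32d908e4a541d9e0dd961a709065b7aa7c93768b174a5396352bfbcfdba837' = 'rejbgvfukrcsozsuxnafxcrbqgnyokvoqt.wbt'
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The sandbox user was "Admin"; every profile is checked.
$Candidates = @("$env:windir\SysWOW64\pitrcxnieriegxwenj.exe",
                "${env:ProgramFiles(x86)}\egahbfeinjjozzhyqvxrysw.zea")
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $local = Join-Path $profile.FullName 'AppData\Local'
    $Candidates += @("$local\egahbfeinjjozzhyqvxrysw.zea",
                     "$local\rejbgvfukrcsozsuxnafxcrbqgnyokvoqt.wbt",
                     "$local\Temp\nutfen.exe",
                     "$local\Temp\qapkumnpakz.exe",
                     "$local\Temp\zqzvexleyjysshek.exe")
}
foreach ($p in $Candidates) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256.ContainsKey($h)) { $tag = "hash matches report: $($KnownSha256[$h])" }
    else { $tag = "present, hash $h not in report" }
    $Findings.Add("FILE     $p ($tag)")
}

# 2. Run keys (HKLM, Wow6432Node, HKCU) and policy Run keys. Every value in a
#    Policies\Explorer\Run key is reported; ordinary Run values only when they
#    reference one of the dropped names.
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($v in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ($k -like '*\Policies\*' -or "$($v.Value)" -match $NamePattern) {
            $Findings.Add("RUN      $k\$($v.Name) = $($v.Value)")
        }
    }
}

# 3. Winlogon Shell / Userinit (assumed defaults: explorer.exe and
#    <windir>\system32\userinit.exe, with the trailing comma).
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { $Findings.Add("WINLOGON Shell = $($wl.Shell)") }
if ("$($wl.Userinit)".TrimEnd(',') -ne "$env:windir\system32\userinit.exe") {
    $Findings.Add("WINLOGON Userinit = $($wl.Userinit)")
}

# 4. UAC and RegEdit policy values (EnableLUA is machine-wide, the others can
#    sit in either hive).
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    if ($hive -eq 'HKLM' -and $pol.EnableLUA -ne 1) { $Findings.Add("UAC      EnableLUA = $($pol.EnableLUA)") }
    if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $Findings.Add("UAC      $hive ConsentPromptBehaviorAdmin = 0 (elevate without prompting)") }
    if ($pol.DisableRegistryTools) { $Findings.Add("POLICY   $hive DisableRegistryTools = $($pol.DisableRegistryTools)") }
}

# 5. Safe Mode boot: subkeys named after the dropped files, or a changed AlternateShell.
foreach ($mode in 'Minimal', 'Network') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Get-ChildItem $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $NamePattern } |
        ForEach-Object { $Findings.Add("SAFEBOOT $base\$($_.PSChildName)") }
}
$alt = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot').AlternateShell
if ($alt -ne 'cmd.exe') { $Findings.Add("SAFEBOOT AlternateShell = $alt") }

# 6. autorun.inf at the root of every mounted file-system drive.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if (-not $d.Root) { continue }
    $a = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $a) {
        $Findings.Add("AUTORUN  $a : " + ((Get-Content -LiteralPath $a) -join ' | '))
    }
}

if ($Findings.Count -eq 0) { 'No artifacts from the report found.' } else { $Findings }
```

Run it from an elevated 64-bit PowerShell so the HKLM paths are not redirected through Wow6432Node; on Windows 7 that means Windows Management Framework 4.0 or later for Get-FileHash. A hit on a file hash is conclusive for this sample; a hit on a registry value is only a lead, because the report does not show the values the sandbox matched, so confirm each one against the sandbox's IoC detail before acting on it.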