Overview

overview

8

Static

static

3

bc0ee3e54b...18.exe

windows7-x64

8

bc0ee3e54b...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    bc0ee3e54b30159aba15019a51197300

  • SHA1

    b02627317e03b6c669922fccc42ff4eb9da95d1a

  • SHA256

    02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

  • SHA512

    20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

  • SSDEEP

    1536:yy6h6NL247EJlU5IB99muEO40sW9qazlShlq4Se:2hU24uWCB99muEh0sW9nYjq4D

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 48 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\downf.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\myccdd080721a.exe
          "C:\Windows\system32\myccdd080721a.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
              PID:2888
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3068
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2204
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1008
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1444
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:268
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2620
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2464
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:772
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1764
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1848
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2268
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2312
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1736
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1328
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:112
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3020
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:968
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:776
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2216
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1744
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1608
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1076
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1552
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2584
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1812
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1656
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1940
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2208
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2404
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2164
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:536
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2128
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2944
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2840
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3000
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2852
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2192
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1904
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1260
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1500
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1540
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:916
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2072
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1668
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1124
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1588
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\myccdd080721a.exe
      Filesize

      76KB

      MD5

      bc0ee3e54b30159aba15019a51197300

      SHA1

      b02627317e03b6c669922fccc42ff4eb9da95d1a

      SHA256

      02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

      SHA512

      20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

      Download Submit

    • C:\Windows\SysWOW64\mywcc080721.dll
      Filesize

      28KB

      MD5

      868feda0c9c6b32ac94b70fb19493b2b

      SHA1

      e59b08baa120a6f9b834844c9c2903662676e37c

      SHA256

      ae44365f29c76a748653f6f698624f7e1d7f6357a0b497833ca70264b1f34fb6

      SHA512

      7b4ad26f8dcc712cf7876969d489667e2598b92e4ea347f774b9234d5dda4984ad1d5f35572e3d0db4a06d656a16bcbcc18593b82537df04694b844ceedde048

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      150B

      MD5

      dbda144b8729a84cca62b0f9d57610a7

      SHA1

      e749ebeedd1b953cf2da7cb6d53ff0b6fafe664b

      SHA256

      9c976bcf1b873d147c57fe3cfcb53251d2e33d37462124397013bf5204235a7f

      SHA512

      0c7ae7c802a78f67e12a5d8f1c97370be55f763bfdd1a38b5496f2165e842199031cee6129812f2ebc413a773820c9dc73db18e1d07f88bece36c84b4f3d9d9b

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      464B

      MD5

      69b215aaf113a29d758b21745b0ca3ad

      SHA1

      649c572ed8f99b90ddc60ffe8160a6d27300a00e

      SHA256

      2d12634a8c6a79b050ac3097a9d3789b5aa456770b6c6001f4600d2d1ad4c91c

      SHA512

      a99cff16ca65b7fe9d3ad3a7aa1312df93d050f7fe508ab8adf31fcd703162298a6e076067fe22b8629234d7187a7cd3de7e9610e8fdb92c0c376a193877a9ce

      Download Submit

    • C:\downf.bat
      Filesize

      51B

      MD5

      2b724c6a8fcd230311547ed4e1b9d68e

      SHA1

      10355c1441991688bde91b7c02688f308bf00915

      SHA256

      3f77676fa2c0553c11b7277adcd2666bba06e22d4ce39f0ff3c3245eff645a0e

      SHA512

      48215bac2db84c0445d5c4bd80abe13fbdf0f6750c4bad1306a01283362e2e97ab8992be597634b803bd12892c682615c637dcbae36c5441e50fea5346bb374d

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      139B

      MD5

      3a1bd2916250a4d03a63c8877a0098be

      SHA1

      fe761cbb2533906e4a6c5604a79d0c0bf94fd87f

      SHA256

      8183f9a2b8b37f4a70e5296c85d9fff3cba80a6950314d9900026dfc84a00a9d

      SHA512

      d1d03acc696e6b660ddb61c217665f5d202907e4548df4e17c92183490a2bc98c3cb9492a1e3aa678a17c5e8096ba05190c02e918aa4ca0123ca6e50e485e849

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      233B

      MD5

      84852456cb8bed92b1a703b43ca80e93

      SHA1

      3f72ba453f0abc410917d57c12c5951c1d020e61

      SHA256

      9398bc91ea704d880e143ed09303baa8a67ad33a0c8d1de30842c2a1948b2948

      SHA512

      8dff637d817c27887c562047c66813f6bee93e70ed3d3f3c10a8103d3e0c25b7c04a0d92bcfd5140eed721e1b812f3957228b0144fae9547df6505f0bf15f7e6

      Download Submit

    • memory/2272-19-0x0000000000170000-0x000000000017D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2272-42-0x0000000000170000-0x000000000017D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2272-48-0x0000000000170000-0x000000000017D000-memory.dmp

      Filesize

      52KB

      Download