Overview

overview

8

Static

static

3

c1d60bd69f...18.exe

windows7-x64

8

c1d60bd69f...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-08-2024 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe

  • Size

    27KB

  • MD5

    c1d60bd69f7401a7b89e68477568890b

  • SHA1

    69bb44e4deee308720df5d7875ada0713a77500b

  • SHA256

    8acc540558b6b27cb3cb317f518be14c8fa14357c95f9121645b6f05b77ae934

  • SHA512

    03497a5c2283442eb8861ba1354d43652f4088793ee56e2113098e6566f65781829a9afb6cf7db9ade3cc7dfee0960d306da14e7e365617534f6636b11b4c636

  • SSDEEP

    768:vGt/RmafR6e2pjX9rNxpyxc7JbTi3ckCI:vYRVke2p79RxWc7n8

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop McShield
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\net.exe
        net stop McShield
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop McShield
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5080
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop KWhatchsvc
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\SysWOW64\net.exe
        net stop KWhatchsvc
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop KWhatchsvc
          4⤵
          • System Location Discovery: System Language Discovery
          PID:224
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop KPfwSvc
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\net.exe
        net stop KPfwSvc
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop KPfwSvc
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3188
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Symantec AntiVirus"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\net.exe
        net stop "Symantec AntiVirus"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Symantec AntiVirus"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4764
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Symantec AntiVirus Drivers Services"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\net.exe
        net stop "Symantec AntiVirus Drivers Services"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Symantec AntiVirus Drivers Services"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Symantec AntiVirus Definition Watcher"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\SysWOW64\net.exe
        net stop "Symantec AntiVirus Definition Watcher"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3908
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "McAfee Framework ·þÎñ"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\SysWOW64\net.exe
        net stop "McAfee Framework ·þÎñ"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "McAfee Framework Service"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2396
      • C:\Windows\SysWOW64\net.exe
        net stop "McAfee Framework Service"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3548
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "McAfee Framework Service"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Network Associates McShield"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3616
      • C:\Windows\SysWOW64\net.exe
        net stop "Network Associates McShield"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2328
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Network Associates McShield"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:704
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Network Associates Task Manager"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:812
      • C:\Windows\SysWOW64\net.exe
        net stop "Network Associates Task Manager"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1640
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Network Associates Task Manager"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Norton AntiVirus Server"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3916
      • C:\Windows\SysWOW64\net.exe
        net stop "Norton AntiVirus Server"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4456
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Norton AntiVirus Server"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:716
    • C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      PID:2272
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 12
        3⤵
        • Program crash
        PID:3708
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:316
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3532
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4204
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4856
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3548
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4948
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2808
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3940
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:652
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2272 -ip 2272
    1⤵
      PID:4500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\AUTORUN.INF
      Filesize

      143B

      MD5

      77959cc588db738d0b8fe7e0e71551e2

      SHA1

      6c87e5994a72ebc9e0a012eecb9572e05820d2f4

      SHA256

      d1b07ae3ba2f9a1b5522cee988c0c67b3451bec2a61f7ad19bc1c9831c447a9b

      SHA512

      407931710444de7b0335d30833bae567c06bdb6ce8b77f2140de67902ef12c7ce850bf01cdc16d37fdeb791258a1c7226b440d682e64db9b783b5a1e227a1fdd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c1d60bd69f7401a7b89e68477568890b_JaffaCakes118.exe
      Filesize

      27KB

      MD5

      c1d60bd69f7401a7b89e68477568890b

      SHA1

      69bb44e4deee308720df5d7875ada0713a77500b

      SHA256

      8acc540558b6b27cb3cb317f518be14c8fa14357c95f9121645b6f05b77ae934

      SHA512

      03497a5c2283442eb8861ba1354d43652f4088793ee56e2113098e6566f65781829a9afb6cf7db9ade3cc7dfee0960d306da14e7e365617534f6636b11b4c636

      Download Submit

    • memory/2272-2-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3356-0-0x0000000013140000-0x000000001315C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3356-1-0x0000000000590000-0x0000000000591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3356-4-0x0000000013140000-0x000000001315C000-memory.dmp

      Filesize

      112KB

      Download