Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/08/2024, 23:54

General

  • Target

    cdd562e9fdf47ce1efeac2de114ee8eb_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    cdd562e9fdf47ce1efeac2de114ee8eb

  • SHA1

    aae238546cb2fab86c76989d9d8c5571841c35aa

  • SHA256

    5f3e82b10f7fba6cc29d2ff56f21c836664a7ee26e706c334c154c6fe1fd6ccc

  • SHA512

    a14d3768545e6f76bf0d360f215ec22a45f1b0801c03b3abe93e0818816ffaf9b9e58b5bdaa246429a9ebe6b937fc203bc3416686ed72c87a7d5c8ffdf88bc10

  • SSDEEP

    6144:aTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:0XgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 26 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdd562e9fdf47ce1efeac2de114ee8eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cdd562e9fdf47ce1efeac2de114ee8eb_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\ygpodjs.exe
      "C:\Users\Admin\AppData\Local\Temp\ygpodjs.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2444
    • C:\Users\Admin\AppData\Local\Temp\ygpodjs.exe
      "C:\Users\Admin\AppData\Local\Temp\ygpodjs.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\agnkxbiknrfunocizxmszwjnuwz.rgz

    Filesize

    280B

    MD5

    a4ed448990ec58a9af541d88ec5d6d17

    SHA1

    1f781c473a042c7685019952a05bc573080ddab0

    SHA256

    fb176ca8f4e40e53fa3c783c534603ee393cfae3be5b14aeed5a180d34debdcd

    SHA512

    af89f6460de0c5357cf2671c61397bce054478679dc2f8332ec27c5be9b27cf2db550c44baa1e79ecc64dad2e0f553cdebe8f34db2e45d4dcded384896525432

  • C:\Program Files (x86)\agnkxbiknrfunocizxmszwjnuwz.rgz

    Filesize

    280B

    MD5

    28ab1a0448732b589aeb1585462466ec

    SHA1

    97da24709eac2be8081a8d311ac5f8046479f746

    SHA256

    b14de8f5482d56e992855e3ca6a6ae4ff1524772262464029f047512d3bbb17a

    SHA512

    e5dd5a68998bceb85f85de646b5e8f307413197c0f39ea4329fe99c3071d5870f2f40b26254df26a3677138795b1cbefaa55bb6fe0a1e756c1c3fea1253544d3

  • C:\Program Files (x86)\agnkxbiknrfunocizxmszwjnuwz.rgz

    Filesize

    280B

    MD5

    5de757bf55626379e960dda4ca692d41

    SHA1

    d194b815aea1449bf89cb518b4c774b281010bb9

    SHA256

    a8e5e147290118668a79ccdb31319e97e0445ce2c81171de43be74975faacf90

    SHA512

    ca4cc0907cd216c9f1769a36b28c0ea32d101677d9e345a3973e92e2107001f2fb0be8fe2704fbb2c309591e7f97f7ec3f70c5faea2ad26c62b08121f85c262c

  • C:\Users\Admin\AppData\Local\Temp\ygpodjs.exe

    Filesize

    720KB

    MD5

    bc03b2fe84cd76dc53479563ba174f10

    SHA1

    6ea8f58ad94621ace321e331e5e71a6c6eaf2de0

    SHA256

    2933d9147d02e9b9bc25d18884ae786607ff09fc1cb60daf910a4a7b53fdae53

    SHA512

    0b55bcfc8c3ee064d4195a643f4efb580c368121b4d80998f89b691fb477bb5a70baa1ef88370b617303ca29ec76f7c2525c20f8448f8459c01780039d1e5575

  • C:\Users\Admin\AppData\Local\agnkxbiknrfunocizxmszwjnuwz.rgz

    Filesize

    280B

    MD5

    abd2dfac4b0c785ab273ad93e9e8d5dd

    SHA1

    117b24e2e77c14d3dd52318ce614d5a4fc9536c2

    SHA256

    74ca838359bdf346ccc3340d6798822143602b35a668e740b50bff947e842b0d

    SHA512

    4c350dbdd6ea65d88a938a89660c3a91ecc79983cd6639eb5115b4d937c14024ecd1663ea4f99b80c49715dc03ce0f4fa066df3edd5af473384271529ebd000f

  • C:\Users\Admin\AppData\Local\agnkxbiknrfunocizxmszwjnuwz.rgz

    Filesize

    280B

    MD5

    2e86a2ff2639f7aeba37a39047430035

    SHA1

    852f8644fd5b8e2f1c5bff1a2ecf02f3a705473e

    SHA256

    c8bf583df5bf3b4e9862583e91abf8602232b3fcb2014e444ff94670a6eb9af6

    SHA512

    ad4a9100107a2f6287e8368af78fd6b1c21bc8609ef50a05948237f5f44a59d8a4a716feee79bcd1407c4b2b2266e2d38385328747a8823b3202edc0bdc7dfe0

  • C:\Users\Admin\AppData\Local\xogombtgujiimyxoqzzqiqodviwlkkoazqsbbs.sqf

    Filesize

    4KB

    MD5

    3635352cfe7dc9b0213c74a4d009ff86

    SHA1

    5e68f1adb0a904885a3cf96948a7ded2e76456ba

    SHA256

    27d308b48f9b37320e84382920a9136f677f8fec3c52097be5cc3365e1a50bdd

    SHA512

    b16bf48d5643966e8c4a6d1e3d95127e5b2909911851e4e50dce04f77248c4ff268307716c0bf1884430826903b36219c8e4cf55d62507e472c560041eb4b6db