Overview

overview

10

Static

static

3

d01b807594...18.exe

windows7-x64

10

d01b807594...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d01b80759402a4c6f5e8b610acc0e682_JaffaCakes118.exe

  • Size

    528KB

  • MD5

    d01b80759402a4c6f5e8b610acc0e682

  • SHA1

    3bd8f379b178333540077d478051a8b9421cb436

  • SHA256

    781445a71a9a94d19b25870851af0d4e8290ed0341a72aa6978adcd1a0fce873

  • SHA512

    5c4056a3b45c90c64a23a3207b8348e6b797add9ebbb5c8dc096f153aefa9abcf70b5f249280bd17b80c422b22b5e48398ca0bab63b47c69e087d90cdab21344

  • SSDEEP

    12288:uVV7Cg6GTkT6keQZqq3Q/Kg9Ok/FUsTyAOonF:u7H+hNZLQbVTyApF

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d01b80759402a4c6f5e8b610acc0e682_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d01b80759402a4c6f5e8b610acc0e682_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\abc1.exe
      "C:\Users\Admin\AppData\Local\Temp\abc1.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:264
      • C:\Windows\SYSTEM32\winlogon.exe
        winlogon
        3⤵
          PID:4872
        • C:\Windows\SYSTEM32\winlogon.exe
          winlogon
          3⤵
            PID:4636
        • C:\Users\Admin\AppData\Local\Temp\rundll32.eXe
          "C:\Users\Admin\AppData\Local\Temp\rundll32.eXe"
          2⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\MSNMessengerAPI.dll"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\system32\attrib.exe
              attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\MSNMessengerAPI.dll"
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:800
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\rundll32.eXe" "C:\Users\Admin\AppData\Roaming\rundll32.exe"
            3⤵
              PID:4180
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\rundll32.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3360
              • C:\Windows\system32\attrib.exe
                attrib +r +s +h +i "C:\Users\Admin\AppData\Roaming\rundll32.exe"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1664
            • C:\Users\Admin\AppData\Roaming\rundll32.exe
              "C:\Users\Admin\AppData\Roaming\rundll32.exe" new
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\abc1.exe
          Filesize

          332KB

          MD5

          99fcd0a304510e52fc20df8cd4971779

          SHA1

          706c4188ac5f2b3ec3794acc7cb527f4fb150e62

          SHA256

          665f893f3a8f6f82e795fdc619aa2a8af0333e7e12ef4bc43eca740411bbda18

          SHA512

          bf0b6828b86ff0018f485de49e23ebff0fa8ed90e1717461ec80bcf0f33a62b3b772a931902635f6093fe079e665adc5247fd46470d53a346c6ea93c0c0ac6ea

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rundll32.eXe
          Filesize

          152KB

          MD5

          49b1dfc49432bbe9b8a311113d20efd7

          SHA1

          79c030ae82d4b3a670b6bc1745c5bcba1a826172

          SHA256

          7bede7449f9c39ed911f8aef7fb1f13af8111cd630e9509a9e75a332f689e8fd

          SHA512

          963948b6ad785537c85798906635d1a3f670c2a88af3ace5259cf8443610d782f1d65dd36aa77c88032326fe23c287b67f0efe9bebd10c6dcb2f21a853d96f3e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MSNMessengerAPI.dll
          Filesize

          56KB

          MD5

          23eb031b6159df31ac9cb64fed550e73

          SHA1

          aaa8d925d7d9f94192b9b54589b948d61fb329a6

          SHA256

          eb454b56713fdf8003be674a7da3ea63c24473f8c6f6ee274ec8db55900f2732

          SHA512

          4263ece29f6dcd886d5da436653c2bf4f9ccca99aca364635ca672234efc49ec0a6317517687d9a349fc80e7a44e89133c00d9ad82ac515328f1283595eee985

          Download Submit

        • memory/264-56-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/264-39-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/264-38-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/264-35-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1784-51-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1784-40-0x0000000000DD0000-0x0000000000DE4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1784-42-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1784-41-0x000000001BE80000-0x000000001BEBA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1908-52-0x0000000001120000-0x0000000001134000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2624-8-0x000000001BF30000-0x000000001BFCC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2624-0-0x00007FFC0B625000-0x00007FFC0B626000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2624-13-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2624-12-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2624-11-0x000000001C190000-0x000000001C1DC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2624-10-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2624-9-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2624-14-0x000000001D0C0000-0x000000001D192000-memory.dmp

          Filesize

          840KB

          Download

        • memory/2624-7-0x000000001BDC0000-0x000000001BE66000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2624-6-0x000000001BCE0000-0x000000001BD16000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2624-3-0x000000001B120000-0x000000001B134000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2624-2-0x000000001B610000-0x000000001BADE000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2624-54-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2624-55-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2624-1-0x00007FFC0B370000-0x00007FFC0BD11000-memory.dmp

          Filesize

          9.6MB

          Download