Overview

overview

8

Static

static

3

d17dd5050c...18.exe

windows7-x64

8

d17dd5050c...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d17dd5050c9a4eec4903767376829500_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    d17dd5050c9a4eec4903767376829500

  • SHA1

    0b6599d18ffda4baa21f4bc09ae9e168d9eee802

  • SHA256

    2b64e39e9ab434dd665ac078b8626f093af9933d051972099f0a9599da1c5f26

  • SHA512

    45239813b612f821bb2491511fdeb77cd566851857c5dbf6f90191fe4a864eb5f23960f5a2b8c3f23ab01a50064e03a5b3e4409fe876306d8453f60a9b8c3476

  • SSDEEP

    24576:EInXgjK/K6dipju3/YQX24Fu+WqAH2k8bQpZrdETYl+nfTQxij6IbIcL:EINSRjuA02J0zbQLrdEi+nfTQxijnpL

Score
8/10
discoveryevasionexecution

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 27 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d17dd5050c9a4eec4903767376829500_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d17dd5050c9a4eec4903767376829500_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\install.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\sc.exe
        sc stop ctf32
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2712
      • C:\Windows\ctfmon.exe
        C:\Windows\ctfmon.exe /i /u /h
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2652
      • C:\Windows\SysWOW64\net.exe
        net start ctf32
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start ctf32
          4⤵
          • System Location Discovery: System Language Discovery
          PID:936
      • C:\Windows\SysWOW64\sc.exe
        sc failure ctf32 actions= restart/1 reset= 10
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2820
      • C:\Windows\SysWOW64\sc.exe
        sc config ctf32 error= ignore
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1296
      • C:\Windows\ctfmon.exe
        C:\Windows\ctfmon.exe /i /u /h
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1812
      • C:\Windows\SysWOW64\net.exe
        net start ctf32
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start ctf32
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1492
      • C:\Windows\SysWOW64\sc.exe
        sc failure ctf32 actions= restart/1 reset= 10
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1808
      • C:\Windows\SysWOW64\sc.exe
        sc config ctf32 error= ignore
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1512
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\ctfmon.exe
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1544
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h C:\Windows\syskern32.dll
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1016
  • C:\Windows\ctfmon.exe
    C:\Windows\ctfmon.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\clusio.sys
    Filesize

    310B

    MD5

    1fcf9ba087443dff8bea77207ee82653

    SHA1

    23b90c44e17d0296a481322a4bc497f39fc4388a

    SHA256

    d0228d2508e9187c56b9f0b032f6d28cc5cbb10667e1e12d9fa82f32ded7071a

    SHA512

    7427969b398e3080836e03f175bc017ee1bc55cc1023b7ce7218581b3ec6c75c9a4ed5d3ab2625a37b1a75c3c97561cd14bda4a96f0196ec3a55607cc39ae114

    Download Submit

  • C:\Windows\ctfmon.exe
    Filesize

    972KB

    MD5

    a97d57906b9427d2d76c1e24d8efc36e

    SHA1

    6d1fef4409bb45a3b03c4d8f1eb5faefcc9363d2

    SHA256

    71f870d447bd74419d718e28c9ed8a3c3a47e9f0ff8f852cb8790903e5d5d50a

    SHA512

    ccb1e1fd83e5d22bfab061373308918d533041b92b46d768e0b410074fafa0893cc8c63a021eeb6ba97f42becbdce8666a60166a588d2340896855d9d22b77ab

    Download Submit

  • C:\Windows\install.bat
    Filesize

    575B

    MD5

    25536ecd5e85d2e751c50d9fc448d5b1

    SHA1

    7950fc3f1ba078147844b1157ff9c62ddaabf887

    SHA256

    4e87787cf54db726dc00b9b5ed90f09cb293d81fb3a1b0af160a8674970c92d2

    SHA512

    b695f588d9bb64d4df4a7be1981fc644cfabb5967ac4427548a7746ca9f57cddecaf2512daf67d917d2d31f4e32a0116b834ff88675c7cce93f1088e1397c1c1

    Download Submit

  • C:\Windows\jerltybit.crt
    Filesize

    973B

    MD5

    7b8fa286633f087b2faf9a9584dcc72a

    SHA1

    d1845d794abc47f610e88aecdc55b7fb31cecfc8

    SHA256

    015c0cdeb93d4b5ed1c7ee1719be6136eaf871dbca5f9fc7c24492093e6b1712

    SHA512

    9756e14708d370ad20f4ad8ff8cc8f739e5575d7a6049fa6fb1af8936e43d764ffc2fb5cf515e127a2644329b4bd953a6237294e8c60097f5800f6b639cf63b6

    Download Submit

  • C:\Windows\libeay32.dll
    Filesize

    828KB

    MD5

    672fe0788779d4b30b8bec4efb32352e

    SHA1

    52f9eaf79480602759961346beac9489a6b4a13f

    SHA256

    b23cdd7e1189750e3b68edfa2402b00bb92a8a9fe303ad44cab4a33f07d957b8

    SHA512

    50d8fbb0564642ded75818c5fdbf52e1783e7707afcc4f9f44959b81be7cfe3c210b93d2e563738b94ee53d88132700e090678402527c38d9a2b0cf13afb9d66

    Download Submit

  • C:\Windows\rasptq.sys
    Filesize

    1KB

    MD5

    8dd2f2a1e98900b79d67541f7656873a

    SHA1

    65e6035530cbc8b19deb6dd678fa64cd6552dc5e

    SHA256

    26e6462fed6f154a3e09a17338249af30feab16a9636560c5d7e31f6cf566704

    SHA512

    408a5ffee18e437cced77ee9cd76884ce909bb92f7fd4b0262c52a1c79165055f4020966a74bd09d4046e770b0a324f3d13cc66e1b5eba72bef9a83d387bcef8

    Download Submit

  • C:\Windows\regedit32.key
    Filesize

    963B

    MD5

    2293486183632e8634aa30a1798bc5e7

    SHA1

    6a75bae4369c16450858ace07d66d30f5a0532b2

    SHA256

    1eb5b1f5a0c14f2602c61179c275b1e30059eb3c69e48821aeb44d4f06395576

    SHA512

    b332f40791897b4dc3d83b267c9405da35cbebc521cabc2fc76bb906f45355b20d37696fee91d5b139f88aeba92364fda720b167bc6399078a2903a842bd1bac

    Download Submit

  • C:\Windows\ssleay32.dll
    Filesize

    156KB

    MD5

    fc7aff0c5c8d6ef7b24d6e73c754f8d6

    SHA1

    87a9b952f7ed5883b21bad39c40d3b6cc58df3f2

    SHA256

    c53e0fb93cee6cc865a109f7447c92020f3c05684507b93a763a1e6f77b2bd20

    SHA512

    4e049ad03e65cb1d4a57c8e6c1c33cb882df69deafa89af5f23437886a611eb02d4fea6d7ca4d2b0a42892e821711fcae6cc1ab65714f307dbff945e5e68b563

    Download Submit

  • C:\Windows\stc64.bat
    Filesize

    114B

    MD5

    df01a7d9e6b061814a003672acfa0c21

    SHA1

    065ed753b19efd9d28b264c394b3d6601c6d7a67

    SHA256

    055738e2e2573f643980c409300ac1b9a71405a44f09060b55c9f2116c2f9b32

    SHA512

    769b624f064f1d3a73040a954e49df1bf1eb47b400a2664ea89cc6fec211f8ed154d2965e6d4c36833ab7c09cba4f821711620dd68e329dbe2b6f8f260c7a15d

    Download Submit

  • C:\Windows\syskern32.dll
    Filesize

    454KB

    MD5

    03864469e5c2d96bff8449dfdb6354c7

    SHA1

    92583155a4a54f5a8e91123c6a7942991431a6d2

    SHA256

    47be46532fcd21449ecfab8b9409fa62994f89a7cd6f230e168045a5192557a3

    SHA512

    e1afdfc0ef5024467bf96cd1163e5490b9597ef65990a3b8085ebad4aa94355930614b137fddd5715ee0219e869e4f404816803c9afab38f4c8cdc295d7bd972

    Download Submit

  • C:\Windows\syskern32.dll
    Filesize

    454KB

    MD5

    334007bd9b8317ab78aaedb31d4b3d43

    SHA1

    54e667825bed7f54b13596cd74bd86ccb4fb142f

    SHA256

    4e23aebb8d9e54a9356b5fa895e79d5172b0d966ecc7c4939eee33fb0b0bb1f4

    SHA512

    fb697a63f50f526424135b4fd5bbb7839decc604f7ad36751cf1167ecb23c7625614f7e3d86f7de76c81c4ac2db9c3f4d848f3811536c47d4a38600c68e9c844

    Download Submit

  • memory/576-230-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-90-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-210-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-207-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-208-0x0000000010000000-0x00000000100D2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/576-209-0x00000000034C0000-0x00000000034E7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/576-206-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-219-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-224-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-202-0x00000000034C0000-0x00000000034E7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/576-227-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-213-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-233-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-236-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-239-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-245-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/576-242-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/1036-32-0x00000000024D0000-0x000000000285D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/1812-195-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/1812-197-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/2644-91-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2652-73-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-62-0x00000000025A0000-0x00000000025A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-60-0x00000000024D0000-0x00000000024D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-59-0x0000000002510000-0x0000000002511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-58-0x0000000002550000-0x0000000002551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-57-0x0000000002540000-0x0000000002541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-56-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-55-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-54-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-53-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-52-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-51-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-50-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-49-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-48-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-47-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-46-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-45-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-44-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-43-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-82-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/2652-86-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-85-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-84-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-83-0x0000000003340000-0x0000000003343000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2652-87-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/2652-88-0x0000000000360000-0x00000000003BA000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2652-61-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-64-0x00000000025C0000-0x00000000025C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-65-0x0000000002570000-0x0000000002571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-66-0x0000000002580000-0x0000000002581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-67-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-68-0x00000000025B0000-0x00000000025B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-69-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-70-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-71-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-72-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-74-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-75-0x0000000002520000-0x0000000002521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-76-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-77-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-78-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-79-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-80-0x00000000024F0000-0x00000000024F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-81-0x0000000002530000-0x0000000002531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-63-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-36-0x0000000002490000-0x0000000002491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-37-0x00000000008B0000-0x00000000008B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-38-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-39-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-40-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-41-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-42-0x00000000024A0000-0x00000000024A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-35-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-33-0x0000000000400000-0x000000000078D000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/2652-34-0x0000000000360000-0x00000000003BA000-memory.dmp

    Filesize

    360KB

    Download