Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 02:07

General

  • Target

    d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe

  • Size

    476KB

  • MD5

    d57d5ea560e477737a2b9fe8a55733dd

  • SHA1

    a2cf9826288e15d2107acd5ffc444665bd65cd36

  • SHA256

    ae4ad56a5e8cf751b1b792e78060de75430f19024fe95356b0baa6cc9ca9b3ba

  • SHA512

    64d9c51b7374b1a41606f711c5840d13f10cf5b9be0f61d17ba7a9e974c908c80b574794a3d4258588ef667188eaece130b4b4307782c4615b55cfb79228ba4d

  • SSDEEP

    6144:E8X8RUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU9j1:nsRy+ZyYpaCDJFuPyAHcqrUR

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 60 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe
      "C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe" "c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2760
      • C:\Users\Admin\AppData\Local\Temp\nmyynn.exe
        "C:\Users\Admin\AppData\Local\Temp\nmyynn.exe" "-c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1408
      • C:\Users\Admin\AppData\Local\Temp\nmyynn.exe
        "C:\Users\Admin\AppData\Local\Temp\nmyynn.exe" "-c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2032
    • C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe
      "C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe" "c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ewbucvrxtigqfvcdvnfkd.eag

    Filesize

    120B

    MD5

    1a3d3794d5e4c656ca5006827720bb24

    SHA1

    8e83c7b53c9996501cb6a34af2723b567a686cbc

    SHA256

    9fee40dcf486b6fd140fb6170a8b418af22ea9aa50da3b9b8befe0c871cafcc7

    SHA512

    d9e7ae82c004dd4a34b30c14a5c98f1b50461645a2dd30c39a0d732e28236386899daa23730e36873c14188615f62db5d37dab4ded75b82f0b0572d84557d209

  • C:\Program Files (x86)\ewbucvrxtigqfvcdvnfkd.eag

    Filesize

    120B

    MD5

    a1146153a663f734408680fecf09ce04

    SHA1

    b58645b1304f7b098d47bf41aa694309b464ac99

    SHA256

    89d24b65b3b9256f2b8be4e07b31bac0d327e32b0951a92291edccd37c9c57cb

    SHA512

    0b850bc4c7b891dd3b9a7391a36751cfa9eaee397484c6929c98df6eadbe4c1c65fc592f7ed560313fec90a96cdf5bf2003e8ea9eab6c9ad5de59a0ae7cc5e76

  • C:\Program Files (x86)\ewbucvrxtigqfvcdvnfkd.eag

    Filesize

    120B

    MD5

    55f56caf04dc348a8e75f20b95a3d103

    SHA1

    46653ac2b4a0490853b8e5260b2bb7fa1a3bd7e3

    SHA256

    4ed233e3b2cc3ca7d1e8f8a1e576e77b34ac53389f723afb93847b0d82df0c49

    SHA512

    d4bbc379edad5cdaebe8d79c2537075f5e57f24134d8a20ffd5028f0a3f870154717a409374b855b83473511546d3aa1a8c761b3ff3aaadd1e240c8d2a67857b

  • C:\Program Files (x86)\ewbucvrxtigqfvcdvnfkd.eag

    Filesize

    120B

    MD5

    25d1796a69b29b5d4a628545a3e30e96

    SHA1

    e9ca16003975274695140fb8332ca1e4761e5dfc

    SHA256

    66bdaecffd7f101c988fd035490e98aa79ea131797370d30c711ec8783547d5b

    SHA512

    4a53e4df58403f472a487a775ceff74985a97e14f78d6854afa84895684b991d90adc512ad33103f6880a874698cab27757693e555fe0ecbbf936f82dccf8d58

  • C:\Program Files (x86)\ewbucvrxtigqfvcdvnfkd.eag

    Filesize

    120B

    MD5

    d2387a7834389c069e476d4a0c94824c

    SHA1

    87f672538591db304913e66e2d102478dc28c599

    SHA256

    5f6f90c91e542b34cfb1593e2d9855104c7b65bde5cbc0004ba8cebfaed8fd0f

    SHA512

    38093707845cffa05ed02571bc35482af3aff6a61ed68f65635945c0b8bd5b73ae217efa4c00b8c2fe21191da1bfcce1805d298cb58141880b1d67319d2da328

  • C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe

    Filesize

    308KB

    MD5

    85cb856b920e7b0b7b75115336fc2af2

    SHA1

    1d1a207efec2f5187583b652c35aef74ee4c473f

    SHA256

    6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

    SHA512

    120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

  • C:\Users\Admin\AppData\Local\ewbucvrxtigqfvcdvnfkd.eag

    Filesize

    120B

    MD5

    cf9ca4771e273bc754565dc5e6dfb1ff

    SHA1

    7fab41d234267fe5b82283146ea9ff048655c292

    SHA256

    9ed3c123a95a0a7ea5beff83409357395fb92e9d42e853ae7ccc7310be2c6634

    SHA512

    e03b35a811ae27fa0584ae311120ef653ffbfe100a964c5f3b6a39f6b6af79eff387a9d3fcfb8a058d8bce775e8bd3f371fb6147c8d6140402416ea797f73101

  • C:\Users\Admin\AppData\Local\zcswptaryyhccdvhknqgkdhofmmvqqrj.ybe

    Filesize

    3KB

    MD5

    8639bc2547618ff36ff2db4f497a88b0

    SHA1

    bceb7e30aa3edadbb33eb382352dcc7d511d3430

    SHA256

    720f87e89b8b7426fd9dbb8774b08c9dac5303b0f5b79e33d2b31bf0a439019f

    SHA512

    10131de36a9b4288b7c7fb4e8c95f56f4e8a0e6e5d2dca402f89d77588fc2ad21ee2bd14528f6e670eebb60cd7c19cf458ab3770d92efe7d7067c209335ff731

  • C:\Windows\SysWOW64\payklxmlaizckttnyj.exe

    Filesize

    476KB

    MD5

    d57d5ea560e477737a2b9fe8a55733dd

    SHA1

    a2cf9826288e15d2107acd5ffc444665bd65cd36

    SHA256

    ae4ad56a5e8cf751b1b792e78060de75430f19024fe95356b0baa6cc9ca9b3ba

    SHA512

    64d9c51b7374b1a41606f711c5840d13f10cf5b9be0f61d17ba7a9e974c908c80b574794a3d4258588ef667188eaece130b4b4307782c4615b55cfb79228ba4d

  • C:\pqegxzet.bat

    Filesize

    480KB

    MD5

    4d0235c1e5e6ee44c046496a45c81d85

    SHA1

    028e2c85674549125a29daa4bcea29ee6a2470ea

    SHA256

    c7926b7f8bba918be71715dee451335819676bdd22be8c2dd71326749f0427bd

    SHA512

    e9234b37f779d2499f0b5bb4fe3910ffdbf331fa9b7fa2292bc5b22de0fad12be2d6970a54d8ccdf0c74897e6e7e084d60798fe0ac24c77cf686745a2b7da07c

  • \Users\Admin\AppData\Local\Temp\nmyynn.exe

    Filesize

    684KB

    MD5

    c77df82d2a4514706e8db758b5da21fb

    SHA1

    4a78c45a004ee0ec39f7c5b1c153f1d9e91d1af1

    SHA256

    cde2442d69c2a170f2a1af075f62197187bf4d119c2eb2cb5dab09c1a95ece32

    SHA512

    ee438cb5172d4907e51d0a4876a97fb3044cde664059b37e917f15c818a6926012c0014befe90ca369b7f19714ee1492a14035e0ee73d5ef1e979d94ed2111de