Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 08:45

General

  • Target

    d5f9fa1a8dca5319432f51a5891f7794_JaffaCakes118.exe

  • Size

    7.1MB

  • MD5

    d5f9fa1a8dca5319432f51a5891f7794

  • SHA1

    2a937328f5b99eccb9b8c13ed71d6ffb9dff4521

  • SHA256

    18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

  • SHA512

    87013b63a9b153c5268784928394dfbf1eeff1b91eea6bdf187025e63d25c535e468e59a33f47d23682a386605bb314311e50a7edd1d6deb1b60f5008237a7d0

  • SSDEEP

    196608:TfavVYaolX+aFFLlPKQ8hY/RkQWslX4ge+:TiYaolrFFEHYu3sSge

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Zhen Executable 2 IoCs
  • Zhen Ransomware

    First seen in September 2020. Drops a ransom note as a .ini file.

  • Renames multiple (1884) files with added filename extension

    This suggests ransomware activity: encrypting all files on the system.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 7 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5f9fa1a8dca5319432f51a5891f7794_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d5f9fa1a8dca5319432f51a5891f7794_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\ProgramData\d5f9fa1a8dca5319432f51a5891f7794_JaffaCakes118.exe
      C:\ProgramData\d5f9fa1a8dca5319432f51a5891f7794_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:968
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM ora*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM tns*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM mysql*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM sql*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1216
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM postgres*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1032
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /F C:\Windows\Web\Wallpaper\Windows\img0.jpg
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" C:\Windows\Web\Wallpaper\Windows\img0.jpg /grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1716
      • C:\Program Files\Windows Defender\mpcmdrun.exe
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        3⤵
        • Deletes Windows Defender Definitions
        PID:2096
      • C:\ProgramData\x64.exe
        C:\ProgramData\x64.exe 04298718c4ed4c0a282605560f30b8f0::72a50cf6d7d1042c8b2514f9768fa499 cfad00e8748eaea::7e9372bd97ed3aec6 25427320e7f946c9::7c3a5807a37a26a9 39d6c0440ea63b::33854dce8ddd35e877 exit
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1052 -s 568
          4⤵
          • Loads dropped DLL
          PID:1092
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.zhen

    Filesize

    27KB

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML.zhen

    Filesize

    806B

  • C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png.zhen

    Filesize

    6KB

  • C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png.zhen

    Filesize

    3KB

  • C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png.zhen

    Filesize

    5KB

  • C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png.zhen

    Filesize

    5KB

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zhen

    Filesize

    12KB

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zhen

    Filesize

    8KB

  • C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png.zhen

    Filesize

    5KB

  • C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png.zhen

    Filesize

    5KB

  • C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png.zhen

    Filesize

    4KB

  • C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png.zhen

    Filesize

    5KB

  • C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png.zhen

    Filesize

    4KB

  • C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png.zhen

    Filesize

    5KB

  • C:\ProgramData\x64.exe

    Filesize

    423KB

  • \ProgramData\MSWINSCK.OCX

    Filesize

    105KB

  • \ProgramData\d5f9fa1a8dca5319432f51a5891f7794_JaffaCakes118.exe

    Filesize

    7.1MB

  • memory/1052-5860-0x000000013FD20000-0x000000013FE26000-memory.dmp

    Filesize

    1.0MB

  • memory/1052-5871-0x000000013FD20000-0x000000013FE26000-memory.dmp

    Filesize

    1.0MB

  • memory/2176-23-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/2176-5859-0x00000000055C0000-0x00000000056C6000-memory.dmp

    Filesize

    1.0MB

  • memory/2176-5870-0x00000000055C0000-0x00000000056C6000-memory.dmp

    Filesize

    1.0MB

  • memory/2176-22-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

  • memory/2176-19-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/2176-5840-0x00000000046C0000-0x00000000046D0000-memory.dmp

    Filesize

    64KB

  • memory/2176-5842-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/2176-5869-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/2176-15-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/2176-5868-0x00000000046C0000-0x00000000046D0000-memory.dmp

    Filesize

    64KB

  • memory/2176-495-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/3008-14-0x00000000038D0000-0x0000000004A1B000-memory.dmp

    Filesize

    17.3MB

  • memory/3008-18-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/3008-4-0x0000000000400000-0x000000000154B000-memory.dmp

    Filesize

    17.3MB

  • memory/3008-12-0x00000000038D0000-0x0000000004A1B000-memory.dmp

    Filesize

    17.3MB