Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09-09-2024 13:53

General

  • Target

    d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

  • Size

    145KB

  • MD5

    d672b3a0263bddfa358dd126702b5bf9

  • SHA1

    8eb2e79eb7dd7370ddb4a3c46fe85c39cf5f8937

  • SHA256

    055c6ad96af409328ebe9a4e8ff7189e3a986508d32a2950223d6a1bc4afe98b

  • SHA512

    82b1b9d54a9383b6e829d51e278f765d9489a426d98095cff821e2e9a57bb54079aed4aec830be87aa6f18f35aee41737967b389c0b08cce84ed2c71d14fe0cb

  • SSDEEP

    3072:knN5HYBvjr5SM/yv7VDVKMOQg5H1i8fZ5Ys+iyXFm+GqVphIw:kNC5P5SwQDVKM0H1i8fZ5YxXFm+T

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs

    Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
        • Executes dropped EXE
        PID:5104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2296
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
    PID:3124
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1840
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2072
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    1⤵
    PID:2344
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    1⤵
    • Enumerates connected drives
    • Remote Services: SMB/Windows Admin Shares
    PID:4356
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    T1070 Indicator Removal: 1
    T1070.004 File Deletion: 1
  • Discovery
    T1012 Query Registry: 5
    T1082 System Information Discovery: 6
    T1120 Peripheral Device Discovery: 2
    T1614 System Location Discovery: 1
    T1614.001 System Language Discovery: 1
  • Lateral Movement
    T1021 Remote Services: 1
    T1021.002 SMB/Windows Admin Shares: 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    Filesize: 33KB
    MD5: 7e379619ddab7417a5b3a8a73b2c1177
    SHA1: 5a3977aff043e26f75ae369e8aaa3f9fd3b5c450
    SHA256: a02d3199707b973a3ebaa57b957ef9ea605a1998b844ede23289cd39a28a28a1
    SHA512: 518db5b4bbaddc942110819b7a23145355b00c73fd02be2e4767835f35eada059e3aabe1565491b1efc5130344f6ddfd509f8719c3d824c27a0caad854d4bfe2
  • C:\Windows\explorer.exe
    Filesize: 4.6MB
    MD5: 30decee483a8196b30643ec6a453a7de
    SHA1: 92266131aff3595c5a95d3aa23c9e40c85d5f982
    SHA256: 3dc254ad131a691acb1f9e3a5bb5ca5b3ea891869e516f4b3580ea4fcfdf2e76
    SHA512: a8f370c060223d4c2985ac16e78547779e584020e95428e85b497464fc487611d7b080908f904c11aa93bc7b56ec102845fbb6554d97dcba7fdc856c93087f00
  • memory/2232-0-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/2232-1-0x0000000002160000-0x0000000002177000-memory.dmp
    Filesize: 92KB
  • memory/2232-25-0x0000000002160000-0x0000000002177000-memory.dmp
    Filesize: 92KB
  • memory/2232-24-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4024-34-0x00000271D8D60000-0x00000271D8D70000-memory.dmp
    Filesize: 64KB
  • memory/4024-40-0x00000271D9340000-0x00000271D9350000-memory.dmp
    Filesize: 64KB
  • memory/5036-21-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/5036-32-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB