Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 19:09

General

  • Target

    d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe

  • Size

    60KB

  • MD5

    d6ee0a7dac7ed714119fb57cb2c84e71

  • SHA1

    4bf82701562eafd234269b47de50d597a91b275c

  • SHA256

    bedd016728ae3519e42317b52a7e0992d1d3b77131aded5aecb1531f32b7b5cb

  • SHA512

    a0702df5c4c08516ee714a8f30ab01691a3c511c4e6d6f125b25bd1ea0c7b46d22e59ebc8777d41b4b51774aeca7ef513f17a4870eb3eb74ef1232eaaf0275f1

  • SSDEEP

    1536:n5qHQFzgTJreVntraXMjC230u/m5B2ex2GNpYYR9uL:n5qHQFzJ8Y30ISxtH3

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d6ee0a7dac7ed714119fb57cb2c84e71_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Program Files (x86)\360Safe\LSPFix.exe
      "C:\Program Files (x86)\360Safe\LSPFix.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Del.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2556
    • C:\Program Files (x86)\360Safe\360safe.exe
      "C:\Program Files (x86)\360Safe\360safe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\lpmqjcath.dll Start
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\PROGRA~2\360Safe\360safe.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D6EE0A~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\360Safe\LSPFix.exe

    Filesize

    9KB

    MD5

    5a20d75fb0c6243004c28a32b10c1f9a

    SHA1

    c15459d529b74bcab11dc6f9d0799deaba5666d7

    SHA256

    509f52cf2f4cd6bce012bf14fe90b8ab3fec4133802516d49d2571d096df442c

    SHA512

    b9bcd15eedf51db9320542c89c3dfe62492c60e99e80b2ab41b275fc8cc08abb69db20dacf40ce19907082ae930ee50c5215bca406473903726dddad5f8fc4eb

  • C:\Users\Admin\AppData\Local\Temp\Del.bat

    Filesize

    289B

    MD5

    bd9ee3b37c080a816c49de5c01c24d74

    SHA1

    2ea1c9ab889389ed0a3f376e50c7ff2f93e47c24

    SHA256

    dba03ec1089be1c764e6f3a9787c7996e96fbd056abc2b4e3906c1670dacbb09

    SHA512

    81d75be9ed8f36cf591842f62e4ac5ef1b9178ae461a177145cf46b52769daa79717f6f8e0b76221873c88b2fb940a3ffb58cbc8142d7f93e3c1860fdcc0aaf3

  • \Program Files (x86)\360Safe\360safe.exe

    Filesize

    156KB

    MD5

    9c3263a4e82aa62df5b86eb0a1dae5bb

    SHA1

    de7585b23aba1846ceb64ad36e05a79249262389

    SHA256

    cd5982a6b3c0010d70d76fbce9315a79490572026fb4810b29d170fb253a466e

    SHA512

    be19242bde337dce0156bc8054424e12cdd673e8c6e501d2324ed509b6201f68171beac9b783063dbbeea5ba0459da25f836e96f2fa99528b2d263cfbf554b9e

  • \Windows\SysWOW64\lpmqjcath.dll

    Filesize

    64KB

    MD5

    4e9ad126b4dfbc4e5675adc1952a88a0

    SHA1

    625b3d4388c2d99393256ac7aed9e0169b5f9d2d

    SHA256

    8e63217066afa9b52ae644da2d4e41c9c50c40659cf24ec2a36778917376d167

    SHA512

    1e6753b78d23591909a41065d65ff2e4dbf7be29616ebe49c7d64a4881a4cbe6fd24703a4f7c4d0f6d29d8dfcc39b58ab94f8bb049edc82d5ad651a1c479945b

  • memory/1276-33-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2820-42-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB