Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-09-2024 10:37

General

  • Target

    da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe

  • Size

    191KB

  • MD5

    da293fbfe127cef0a67607e4113e2276

  • SHA1

    38ec2a9b15825f6037fa1f640f41aedacc0da89e

  • SHA256

    2751ffc40e29cde0dc8ff2c99bf40ebd191011215be95539d8cb3dcdd38483be

  • SHA512

    12d60a2c9051c626efe0c24c97508786afdb6f9f6907721d1bc386f98ee1bbd3d3977b05f381115df98c7c0814bf5be5ce9bc53a3d9360a30f9c08c0f207e6eb

  • SSDEEP

    3072:y04gFmx6HgZ6mBsN7foc2GOfAD5In+Y8CQdwvj8C9jtq3Sm3j5n8s2x3Ws0L3amh:ogFmx6Hmcwc2G/9UHtBjg3SOjYWj2aK

Malware Config

Signatures

  • Event Triggered Execution: AppCert DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls are loaded into every process that calls the CreateProcess family of APIs, and each such DLL must export CreateProcessNotify; the rundll32 invocation of getmskey64.dll,CreateProcessNotify in the process tree below matches this pattern.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\getmskey64.dll",CreateProcessNotify
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259435278.bat" "C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe""
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2128
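The following PowerShell script is an added triage example for this report; it is not sandbox output and not part of the sample. It enumerates the AppCertDlls registry key that the Event Triggered Execution signature refers to, flags any entry that is unsigned or whose SHA256 matches a hash from this report, and checks the two drop locations (System32\getmskey64.dll, SysWOW64\getmskey.dll) named in the Downloads section. The hashes come from this report's General and Downloads sections. The script assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt; the report does not show the registry value the sample wrote, so the script inspects every value under the key rather than assuming a name.

```powershell
# Added triage example for this report: hunt for AppCertDlls persistence and the
# dropped DLLs listed above. Run elevated; requires PowerShell 4+ (Get-FileHash).

# SHA256 values copied from this report's General and Downloads sections.
$KnownBad = @{
    '2751ffc40e29cde0dc8ff2c99bf40ebd191011215be95539d8cb3dcdd38483be' = 'dropper: da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe'
    '5914e26e3b3fc5f58680b50af6cbf566780517ae6c81aac864380eda6f83149f' = 'System32\getmskey64.dll'
    'b561ff6cb2623dfe6a376236d1aeac0f0111a4e6abe4eee18f6cf04c08f8c5eb' = 'SysWOW64\getmskey.dll'
}

function Get-Sha256Lower([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
}

# 1. Enumerate AppCertDlls. Every DLL listed here is loaded into each process that
#    calls CreateProcess* and has its CreateProcessNotify export invoked.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path -Path $AppCertKey) {
    $props = Get-ItemProperty -Path $AppCertKey
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip them.
        if ($p.Name -like 'PS*') { continue }
        $resolved = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if (Test-Path -Path $resolved) {
            $sig  = (Get-AuthenticodeSignature -FilePath $resolved).Status
            $hash = Get-Sha256Lower $resolved
        } else {
            $sig  = 'MISSING'
            $hash = ''
        }
        $flag = if ($KnownBad.ContainsKey($hash)) { "KNOWN-BAD ($($KnownBad[$hash]))" }
                elseif ($sig -ne 'Valid')          { "SUSPICIOUS (signature: $sig)" }
                else                               { 'signed' }
        [pscustomobject]@{ Value = $p.Name; Path = $resolved; SHA256 = $hash; Flag = $flag }
    }
} else {
    # The key is not present on a default Windows install; any entry deserves review.
    Write-Output 'AppCertDlls key absent: no AppCert DLL persistence registered.'
}

# 2. Check the two drop locations recorded in this report.
$DropPaths = @("$env:SystemRoot\System32\getmskey64.dll", "$env:SystemRoot\SysWOW64\getmskey.dll")
foreach ($path in $DropPaths) {
    if (-not (Test-Path -Path $path)) { continue }
    $h = Get-Sha256Lower $path
    $verdict = if ($KnownBad.ContainsKey($h)) { "MATCH: $($KnownBad[$h])" } else { 'present, hash differs from this report' }
    Write-Output "$path -> $verdict"
}
```

A hash miss on a present getmskey*.dll is still worth escalating: the file names and the rundll32/CreateProcessNotify pattern in the process tree are the durable indicators, while the dropped DLL's bytes may differ between builds.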

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259435278.bat

    Filesize

    75B

    MD5

    5027450887d9ba84e74a9594d7250c54

    SHA1

    95ed4b37d75cc2db22514a1046ff9f04c66cd0eb

    SHA256

    43aa98cf0b9e5d5de2e5626799e03c7af69a64ba7ea9906b31b0d807b7a2592d

    SHA512

    0c915d8bc1be976281033cfc53abced4d567ccdcfc471642bab24a5c336046166bda823c7e4f83727aeaa180fce6f15ac37abb8acc358587a46856c34741bc8b

  • \Windows\SysWOW64\getmskey.dll

    Filesize

    55KB

    MD5

    8d5add4097a742837ec101015cf23354

    SHA1

    386c2c3994f64551dbef069a78220e4968105105

    SHA256

    b561ff6cb2623dfe6a376236d1aeac0f0111a4e6abe4eee18f6cf04c08f8c5eb

    SHA512

    31302754f99f6101518633e7566d05b14ef9c4d88233ce11c19e1bb92cfaba2e172d4cd835eabc687ba6bbd1f45702de8c782fbd84e1f2451a3a09de6d1a510f

  • \Windows\System32\getmskey64.dll

    Filesize

    61KB

    MD5

    cde6aca8ce75c23e287b04f634cb652a

    SHA1

    6320d03cd7124cd98d81bf9f10812db1689b9843

    SHA256

    5914e26e3b3fc5f58680b50af6cbf566780517ae6c81aac864380eda6f83149f

    SHA512

    aca6895f9e0072370ff63d0bfadd819db4e1f3b52ad59053036fdddd460ef324256631030c8b18e541847e236b52be2041c131c80f8fc3a1dae6c5c4e87f40c2

  • memory/1212-34-0x0000000180000000-0x0000000180015000-memory.dmp

    Filesize

    84KB

  • memory/1212-29-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

  • memory/1688-7-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/1688-0-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1688-24-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/1688-23-0x0000000001000000-0x0000000001032000-memory.dmp

    Filesize

    200KB

  • memory/1688-6-0x0000000001000000-0x0000000001032000-memory.dmp

    Filesize

    200KB

  • memory/1688-1-0x0000000001000000-0x0000000001032000-memory.dmp

    Filesize

    200KB

  • memory/2128-42-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2696-22-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

  • memory/2696-40-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2696-43-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/3068-21-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

  • memory/3068-27-0x0000000180000000-0x0000000180015000-memory.dmp

    Filesize

    84KB