Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 14:42

General

  • Target

    e2b9bc2b9df69c9817b2b0247043545c_JaffaCakes118.exe

  • Size

    359KB

  • MD5

    e2b9bc2b9df69c9817b2b0247043545c

  • SHA1

    b9f34acf8cf4326f0519f6025c61f7e00a981521

  • SHA256

    5e02f9eb337fa199f0d89267296b27f45836f5e99c97039125f9f0de2971b684

  • SHA512

    f5530d4326b2760b175f0a46b2e94afac7797b7306090e95360bd4fc5ec02264b909ea38e2651407b5736b1e16a19adf91afaa151aff5a5476539e6f364d3762

  • SSDEEP

    6144:E0bLC5mxx8eYNgOJrIMmFSwL9qhjom0sBe3w:EWuSlYNjrv8SwL9VmTgg

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (514) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2b9bc2b9df69c9817b2b0247043545c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2b9bc2b9df69c9817b2b0247043545c_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe
      "C:\Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "e2b9bc2b9df69c9817b2b0247043545c_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\e2b9bc2b9df69c9817b2b0247043545c_JaffaCakes118.exe" > NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "e2b9bc2b9df69c9817b2b0247043545c_JaffaCakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:364
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B03A98FA-E25E-4D1C-A3E4-68B5627E8F4B} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe
      C:\Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:552
    • C:\Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe
      C:\Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:1020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\verclsid.lnk

    Filesize

    1KB

    MD5

    31e9a9719a8484935178b6016703c567

    SHA1

    8a178376be4b91588f99e974fdd46bc1bd111a69

    SHA256

    844eb4906847f1221ac485fe04c4a5cdd96e13c1e9a496e88e6e192d10478b93

    SHA512

    36c5e5a738a775ecddb6ebd0551e541c899c5ccc8705f22ba455c34c7443f41a5377a3ade305d0b441b3db28ae891732c50dea4410011a7e3e574f6caf4086fd

  • \Users\Admin\AppData\Roaming\{E63A1DE5-8546-65B9-59D5-B92AE75C293A}\verclsid.exe

    Filesize

    359KB

    MD5

    e2b9bc2b9df69c9817b2b0247043545c

    SHA1

    b9f34acf8cf4326f0519f6025c61f7e00a981521

    SHA256

    5e02f9eb337fa199f0d89267296b27f45836f5e99c97039125f9f0de2971b684

    SHA512

    f5530d4326b2760b175f0a46b2e94afac7797b7306090e95360bd4fc5ec02264b909ea38e2651407b5736b1e16a19adf91afaa151aff5a5476539e6f364d3762

  • memory/552-24-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/552-27-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2256-0-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2256-11-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2256-10-0x0000000002710000-0x0000000002788000-memory.dmp

    Filesize

    480KB

  • memory/2836-12-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2836-16-0x0000000002990000-0x0000000002991000-memory.dmp

    Filesize

    4KB

  • memory/2836-18-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB