Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-09-2024 05:37

General

  • Target: eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
  • Size: 480KB
  • MD5: eaaf3988264b057be42263710a154c02
  • SHA1: cad262d73d16977be6af22824016b2d7a85dddb0
  • SHA256: 0d39657bb20e582a5108850e936d8a093c89ed598e76cd461a69cb4986372472
  • SHA512: 635590875cce0a170d29a36095ebebacb113b789df46136b4446d1365962e56559afb42edd77e13a158ecc727d0ba1960598291d5a02c95df84c36933878abe9
  • SSDEEP: 6144:lj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion/Rh:t6onxOp8FySpE5zvIdtU+YmefbRh

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 26 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eaaf3988264b057be42263710a154c02_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\wxiozfmpghs.exe
      "C:\Users\Admin\AppData\Local\Temp\wxiozfmpghs.exe" "c:\users\admin\appdata\local\temp\eaaf3988264b057be42263710a154c02_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\poyeis.exe
        "C:\Users\Admin\AppData\Local\Temp\poyeis.exe" "-C:\Users\Admin\AppData\Local\Temp\bkeuicqhziflbmcn.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2620
      • C:\Users\Admin\AppData\Local\Temp\poyeis.exe
        "C:\Users\Admin\AppData\Local\Temp\poyeis.exe" "-C:\Users\Admin\AppData\Local\Temp\bkeuicqhziflbmcn.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:3048
    • C:\Users\Admin\AppData\Local\Temp\wxiozfmpghs.exe
      "C:\Users\Admin\AppData\Local\Temp\wxiozfmpghs.exe" "c:\users\admin\appdata\local\temp\eaaf3988264b057be42263710a154c02_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: c547fd2e550d9e73c2e9194519947ffb
    SHA1: e44e20cdc051f5b69241dbde0bec21da24189ec6
    SHA256: eaca235016412114ec9253b419badcbe3df8cafdd936b6534262c1d4a07cb8d6
    SHA512: 1f6e74638f0c037eac1d1922b9a7ada3fa7bd6c61ff78faaf39fc9e036c666d65d7193c193188b5661addd5b32247a462a0b1c7c3500aaafe678bc20997bd27f

  • C:\Program Files (x86)\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: a6ab83d7b1b2645d2eeea0b0f370376e
    SHA1: b1a40f7c26e228ffdbaafe7391a37bf274f5775f
    SHA256: 1b294c44231dfcb2b332591294c4d81944c49510b1bcae7124e55144ad80610b
    SHA512: a4319e0fd56b82081278b268c2bf3b8466d8ebc7a99971fe30705bbd1c310852eff5f89df9dcbd10456e8a669d20c4e114c6d4311e5b44ae6907e0229f3aeb1d

  • C:\Program Files (x86)\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: c7ce17013d5c1c7ab9ead53ae1f4c89c
    SHA1: 9d74b30c0a65f5be4b078e95a6c74206ab5e353c
    SHA256: f57edfc226c991ce7b898abf41a78b812d52f4957707f7e3a7a83da012865c36
    SHA512: 0238703a6fa9543af35ea47c48a773da33d67ec5324b4bab2146393a47261ecea5b4d4f65e1b7a3e3e12244ea147675fefc79334e10f2f30496dcf44fd8afbb2

  • C:\Users\Admin\AppData\Local\Temp\poyeis.exe
    Filesize: 696KB
    MD5: e37497a003b3aa6f63db0c9923f157aa
    SHA1: 6e84d3904107438c2e3760187ffad60c60dade54
    SHA256: 4704255cc5e2ce794591bfbbfc13b8ae713afae3802faa61bd709a977a0aa259
    SHA512: e705e2c084635920bc05b0d4cde365c4e2b2587a9865aecff15fef7ff7fefed790c36c2a9afec771241e63f7684580b8de5ec6b07640207ee6f6bcc34efebb62

  • C:\Users\Admin\AppData\Local\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: c8ce0e901825eb07ecaabaae871c43cc
    SHA1: f26e2f43f57cb2f39187b279be6b24888d588a89
    SHA256: a5d5b75ae529e9a994f160a62a98951b45be54fe727b73243cca24abb44d7f4c
    SHA512: d966ed97fc0cb8984929ef6a00d2177e65b328a2b3d7824a874e285e89adf33c1d183d9f7e859a3da7ec304fd145039008c000d98cc455822dab9983251a66cf

  • C:\Users\Admin\AppData\Local\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: d3a717abcb87c8da13b0010d8698d1e8
    SHA1: fd2f0d120eb87b8537bb73495006e9bc30e94857
    SHA256: bcca44837a3c4c57400474b0d2ca0811ae5b30a4ba4242f73cb13966617a46bb
    SHA512: f5b774de4530ff957099ef1daa45bdc89aae8fd12454a0f30a140d1e7f2db652a717d9c65ea42800e9258c706b0791a49ec659e2f26ea19980c71ee520c45067

  • C:\Users\Admin\AppData\Local\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: 4e0e29ebad3bba1319a7bb9a65e08be6
    SHA1: 081d5dc45d524370851e86867b4270dcd5671437
    SHA256: 5cf619aff5b892c86862671741fa11cc9de6605d28f144eaa14779ec2e2266e3
    SHA512: bb0e6d81ca38970a571d9d046ecb0c7e4f76a15680c4553eda9c8fea8ba25d0220da9bd14da6ffa61ac60deecb107d4e3696144a2da06b5f726f87497eb85400

  • C:\Users\Admin\AppData\Local\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: 68376bb3fc9b687d2e4dda44a872ede3
    SHA1: b69db7ef93e47874c179e1cd4f62341a91837881
    SHA256: 7706407f2200e61d89647620b515ac3ae3497263a499519f70d112cd6d8a25fc
    SHA512: 662297764ee9be38d936d3c1a286530413d3ef9319b907b6aaed571429ead5ac7b69a70b02a92c62913ce7f26edf103e49d38c2d46cf957e9997ba19e37386e8

  • C:\Users\Admin\AppData\Local\fyccaecdfyfvvqqlhzfycc.ecd
    Filesize: 272B
    MD5: f2bc958b5bfafcc07ffd5999d1db9988
    SHA1: 38944230e5968369a60c806cfdb02bd0f3a74b41
    SHA256: d924930c836a20bf7cee6c14045cff75cf470eef1700721dda6eb25af9581851
    SHA512: 46cb5585b64df4417d171ee2399bc40aa1c760a4e32747d379de3a547c48b8cba82dc34b378749152066fa55d0f2b0d4a19faf53d72b115460f1f810d3272ec6

  • C:\Users\Admin\AppData\Local\wapajyhtgkcdouflsvmqfqzoxjwastekv.ilc
    Filesize: 3KB
    MD5: 277cb6f077a45f43bd2c358a1784a29a
    SHA1: 395494ab1ea468af46c1c70a96ca01c3fd6dc4fc
    SHA256: d0f439efac578e56746c8956c638ed35dd0d275775f67d091d3be25651a896db
    SHA512: 8393eb4fc184ab4b967842e7018ed12b9af600edb0254c74609b8e5ae42ad5f7ca71c6028cd4b0567cae05729a83a7c4f92481307dda1bc45f0673f1c046ff1e

  • C:\Windows\SysWOW64\rcyqgcslfqpxpcuhvf.exe
    Filesize: 480KB
    MD5: eaaf3988264b057be42263710a154c02
    SHA1: cad262d73d16977be6af22824016b2d7a85dddb0
    SHA256: 0d39657bb20e582a5108850e936d8a093c89ed598e76cd461a69cb4986372472
    SHA512: 635590875cce0a170d29a36095ebebacb113b789df46136b4446d1365962e56559afb42edd77e13a158ecc727d0ba1960598291d5a02c95df84c36933878abe9

  • \Users\Admin\AppData\Local\Temp\wxiozfmpghs.exe
    Filesize: 320KB
    MD5: 5203b6ea0901877fbf2d8d6f6d8d338e
    SHA1: c803e92561921b38abe13239c1fd85605b570936
    SHA256: 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
    SHA512: d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471