Overview

overview

10

Static

static

3

ee81a9efbf...18.exe

windows7-x64

10

ee81a9efbf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee81a9efbf5b2983dae5260844943b73_JaffaCakes118.exe

  • Size

    270KB

  • MD5

    ee81a9efbf5b2983dae5260844943b73

  • SHA1

    33785cac32bfe4a65e6d503eee1de42b3fa07020

  • SHA256

    d41164fe5c0091f51baf9abef94f3d1828f52458b3ff4fa31d7163ff94d83597

  • SHA512

    d140f46773b4c5cd0839de74e3a77730e7ef3927c87d37de5b6dbcf5da2cb3101fb62f158b233078c074e84c8411a26fba542939adff351b72d4886e5140b071

  • SSDEEP

    6144:yyZcAuFcCf38XolyxnDFJ6V1vSmgKBw83Yjf3DfTc8sqWVWg37XG1:/TOcCf6yJgKH3YfrfW0gy1

Score
10/10
adwarediscoveryevasionpersistencestealertrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee81a9efbf5b2983dae5260844943b73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee81a9efbf5b2983dae5260844943b73_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aramatk.msi" /q
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5AB3C5304414370E3F38FC4205232EE
      2⤵
      • UAC bypass
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer start page
      PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57691d.rbs
    Filesize

    11KB

    MD5

    2abf58d2592712fa8f0a5269ead79bbf

    SHA1

    29d5da93888f202d2cab5cfa7234cb5a97ec5f82

    SHA256

    aa782bf3372bf060f5a8354de2a41fd9cbb85bbc5306061abf06fb53723eda22

    SHA512

    b8cd764add7b0afdd556446d75c87e2f173efec19f58f0ae011af286e90a1b8e54173205c29d12ab56a1c85464d6cb866fefc4c5e16a53be370127a9592ec856

    Download Submit

  • C:\Program Files (x86)\Internet Explorer\Internet Explorer\gvdde.dll
    Filesize

    41KB

    MD5

    1d7b7a38b63ca00a58a6ef4adb4c1f5e

    SHA1

    236769db9bac48aec397014e8bcf7f3742611f50

    SHA256

    6afe2f564782c1e533c06d58d4e21daa24de52f8f443945ef2d5778b9495d7ba

    SHA512

    9ec715507af2b6efb159d04dcb2cef3a383823fbcde832a48da00ae2dd87564a630bb60fb670ee535235ac5aaadf6c320214fd5810bf47dfe7e0a20835df7174

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aramatk.msi
    Filesize

    387KB

    MD5

    8846cbcefa11ba6a233dda825d94ac15

    SHA1

    87d31bdb20142a8fa226755583901613940bcb50

    SHA256

    76bb8b2f3b7e5e3310422360f2dafa2a1bc0c3d746a37fd3422640e51b9206bc

    SHA512

    2ac2bd61cf6464c3a93b0747562c1f8ffc3183fbaf1c1b603516ab82491fe371af566f8afe5bf664dd2f54444c9e20232e9eb1f42585127288a3b04425eeed28

    Download Submit

  • C:\Windows\Installer\MSI69D6.tmp
    Filesize

    209KB

    MD5

    f6a25d999d9d84f6675e1756da57f3f0

    SHA1

    1a33d32feb96730824996b59d5ba38446ae5d609

    SHA256

    21100a197e3674e9f68a5dd92ed14a15c1b86611bf7003021cb35beaacf23032

    SHA512

    b2fa4013eecd0747e6f7575058140e95a0755030b58156c9c3246cddb62ff141342872b900ba01e4b2551a6f495f414410dc24ff32ed2e7109c21f038a9dbfa0

    Download Submit

  • C:\Windows\Installer\MSI6C3A.tmp
    Filesize

    54KB

    MD5

    4b6f4f52de80f1a7890c9bd0a7cac5e3

    SHA1

    e45efe29240c68452730fc32327eb3048a162e2d

    SHA256

    2b0f0ef5f0b1421bac638768b590cf1824a8407b47bbcedb5eba48c736b61155

    SHA512

    bd8930de68b070eb8e4d50665fd604e84f587f2dffc5bbbc5d96a70877ffcac8ddfc180449b3aa048acda698d98495c87a30adb88bb94d537135336636afbff4

    Download Submit