Overview

overview

10

Static

static

3

ee9208d33c...18.exe

windows7-x64

10

ee9208d33c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    ee9208d33c6c8d478aab9acd914cc4b4

  • SHA1

    7e754aea7fecc1d4e6ee9c39894bdffb2d783358

  • SHA256

    faee5f2aa358d90460ec781a79c7a42abd0e39d33987c8964e05f5e5f3f88334

  • SHA512

    2fd1c320abab018f5c4c6cfb2dc31734aa85cd6c10f83f5a645905cbe13354cc368a11ff67f959c5dfa4a5b6ade199d9e368a6e017e0c235226465733ddb89cf

  • SSDEEP

    1536:92tqbVCAuhkNSAF3V06X7Yvco1l6O+9K5ipE6amZ6dED4LTVz4k:9D9EC46X7Yv/YOb3MyEDqTF

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee9208d33c6c8d478aab9acd914cc4b4_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Program Files\Common Files\System\commond.pif
      "C:\Program Files\Common Files\System\\commond.pif"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$c7B89.tmp.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1648
      • C:\Program Files\Windows Media Player\svchost.exe
        "C:\Program Files\Windows Media Player\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\Deleteme.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\System\commond.pif
    Filesize

    78KB

    MD5

    0083ac3f9a4485c6ab4f15ae7de011c6

    SHA1

    a461c464e7f3406a6937445aebfb27eef410b8cc

    SHA256

    f30f1323384118b14c3b4c453f408856b8b0de99a2b8de50744293dad599538f

    SHA512

    5d71a2db4c8e1abcfcb7e379747e7ce78ebb5a52c4a82699d40243439e1f0b393d47ced8ddb692a61f47fa569e9e64479ad72ac745cd36b0aa0136c313b14abe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\$$c7B89.tmp.bat
    Filesize

    189B

    MD5

    d876629ee2f37f8decc36106cf4b307e

    SHA1

    f492cee34f3873cad35ce4779379c2bdfea5ba31

    SHA256

    1dc91fac2c0045b1343083d2cdaf621ddeb4c16843a9f79dedffe21a782d8ec8

    SHA512

    6f5c77391cac3c666c47baa1ca926c2d6d486b58bc84062d1f0b7d3209f8a6db1e7dbbd5dfaa6f9c175749757fc63caee69041e7acd5982e445c6ff9eeea210a

    Download Submit

  • C:\Windows\SysWOW64\PDLL.dll
    Filesize

    58KB

    MD5

    e71c1aa947ab8a64006e6d598bb0a546

    SHA1

    37d52aff9e88548a164917d37a1e26e61e5343ef

    SHA256

    eb73fd9c39c21ec47474f99ac5fe4a10811b267c2bd0a1e4da3097488bc39093

    SHA512

    323879061f3702671ec09ed364ea314616cbb318a261753607aebeaed834e337c1dd947cfc35c812e311f1163f30a8a7c89ce01b02508ff3807ea86077f52cc2

    Download Submit

  • \??\c:\Deleteme.bat
    Filesize

    212B

    MD5

    f34bfe2b47edd57aa798a83720606c21

    SHA1

    03efb3b3e3c6030137b58a915bafd12c2ea0e22e

    SHA256

    3fa56a3584b3f1f663e38371c6e76e3fbf0dcaa0d12a8cdcc28cb0169a9174e5

    SHA512

    6cb06833e430dce94e55883b1db1fefdd60fdc1c36e1ba25f631937276d60f439e5c20aafc523b707cef6cf17b71b68bbd13cb74ae9af767f3bbe5798b719b38

    Download Submit

  • memory/964-28-0x00000000027E0000-0x000000000282B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/964-29-0x00000000027E0000-0x000000000282B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/964-39-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/964-38-0x0000000000590000-0x0000000000592000-memory.dmp

    Filesize

    8KB

    Download

  • memory/964-37-0x00000000027E0000-0x000000000282B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/964-27-0x00000000027E0000-0x000000000282B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/964-36-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/964-25-0x0000000000590000-0x0000000000592000-memory.dmp

    Filesize

    8KB

    Download

  • memory/964-30-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/964-19-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1660-8-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1660-10-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1660-18-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1660-11-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1660-9-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1680-2-0x0000000012760000-0x000000001279A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1680-34-0x0000000012760000-0x000000001279A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1680-1-0x00000000004B0000-0x00000000004B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1680-0-0x0000000012760000-0x000000001279A000-memory.dmp

    Filesize

    232KB

    Download