Overview

overview

10

Static

static

3

ec84d2f901...18.exe

windows7-x64

10

ec84d2f901...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 00:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe

  • Size

    576KB

  • MD5

    ec84d2f90193a2217ed2ccd2feec9d4b

  • SHA1

    907e912ecf8e741b6ef6bcf190d157c4b52f1994

  • SHA256

    0a8a9b0025e81b6188a01e87638c65d0d7da274a13e8b3c678f0398f3c7e8331

  • SHA512

    e96762edac1f78603c88a31a83334165fcd229aa5e320e93f29833fb6c3e7c0fe0009bdf330db45015585ab6cfc38edceeabeb4598c76595cf37282afbe52a7d

  • SSDEEP

    6144:A1QMivgpQ25+yApTCg3cz6ufWeLuIrybTQg9o214QTB2I/51pftDKHpDbU69SWvT:wQMiG+2gef5x/xQTB2OfDKC7Wgcxp

Score
10/10
defense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • UAC bypass 3 TTPs 13 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 26 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
    defense_evasion
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 60 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\ilpzxhicsvz.exe
      "C:\Users\Admin\AppData\Local\Temp\ilpzxhicsvz.exe" "c:\users\admin\appdata\local\temp\ec84d2f90193a2217ed2ccd2feec9d4b_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2800
      • C:\Users\Admin\AppData\Local\Temp\vbftr.exe
        "C:\Users\Admin\AppData\Local\Temp\vbftr.exe" "-C:\Users\Admin\AppData\Local\Temp\sjyxgvofwirzixap.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:656
      • C:\Users\Admin\AppData\Local\Temp\vbftr.exe
        "C:\Users\Admin\AppData\Local\Temp\vbftr.exe" "-C:\Users\Admin\AppData\Local\Temp\sjyxgvofwirzixap.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1264
    • C:\Users\Admin\AppData\Local\Temp\ilpzxhicsvz.exe
      "C:\Users\Admin\AppData\Local\Temp\ilpzxhicsvz.exe" "c:\users\admin\appdata\local\temp\ec84d2f90193a2217ed2ccd2feec9d4b_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Safe Mode Boot

1
T1562.009

Modify Registry

5
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    807faa32cba5ecf6ab004bcb7a72f4fd

    SHA1

    2d7d46de97454908de7f05a947ec08c2f8573998

    SHA256

    0041d90f6f9ce17f981d12e107f6115ee30784d234ae5fc9ac7a65458ce1c7c5

    SHA512

    e6a96f22f71c694b553bd8e65ca1a259c3a6b145c5a53d4d7509b5e8a524d9f41ba5ad7c0dfbfaf30e34dbb5110e5a31ef7265ceabc70d0f032997c77f58370d

    Download Submit

  • C:\Program Files (x86)\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    a73508a353b66ed6011effea88dae6d7

    SHA1

    c01082eeafd699254855a59e3726c69f4be5e5d8

    SHA256

    7b64c1631b81e05269dd62c692543caa279db80a85b44d3eb6581272c8ccb3aa

    SHA512

    d68977b541c854e63b9e0af0b42941c88f60266e05d77fbf08fbe0426daccfeadbe4140a3ad5cf116bfed501891d24d1557ed680ec00c11e4e2398a4fe09b032

    Download Submit

  • C:\Program Files (x86)\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    2c3a5cf02b617e8c1002e1c5566e8d26

    SHA1

    ef9315c31a69ca2d4c38627af73a72c533f53cbf

    SHA256

    9c8aba8591b12d9d16665f93879a7b299d3fd29f419cc13206f2fc3f9569abcb

    SHA512

    5925ad387317b9af91f2ec93a0dbd2ac99451196b2e0df356b8bf402ccb0a5447a0d0dbf84e494e94ae680e0994a424792dc47700e148d29928aaa87ad670cd9

    Download Submit

  • C:\Users\Admin\AppData\Local\kxiditiviqvzepozbwsfqlqbqdqydhmxwh.ean
    Filesize

    3KB

    MD5

    e1b2e7727ce982e88be705a763109aba

    SHA1

    a5e314031ecd0ac7b2e86625b6dda4379e6c8d77

    SHA256

    dce1cc8e394583cf53fa0081594f7a1612d8c34200d322eda35e599d429c7a46

    SHA512

    6db701956d7f3f2d236da6b410b9744fc854ee450d31e7fbefaaafad03798f277529a41e857e821db9e5a7ba95e40901499538b8e9f2ca49a28eb76b4a345465

    Download Submit

  • C:\Users\Admin\AppData\Local\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    46fc9e1978a2309f79f11335c0407ec7

    SHA1

    ba8c0c49729d94bcce7c293572c10315e6074107

    SHA256

    7916ba55da2955f3097b47a46f17f5006a6d46af1d58f0defb208dcb26e45b36

    SHA512

    f6aa11537084cf62ed3c1de1d2a6205e76a81b32c826e24dcd6f13edcb597854c3cfce30257abc9498cee8e6e9f767b3fbd1fee0441a10a82c996f34e7b78f04

    Download Submit

  • C:\Users\Admin\AppData\Local\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    a1fdf27c703a7a6c0a295f6ec5dbe0ea

    SHA1

    36e63855e0fed49b4870294b0d76e1411cd56ce4

    SHA256

    d11d4f503d3f8d348dfecba1ab11339b14f016ec3204dd4dbcfa8ae93ac7a55f

    SHA512

    bdf1989cb83b37f9c5776467739c6f7fed2e457d0801d03af888a094028b94a61f8d16ddfbf232832c000029e2f3c22c848105f12479762092a3e42ee6c355e1

    Download Submit

  • C:\Users\Admin\AppData\Local\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    19612b39b3b48c0b77e79ec3c669daf6

    SHA1

    b8f3337cd677a72f48d80b92c78a7299bc63b484

    SHA256

    5be521f247b5a0aeaadc81f4ffc170240c75cb35eefdcd7bdbab075d98c0a116

    SHA512

    aea275cefbb1f184c2fee0a33aeae06c6d106985f6255fb2afe9f871e6bc71bae30bbfa5fdc11e0df1ac2a9a234f47c787686504806d2b5041480b1114b893d3

    Download Submit

  • C:\Users\Admin\AppData\Local\xzzjddhjlicvppddueprrbv.zbd
    Filesize

    260B

    MD5

    41493eb57144da0e14d1b4a59c1672cb

    SHA1

    8cd13928b4092def15dec21500abcf494c84f553

    SHA256

    d3297f28b12e759eb6cde1445e2ac4ec9bcffaabf31089756ae196baaa1eb7a5

    SHA512

    f99dc0721f690df1cf3de6dec1739a7c7b9b3cd9e5110bb9abc9f7327daf24818ab4aadb1d0737956cb61aef1323bd3e50babe3c870d9cbcb0e6cecd9b649777

    Download Submit

  • C:\Windows\SysWOW64\ibstevqjcqblwnsjrs.exe
    Filesize

    576KB

    MD5

    ec84d2f90193a2217ed2ccd2feec9d4b

    SHA1

    907e912ecf8e741b6ef6bcf190d157c4b52f1994

    SHA256

    0a8a9b0025e81b6188a01e87638c65d0d7da274a13e8b3c678f0398f3c7e8331

    SHA512

    e96762edac1f78603c88a31a83334165fcd229aa5e320e93f29833fb6c3e7c0fe0009bdf330db45015585ab6cfc38edceeabeb4598c76595cf37282afbe52a7d

    Download Submit

  • C:\sdmfirepag.bat
    Filesize

    492KB

    MD5

    0c1c7173326003282084a4e7e8be5fa9

    SHA1

    e9fd2a062aa4b7c5bf387e51147a0319d6df8865

    SHA256

    bc5ee41d77f7c6239728b9cc76930236682899067ae8f5a8d4bacf3701657ec3

    SHA512

    ed5a1dd3c336ccdd2d122349443cc63a8e0fabe07609f2dc9387feb62cd41a45d84d0959b89b4426e9093d0aee13804e820075c980c6d6db57360f983fe613c4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ilpzxhicsvz.exe
    Filesize

    320KB

    MD5

    304415df6ad55a90301aa8158e5e3582

    SHA1

    cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

    SHA256

    34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

    SHA512

    4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vbftr.exe
    Filesize

    712KB

    MD5

    077be19c1ce80014640cef3f63b17df5

    SHA1

    2ac9e3dd52e91bd2a758e7728ab06a305cfa0229

    SHA256

    ea74a18dd9345fcb2b8849aa3bfe897bac1e3f4ed3890ec5c3900045b5715160

    SHA512

    096f2dc8a0b5b8138d62aa937aeea021b5b9329e149af9007791e86fed2d71d9faacc217d5983ebb9ef67dc99e3fd73894951c7bde89ea57b18a45f2c42d77a0

    Download Submit