Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20/09/2024, 04:48
General
-
Target
ecdec207d42d3576b5c02563d08c106b_JaffaCakes118.exe
-
Size
38KB
-
MD5
ecdec207d42d3576b5c02563d08c106b
-
SHA1
8f0e9cc51d7315bc7b65bb0b5b8042dac70b5042
-
SHA256
aa6f8416b5fba396fdc835a73a1a985aedd136d444edeaa49d54249fdc6c6aaf
-
SHA512
3efb7d60d85022f44b18bc580a7dcf02d81f2f2ff06b96bd392baa0a4c7d884935f603df1f59a5388d54a832d0d69156d209c4190bc876c47790554a35da4a79
-
SSDEEP
768:5A6cObHTNNT6iAdd+WttpaX8rPiwzImZIiWIEnYP4u7anY:53c4z7g/+0pb7iw0ibE64VY
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecdec207d42d3576b5c02563d08c106b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ecdec207d42d3576b5c02563d08c106b_JaffaCakes118.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ecdec207d42d3576b5c02563d08c106b_JaffaCakes118.exe"2⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1AppInit DLLs
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD519aea6f1bcd8651b20056518802deda7
SHA1f488be9dda6c80e283c843169f49abc0c73f900d
SHA256742a3429917f7a9b7a64fc97d47d4d21337f0aafc60dae06f6f2098e5692ea84
SHA512ff41e0ec5cbfd821f3babf903b34ccec546e74844068d600bc334086da5e5b16c4667f0114c88ceab8d8fc1d2f2344021f3fb293abc4a5758cdf9e6ebe413b1b
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
152KB
-
Filesize
152KB