Overview

overview

10

Static

static

3

ed511ce684...18.exe

windows7-x64

10

ed511ce684...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/09/2024, 09:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed511ce684eb3b3dd5f23d1d545120e6_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    ed511ce684eb3b3dd5f23d1d545120e6

  • SHA1

    41fda889ba4aeda72caeab2a6ee018bf9f2ff3b8

  • SHA256

    ed422a2cb60fdd4b402839b5bd6ab80f2a7e518b23733234c3bcc315375cfd06

  • SHA512

    604ec9b554a36a8a30060de9f479e2c7cff2e6ea6bf48b0d3e69a0259d8d5523defcfd70b712e6441b09ff690cddd86aedcd1853e51d2c7e76348d7f0da84e71

  • SSDEEP

    192:W80nffy32NaofZDm9fcfUX987PcImAB8uuNvf4YbZy/4aRBn6jCxKDI4CIlhJPH:W8eyGNaoQ9fRzRNf4KZrMWaiI4Tlhx

Score
10/10
evasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed511ce684eb3b3dd5f23d1d545120e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed511ce684eb3b3dd5f23d1d545120e6_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2436
    • C:\Windows\SYSTEM32\Netsh.exe
      "Netsh" Advfirewall set Currentprofile State off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2436-0-0x00007FFD699F5000-0x00007FFD699F6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2436-1-0x00007FFD69740000-0x00007FFD6A0E1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2436-2-0x000000001BF30000-0x000000001C3FE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2436-3-0x00007FFD69740000-0x00007FFD6A0E1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2436-4-0x000000001C4A0000-0x000000001C53C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2436-5-0x00000000012D0000-0x00000000012D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2436-6-0x00007FFD69740000-0x00007FFD6A0E1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2436-7-0x000000001E270000-0x000000001E2D2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2436-8-0x00007FFD699F5000-0x00007FFD699F6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2436-9-0x00007FFD69740000-0x00007FFD6A0E1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2436-10-0x00007FFD69740000-0x00007FFD6A0E1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2436-16-0x00007FFD69740000-0x00007FFD6A0E1000-memory.dmp

    Filesize

    9.6MB

    Download