Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25-09-2024 15:44
General
-
Target
f655af8f16d632c0eba6b1db3a9e9432_JaffaCakes118.exe
-
Size
731KB
-
MD5
f655af8f16d632c0eba6b1db3a9e9432
-
SHA1
31a98d1bd57cbec161e67476a8fdd428028fe6d1
-
SHA256
0f181c8e8d91368485686a7cd3e58ceb3676562882ea25cde566a3da1a9c5f15
-
SHA512
42e8822429fac23c67736753d9d137c846367c9850119fbbbaa870f9f177c4e109b9022635eb9473d5c6d68aeb5042a9b96d4747b695578f5a0b7ed560198aad
-
SSDEEP
12288:Jaingtd/9iCpVEZxzraxdUdpmwFmjnDgGeIttwoPR5pWZhAIRXHYnrmo:JaigD/ArravUdswwnlFttwYQRXHYrmo
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f655af8f16d632c0eba6b1db3a9e9432_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f655af8f16d632c0eba6b1db3a9e9432_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
780KB