Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-09-2024 00:44

General

  • Target

    fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    fb317b990f2f41f7de3a4be4d67db9b2

  • SHA1

    3890c26a6052090c88c953b01a69b7e19439442b

  • SHA256

    5d779261d7787da657d9e77b3dee4a4371f3f5432592ad8c60e8863209f2285c

  • SHA512

    c9efcca432a770e06877d51f4fec58412a569c9ee5a335d2d5ff6b2f1c9185b8a6e5cfb7e1ee279401b8716f71be996633bc87b2f420c64c21441b7539094986

  • SSDEEP

    3072:m6cpbetNSe92q0158JUMD3cvC5qrI/q07:m6cBetke92q458qYKCwrR07

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe in a way the sandbox associates with privilege changes. In this run the only account-related net.exe commands in the process tree are net user and net localgroup administrators, which enumerate accounts and the local Administrators group; no command that adds a user or changes group membership is recorded, so verify before treating this as an actual privilege grant.

  • Blocklisted process makes network request 4 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

    Flagged on avp.exe. The only file it writes under the Windows system directories in the dropped-file list is C:\Windows\SysWOW64\EventSystem.dll (61KB), which rundll32.exe then loads by its TStartUp export; the name is chosen to look like a system component, so verify the file hash rather than trusting the path.
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by their intrusion activity. In this run avp.exe twice spawns cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q to remove its own binary from disk.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempts to gather information on the host's network (arp -a in this run).

  • Network Share Discovery 1 TTPs

    Attempts to enumerate shares and mapped drives (net share and net use in this run).

  • Drops file in System32 directory 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information (reg query of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer in this run).

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempts to find local groups and their membership (net localgroup administrators in this run).

  • System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

    Attempts to gather information about the system language of the victim in order to infer the host's geographical location. The 50 IoCs come from this check firing on almost every process in the tree, including stock utilities such as chcp and find, so treat it as a weak signal on its own.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempts to list the host's active network connections (netstat -ano in this run).

  • Discovers systems in the same network 1 TTPs 1 IoCs

    Lists hosts visible on the network (net view /domain in this run).

  • Gathers network information 2 TTPs 3 IoCs

    Uses command-line utilities to view the network configuration (ipconfig /all, netstat -ano and netstat -r, the last of which runs route print).

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Opens file in notepad (likely ransom note) 1 IoCs

    NotePAD.exe is launched on C:\Users\Admin\AppData\Local\Temp\VMvareDnd.log. The "ransom note" label is a generic heuristic for notepad launched by malware; this report records no file encryption, and the rest of the tree is credential and host reconnaissance, so the label is not evidence of ransomware on its own.
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Users\Admin\AppData\Local\Temp\avp.exe
        C:\Users\Admin\AppData\Local\Temp\avp.exe
        3⤵
        • Server Software Component: Terminal Services DLL
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1200
        • C:\Windows\SysWOW64\NotePAD.exe
          NotePAD.exe "C:\Users\Admin\AppData\Local\Temp\VMvareDnd.log"
          4⤵
          • System Location Discovery: System Language Discovery
          • Opens file in notepad (likely ransom note)
          PID:4216
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\system32\EventSystem.dll",TStartUp 0x11
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:5072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4564
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4768
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3320
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2056
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3432
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:3176
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3564
        • C:\Windows\SysWOW64\find.exe
          find "REG_"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4484
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1508
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3260
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2980
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1752
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4632
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2064
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4788
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:1424
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -ano
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:3560
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          • Network Service Discovery
          • System Location Discovery: System Language Discovery
          PID:2796
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -r
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:3664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2852
            • C:\Windows\SysWOW64\ROUTE.EXE
              C:\Windows\system32\route.exe print
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3436
        • C:\Windows\SysWOW64\net.exe
          net start
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3780
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3440
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo n"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2784
        • C:\Windows\SysWOW64\net.exe
          net share
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1804
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1068
        • C:\Windows\SysWOW64\net.exe
          net view /domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:2496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5076
        • C:\Windows\SysWOW64\find.exe
          find /i /v "------"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4132
        • C:\Windows\SysWOW64\find.exe
          find /i /v "domain"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:792
        • C:\Windows\SysWOW64\find.exe
          find /i /v "¬A╛╣"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3828
        • C:\Windows\SysWOW64\find.exe
          find /i /v "░⌡ªµª¿"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3396
        • C:\Windows\SysWOW64\find.exe
          find /i /v "├ⁿ┴ε"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2384
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1848
        • C:\Windows\SysWOW64\find.exe
          find /i /v "completed successfully"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1364
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
    1⤵
      PID:2888
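The ghi.bat branch of the tree above is a textbook discovery burst: one cmd.exe (PID 2156) fans out into net, tasklist, systeminfo, reg query, ipconfig, netstat, arp and route within seconds, while avp.exe deletes its own binary and loads a dropped DLL through rundll32 by export name. The script below is an added example, not part of the sandbox report or of the sample; it runs the two checks a detection engineer would write against process-creation telemetry. The event fields (ts, pid, ppid, cmd), the constructed sample events (command lines copied from the tree, timestamps made up) and the two-second/five-command burst thresholds are assumptions.

```python
"""Flag the discovery burst and dropper/self-delete patterns from the process tree.

Added example, not part of the sandbox report. Event fields (ts, pid, ppid, cmd),
the sample events and the burst thresholds are assumptions chosen to mirror the tree.
"""
import re
from collections import defaultdict

# Discovery commands ghi.bat ran under one cmd.exe parent (all appear in the tree).
DISCOVERY_RE = re.compile(
    r"^(?:net\s+(?:user|localgroup|start|use|share|view)|tasklist|systeminfo|"
    r"ipconfig|netstat|arp|route|reg\s+query)\b",
    re.IGNORECASE,
)

# Single-event indicators lifted from command lines in the tree.
INDICATORS = [
    ("rundll32 loads EventSystem.dll by its TStartUp export",
     re.compile(r"rundll32\.exe\s+\"?[^\"]*EventSystem\.dll\"?,TStartUp", re.I)),
    ("self-deletion via cmd /c del <exe> /A /F /Q",
     re.compile(r"cmd\.exe\s+/c\s+del\s+\"[^\"]+\.exe\"\s+/A\s+/F\s+/Q", re.I)),
    ("executable launched from C:\\ProgramData\\Application Data",
     re.compile(r"^\"?C:\\ProgramData\\Application Data\\[^\"\\]+\.exe", re.I)),
]


def normalize(cmdline):
    """Drop the image path and .exe so 'C:\\Windows\\system32\\net1 user' -> 'net1 user'."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            end = len(cmd)
        head, rest = cmd[1:end], cmd[end + 1:]
    else:
        parts = cmd.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    head = head.rsplit("\\", 1)[-1]
    if head.lower().endswith(".exe"):
        head = head[:-4]
    return (head + " " + rest).strip()


def discovery_bursts(events, window=2.0, threshold=5):
    """Return {parent_pid: [commands]} for parents that spawn >= threshold discovery
    commands inside any `window`-second span. Both numbers are assumed tuning values."""
    by_parent = defaultdict(list)
    for ev in events:
        cmd = normalize(ev["cmd"])
        if DISCOVERY_RE.match(cmd):
            by_parent[ev["ppid"]].append((ev["ts"], cmd))
    hits = {}
    for ppid, items in by_parent.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[ppid] = [c for _, c in items[i:j + 1]]
                break
    return hits


def indicator_hits(events):
    """Return [(pid, label)] for every event whose command line matches an indicator."""
    return [(ev["pid"], label) for ev in events for label, rx in INDICATORS if rx.search(ev["cmd"])]


# Constructed process-creation events mirroring the tree; timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": 0.0, "pid": 408,  "ppid": 1944, "cmd": r'"C:\ProgramData\Application Data\wmimgmt.exe"'},
    {"ts": 0.5, "pid": 1388, "ppid": 408,  "cmd": r"C:\Users\Admin\AppData\Local\Temp\avp.exe"},
    {"ts": 0.8, "pid": 1200, "ppid": 1388, "cmd": r'C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul'},
    {"ts": 0.9, "pid": 5072, "ppid": 1388, "cmd": r'rundll32.exe "C:\Windows\system32\EventSystem.dll",TStartUp 0x11'},
    {"ts": 1.0, "pid": 2156, "ppid": 408,  "cmd": r"C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat"},
    {"ts": 1.1, "pid": 2908, "ppid": 2156, "cmd": "net user"},
    {"ts": 1.2, "pid": 3320, "ppid": 2908, "cmd": r"C:\Windows\system32\net1 user"},
    {"ts": 1.3, "pid": 2384, "ppid": 2156, "cmd": "net localgroup administrators"},
    {"ts": 1.5, "pid": 3432, "ppid": 2156, "cmd": "tasklist"},
    {"ts": 1.7, "pid": 3176, "ppid": 2156, "cmd": "systeminfo"},
    {"ts": 1.9, "pid": 3564, "ppid": 2156, "cmd": r'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"'},
    {"ts": 2.2, "pid": 1424, "ppid": 2156, "cmd": "ipconfig /all"},
    {"ts": 2.4, "pid": 3560, "ppid": 2156, "cmd": "netstat -ano"},
    {"ts": 2.6, "pid": 2796, "ppid": 2156, "cmd": "arp -a"},
    # benign control: an admin running a single ipconfig from an interactive shell
    {"ts": 9.0, "pid": 7001, "ppid": 7000, "cmd": "ipconfig /all"},
]

if __name__ == "__main__":
    for pid, label in indicator_hits(SAMPLE_EVENTS):
        print(f"PID {pid}: {label}")
    for ppid, cmds in discovery_bursts(SAMPLE_EVENTS).items():
        print(f"PID {ppid} spawned {len(cmds)} discovery commands in one window: {cmds}")
```

Against the sample events the burst check fires once, on PID 2156 with eight commands, and stays silent for the lone interactive ipconfig; the three single-event indicators fire on PIDs 408, 1200 and 5072. The burst threshold matters more than the command list: any one of these utilities is routine on a workstation, and it is the fan-out from a single non-interactive cmd.exe within seconds that separates this batch from an administrator at a prompt.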

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\ProgramData\wmimgmt.exe (started in the process tree as C:\ProgramData\Application Data\wmimgmt.exe; "Application Data" under C:\ProgramData is a compatibility junction that resolves to C:\ProgramData itself, so both paths name the same file, and its hashes below are identical to the submitted sample, i.e. the sample copies itself there)

      Filesize

      160KB

      MD5

      fb317b990f2f41f7de3a4be4d67db9b2

      SHA1

      3890c26a6052090c88c953b01a69b7e19439442b

      SHA256

      5d779261d7787da657d9e77b3dee4a4371f3f5432592ad8c60e8863209f2285c

      SHA512

      c9efcca432a770e06877d51f4fec58412a569c9ee5a335d2d5ff6b2f1c9185b8a6e5cfb7e1ee279401b8716f71be996633bc87b2f420c64c21441b7539094986

    • C:\Users\Admin\AppData\Local\Temp\INFO.TXT (this path is captured four times during the run, at 43B, 13KB, 22KB and 37.6MB; the growth is consistent with the batch collecting its command output into one staging file)

      Filesize

      43B

      MD5

      9f8713aff6dc4949d0dcf7869a488a12

      SHA1

      83529c6bf10be34c28615d988c4147493cc66607

      SHA256

      f1a58d2b6c8377fcc07081342bfd0bf6c394abe39b1575d6983bd30f716e6fec

      SHA512

      98005207c23cbb927eea0ee745b631413ca466dc89c8ea74af8ca228a209d835681c5c80a4c9e762b4decd3d53047d27e4063c6b42ac0da8d03628ebb80e923a

    • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

      Filesize

      13KB

      MD5

      e1a35f0d4632bd995f4c15ad445486c4

      SHA1

      717937a4ee56fef14db294a57638d3b43b03cb9a

      SHA256

      5cb33132eb4ea417e58385392ce67e681e71879f788cd49f18c51eb16f9c4466

      SHA512

      e74d19cb5601903bd60b4c47fa98c01754e6055c2acb9fce33e8b1e1932e934c6800328f3b66e20c3c51b6b10f0a8bd149e8784b38ff03f846757ded8bbba482

    • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

      Filesize

      22KB

      MD5

      a9db202fb4be91391a079ea9b10ca547

      SHA1

      9ccf0d4f3e08118bb4fd9e4cca1074a114b7e223

      SHA256

      aea4678b62c0acca4c8e58b12171d57b571b171225607842622fc27508148fba

      SHA512

      c0d95faf801d8a7217062d3ae8b29ef9bca04402c5e0477374e60a23fa741dee4e1f2435a1b571bca4c0054550b477dedeae5e616d289fa8eb04d96a40ceb866

    • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

      Filesize

      37.6MB

      MD5

      a6495a9733c79fcf8baae680b03f7141

      SHA1

      57be7a2352aeba40be8f8f9dcc582aed10b0ded8

      SHA256

      1cb2c3feb83d141458b31d6235f8e264fba3a68b4759d7c26903703d307b7005

      SHA512

      8fa435f53863f500bbcd190329308844eb7535db207454f976a7291dd016110a866c96b05f195e225eee60e28b230049214f4a80c2d1415be139829552adfc90

    • C:\Users\Admin\AppData\Local\Temp\avp.exe

      Filesize

      73KB

      MD5

      d0b2a18b2220a3248eec7874b75867fe

      SHA1

      47bfbb801c7643f3bc1f767cca4c496d4a620268

      SHA256

      c0879137834b57ed4d7c59a1972737e74528032a39ff7ca8aa2560b9babb8d3b

      SHA512

      3edf0025f8d5a36667b026b1102acca3ca03a2c0539f037fd3e7a28c61b1d10cdc81ee9553ad47eee7c907e02ef1ffa97e3b22d2666c60aa3fb2e7457141ac24

    • C:\Users\Admin\AppData\Local\Temp\drivers.p

      Filesize

      15B

      MD5

      4ff8e80638f36abd8fb131c19425317b

      SHA1

      358665afaf5f88dfebcdb7c56e963693c520c136

      SHA256

      6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

      SHA512

      d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

    • C:\Users\Admin\AppData\Local\Temp\ghi.bat

      Filesize

      3KB

      MD5

      b98e8fcde49a1caee295a6bd3d264e56

      SHA1

      71c82391a8617212ad48c8d79755e71be2e20be9

      SHA256

      e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

      SHA512

      fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

    • C:\Windows\SysWOW64\EventSystem.dll

      Filesize

      61KB

      MD5

      e752f85ed0c2d7a737c1b7cb69a7f8f1

      SHA1

      16a1d54c5255668a3076026efb4befb406ed03b7

      SHA256

      a6925ccf46342ac629280fbc24cc5f5f87318bddb59a412528e1974fa80a2647

      SHA512

      a18591db11dfd61ae3a90d53f9e2d222f8d6c1f389b07c51a9844c64b7767f1bf8313ef9459b497857e83e339328577c56f92d24705eea9799ded5b3d46f65c7

    • memory/408-14-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/408-7-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1944-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1944-8-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB
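Three of the find /i /v filters in the ghi.bat branch of the process tree (¬A╛╣, ░⌡ªµª¿ and ├ⁿ┴ε) are not random noise. The sandbox image is en-US, so cmd.exe rendered the non-ASCII bytes in ghi.bat (the 3KB batch listed above) through OEM code page 437, and the report recorded the resulting box-drawing glyphs. Re-encoding each glyph as CP437 returns the byte that was actually in the batch. The script below is an added example, not part of the report; the choice of GBK and Big5 as candidate code pages is an assumption, and the conclusion drawn afterwards rests on the one string that decodes to a recognizable word.

```python
"""Recover the bytes behind the garbled find /i /v "..." filters in the ghi.bat branch.

Added example, not part of the report. An en-US console renders each non-ASCII byte
as a CP437 glyph, so re-encoding the glyphs as CP437 returns the original bytes; the
candidate code pages tried afterwards (GBK, Big5) are an assumption.
"""
from collections import OrderedDict

# The three non-ASCII filter strings exactly as the report prints them.
GARBLED = ["¬A╛╣", "░⌡ªµª¿", "├ⁿ┴ε"]


def recover_bytes(garbled, console_cp="cp437"):
    """Undo the console rendering: one CP437 glyph stands for one original byte."""
    return garbled.encode(console_cp)


def decode_candidates(raw, codecs=("gbk", "big5")):
    """Try plausible East Asian code pages, keeping only decodes with no invalid sequences."""
    out = OrderedDict()
    for codec in codecs:
        try:
            out[codec] = raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return out


def analyse(garbled):
    """Bytes (hex) plus every clean decode for one garbled filter string."""
    raw = recover_bytes(garbled)
    return {"glyphs": garbled, "bytes": raw.hex(" "), "decodes": decode_candidates(raw)}


if __name__ == "__main__":
    for s in GARBLED:
        r = analyse(s)
        print(f"{r['glyphs']!r:14} bytes={r['bytes']}")
        for codec, text in r["decodes"].items():
            print(f"    {codec}: {text}")
```

For ├ⁿ┴ε the recovered bytes are c3 fc c1 ee, which GBK decodes to 命令 ("command"), the start of the trailer 命令成功完成 that net.exe prints on Simplified-Chinese Windows where the English build prints "The command completed successfully". The batch's English twin is the find /i /v "completed successfully" on the same branch, so these filters strip the success trailer from net output on both Chinese- and English-locale hosts, which says something about where the tooling was written and tested. The other two strings decode to nothing this editor recognizes and are left for the reader to judge from the raw bytes.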