Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 01:11

General

  • Target

    ffa745739473d73e9f17da60c65a37c7_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    ffa745739473d73e9f17da60c65a37c7

  • SHA1

    310273de5e45fa57484b227e35f5fe1449a4e6af

  • SHA256

    1f0e8a6ccdcbd4755d7544da2037e107349c1d41b4fa4639afb89dd8541b1e09

  • SHA512

    cbc9c8ec1ca570fbc9dc83655e9a5cb1552224d2612306811db63a5954227ca782eeaa694b4a860ebdf71e76e7d65b9807173add9ad1dca8cbeae01c9caebb7d

  • SSDEEP

    3072:VDOU+qJKjmx5YH6GGFNr/UZ5e8GQZhU8LJV+0L4RHgZy7hMFtGFKivarBoJhDi:VqUPJTFpMZ88GUG8LJV+0k7hg0FKiNJs

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Process spawned unexpected child process (3 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sets file to hidden (1 TTP, 3 IoCs)

    Modifies file attributes so the file no longer shows in Explorer and similar tools.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (4 IoCs)
  • Drops desktop.ini file(s) (1 IoC)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Modifies registry class (11 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (45 IoCs)
  • Views/modifies file attributes (1 TTP, 3 IoCs)
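The three registry-side signatures above (Winlogon persistence, Explorer file-extension visibility, Internet Explorer start page) can be checked from endpoint telemetry rather than only in a sandbox. The following is an added example, not the sandbox's logic or the sample's code: it triages Sysmon Event ID 13 (registry SetValue) records against the stock Winlogon values and the Explorer and Internet Explorer value names. The events are constructed for illustration, the path written to Winlogon\Shell is invented, and the severity labels are the example's own.

```python
"""Triage Sysmon Event ID 13 (registry SetValue) records for the Winlogon,
Explorer-visibility and Internet Explorer changes listed in the signatures.
Added example; events below are constructed and the Winlogon\\Shell payload
path is invented."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}

WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_DEFAULTS = {             # stock Windows 10 data; note the trailing comma
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
EXPLORER_ADV = r"\software\microsoft\windows\currentversion\explorer\advanced"
HIDING_VALUES = {"hidefileext": 1, "hidden": 2, "showsuperhidden": 0}  # data that hides
IE_MAIN = r"\software\microsoft\internet explorer\main"
IE_VALUES = {"start page", "default_page_url", "search page"}

_DWORD = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)

def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; accept plain ints too."""
    m = _DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else int(details.strip(), 0)

@dataclass(frozen=True)
class RegEvent:
    image: str      # process that performed the write
    target: str     # Sysmon TargetObject: key path ending in the value name
    details: str    # data written, as Sysmon renders it

def classify(ev):
    """Return (finding, severity) for one SetValue event, or None."""
    key, _, value = ev.target.lower().rpartition("\\")
    key = key.replace(r"\wow6432node", "")   # a 32-bit writer (SysWOW64\mshta.exe) may land here
    from_script = ev.image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS
    if key == WINLOGON_KEY and value in WINLOGON_DEFAULTS:
        if ev.details.strip().lower() == WINLOGON_DEFAULTS[value]:
            return None                        # stock value rewritten: noise
        return ("winlogon-persistence:" + value, "high")
    if key.endswith(EXPLORER_ADV) and value in HIDING_VALUES:
        if dword(ev.details) != HIDING_VALUES[value]:
            return None                        # making things visible is not the concern
        return ("explorer-hides:" + value, "high" if from_script else "low")
    if key.endswith(IE_MAIN) and value in IE_VALUES:
        return ("ie-setting:" + value, "medium" if from_script else "low")
    return None

def triage(events):
    """(writer basename, finding, severity) for every event worth a look."""
    out = []
    for ev in events:
        hit = classify(ev)
        if hit:
            out.append((ev.image.rsplit("\\", 1)[-1], hit[0], hit[1]))
    return out

# Constructed events (not from the sandbox run); the SID and payload path are made up.
HKU = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    RegEvent(r"C:\Windows\SysWOW64\mshta.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             r"explorer.exe,C:\Users\Admin\AppData\Roaming\payload.exe"),
    RegEvent(r"C:\Windows\SysWOW64\mshta.exe",
             HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
             "DWORD (0x00000001)"),
    RegEvent(r"C:\Windows\SysWOW64\mshta.exe",
             HKU + r"\Software\Microsoft\Internet Explorer\Main\Start Page",
             "http://example.invalid/"),
    RegEvent(r"C:\Windows\explorer.exe",          # user un-hiding extensions: benign
             HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\System32\msiexec.exe",  # stock Userinit rewritten: benign
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
             r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

On real data the `Details` field for `Userinit` sometimes carries a trailing space or differs in case, so the comparison is normalised before deciding a value is stock; anything else under `Shell` or `Userinit` is treated as persistence regardless of which process wrote it, while the Explorer and IE writes are only escalated when a script host is the writer.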

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffa745739473d73e9f17da60c65a37c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ffa745739473d73e9f17da60c65a37c7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Users\Admin\AppData\Local\Temp\inl9DA9.tmp
        C:\Users\Admin\AppData\Local\Temp\inl9DA9.tmp amd-k5p4g.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4632
          • C:\Users\Admin\AppData\Local\Temp\lieD860.tmp
            C:\Users\Admin\AppData\Local\Temp\lieD860.tmp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3364
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3640
              • C:\Windows\SysWOW64\PING.EXE
                ping 88.99.00.00
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2936
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                7⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Drops desktop.ini file(s)
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                • Modifies registry class
                PID:728
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Users\Admin\AppData\Local\Temp\kil25F.tmp
            C:\Users\Admin\AppData\Local\Temp\kil25F.tmp
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 260
              6⤵
              • Program crash
              PID:536
            • \??\c:\Program Files\lanmam.exe
              "c:\Program Files\lanmam.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3600
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4088
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9DA9.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4628
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FFA745~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4996
  • C:\Windows\system32\attrib.exe
    attrib +s +h "D:\RECYCLERMD4"
    1⤵
    • Process spawned unexpected child process
    • Sets file to hidden
    • Views/modifies file attributes
    PID:4020
  • C:\Windows\system32\attrib.exe
    attrib +s +h "D:\VolumeXX\desktop.ini"
    1⤵
    • Process spawned unexpected child process
    • Sets file to hidden
    • Views/modifies file attributes
    PID:3744
  • C:\Windows\system32\attrib.exe
    attrib +s +h "D:\VolumeXX"
    1⤵
    • Process spawned unexpected child process
    • Sets file to hidden
    • Views/modifies file attributes
    PID:4728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2952 -ip 2952
    1⤵
      PID:4500
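The tree above shows four behaviours worth turning into process-creation rules: mshta.exe executing a file from the roaming profile (note the 8.3 short name MICROS~1 in the path), cmd.exe deleting an ancestor's own image (again through a short name, FFA745~1.EXE), attrib +s +h run by a parent the sandbox could not attribute, and ping launched from a batch file in %TEMP%. The following Python is an added example, not the sandbox's detection code; it replays the report's own command lines as Sysmon Event ID 1 style records (pid, ppid, image, command line) and resolves 8.3 names so the self-deletion matches the long image name. The rule names, the set of "shell" parents and the attrib.exe parent being unset are the example's own choices.

```python
"""Process-tree rules for the chain above. Added example, not the sandbox's own
detection code; records are the report's command lines reshaped into Sysmon
Event ID 1 fields (attrib.exe gets no parent because the report shows none)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: str
    ppid: str        # None when the parent was not captured
    image: str
    cmdline: str

def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]

# The self-delete names the sample as FFA745~1.EXE while the image carries the
# long name: an 8.3 name is six stem characters (spaces/extra dots removed),
# "~N", and an extension cut to three characters.
_SHORT = re.compile(r"([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?")

def name_matches(a, b):
    """True if a (8.3 or long form) names the same object as long name b."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    m = _SHORT.fullmatch(a)
    if not m:
        return False
    stem, _, ext = b.rpartition(".") if "." in b else (b, "", "")
    stem = re.sub(r"[ .]", "", stem)
    return stem.startswith(m.group(1)) and ext[:3] == (m.group(2) or "")

def same_path(a, b):
    pa, pb = a.strip('"').split("\\"), b.strip('"').split("\\")
    return len(pa) == len(pb) and all(name_matches(x, y) for x, y in zip(pa, pb))

SHELLS = {"cmd.exe", "explorer.exe", "powershell.exe"}
_DEL = re.compile(r'\bdel\s+(?:/\w\s+)*("[^"]+"|\S+)', re.I)
_ARGS = re.compile(r'"([^"]+)"|(\S+)')

def rule_mshta(p, by_pid):
    # mshta.exe runs any file regardless of extension: key on the argument's location
    if basename(p.image).lower() != "mshta.exe":
        return None
    for quoted, bare in _ARGS.findall(p.cmdline)[1:]:
        a = (quoted or bare).lower()
        if a.startswith(("javascript:", "vbscript:")):
            return "mshta-inline-script"
        if "\\users\\" in a or "\\programdata\\" in a:
            return "mshta-user-profile-file"

def rule_self_delete(p, by_pid):
    """cmd /c del <path> where <path> is the image of an ancestor process."""
    m = _DEL.search(p.cmdline) if basename(p.image).lower() == "cmd.exe" else None
    if not m:
        return None
    target, anc = m.group(1).strip('"'), by_pid.get(p.ppid)
    while anc is not None:
        if same_path(target, anc.image):
            return "self-delete:" + basename(anc.image)
        anc = by_pid.get(anc.ppid)

def rule_attrib_hide(p, by_pid):
    if basename(p.image).lower() != "attrib.exe" or \
            not re.search(r"\+s\b.*\+h\b|\+h\b.*\+s\b", p.cmdline, re.I):
        return None
    parent = by_pid.get(p.ppid)
    if parent is None or basename(parent.image).lower() not in SHELLS:
        return "attrib-system-hidden:unexpected-parent"
    return "attrib-system-hidden"

def rule_ping_from_temp_batch(p, by_pid):
    parent = by_pid.get(p.ppid)
    if basename(p.image).lower() == "ping.exe" and parent is not None and \
            basename(parent.image).lower() == "cmd.exe" and \
            re.search(r'\\temp\\[^"]+\.bat', parent.cmdline, re.I):
        return "ping-from-temp-batch"

RULES = (rule_mshta, rule_self_delete, rule_attrib_hide, rule_ping_from_temp_batch)

def detect(procs):
    # Key by ProcessGuid on real telemetry: the report above shows PID 5056 reused.
    by_pid = {p.pid: p for p in procs}
    return [(p.pid, hit) for p in procs for r in RULES if (hit := r(p, by_pid))]

T, CMD = r"C:\Users\Admin\AppData\Local\Temp", r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = [   # taken from the report's process tree
    Proc("3152", None, T + r"\ffa745739473d73e9f17da60c65a37c7_JaffaCakes118.exe",
         '"' + T + r'\ffa745739473d73e9f17da60c65a37c7_JaffaCakes118.exe"'),
    Proc("3224", "3152", CMD, r'C:\Windows\system32\cmd.exe /c ""' + T + r'\run_dws_file.bat" "'),
    Proc("2616", "3224", T + r"\inl9DA9.tmp", T + r"\inl9DA9.tmp amd-k5p4g.tmp"),
    Proc("4632", "2616", CMD, r'C:\Windows\system32\cmd.exe /c ""' + T + r'\run_lk_file.bat" "'),
    Proc("3364", "4632", T + r"\lieD860.tmp", T + r"\lieD860.tmp"),
    Proc("3640", "3364", CMD, r'C:\Windows\system32\cmd.exe /c ""' + T + r'\run_rlh_tmp.bat" "'),
    Proc("2936", "3640", r"C:\Windows\SysWOW64\PING.EXE", "ping 88.99.00.00"),
    Proc("728", "3640", r"C:\Windows\SysWOW64\mshta.exe",
         r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" '
         r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
    Proc("4628", "2616", CMD, r'"C:\Windows\system32\cmd.exe" /c del ' + T + r"\inl9DA9.tmp > nul"),
    Proc("4996", "3152", CMD, r'"C:\Windows\system32\cmd.exe" /c del ' + T + r"\FFA745~1.EXE > nul"),
    Proc("4020", None, r"C:\Windows\system32\attrib.exe", r'attrib +s +h "D:\RECYCLERMD4"'),
]
```

`detect(SAMPLE)` flags the ping, the mshta launch, both `del` commands (the second only because `FFA745~1.EXE` is matched against the long image name component by component) and the orphaned attrib.exe. It needs Python 3.8 or later for the assignment expression. On live telemetry, key the tree by ProcessGuid rather than PID: the report itself shows PID 5056 used by two different cmd.exe instances, which a PID-keyed map would conflate.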

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\lanmam.exe

      Filesize

      10.4MB

      MD5

      cb18658a181d6c9574974729bbdd0431

      SHA1

      1d7e6c5a93fe58714ce79d022b7a5cf0a414b8fb

      SHA256

      1f807ae095e9e8580fe486fe57d9f52cb329bd7fdc882ca25d23f45747bdb790

      SHA512

      edc1981fbd89d5c0516c493a6d25f3c0770d539d5862b76739769903729b2892145c398b46d0bb1dc6ef73b19d27107587e87c2ce1df65ba8a497f01414b661c

    • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

      Filesize

      2KB

      MD5

      1a9f52dccd07d5625b7bdfcab3a3f931

      SHA1

      8425b4881efec05150a14515cbb1bb99132e6058

      SHA256

      f1884c631989540f1e88f580d5753aecb98d27e3651aa7115afb1ba36d08da5d

      SHA512

      ba5edc364e0375c73a9370b22a6b8b588a3c4720b60503ae14c4b8bdcded4e15e8a43a517eebeef45857a1536420ef65ee5e7fef70d911ec59aaa11a25c87dea

    • C:\Users\Admin\AppData\Local\Temp\amd-k5p4g.tmp

      Filesize

      765B

      MD5

      0adb15b2c15a01ae051e2c0d87549147

      SHA1

      db340a5eb1da94cf11a7699270ce8f455c0f856d

      SHA256

      8ff35d78625cad1d0d5805a8cdb4208a252f4f42a576e1906e41522e6dc85dc8

      SHA512

      06a1f5ab538036c6d601c8144eac123ffa022541310fb0ca01157e4518cba7dff121a68a6ed05df32b3636fc84d9593d00e9808c07432944d17e6b1983379f69

    • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

      Filesize

      59B

      MD5

      c9e449044e083088646143ac7f5bb9f8

      SHA1

      358e065d8c096fd7801ccbcdffb069b4a5398539

      SHA256

      cac2aaf7dd83fc9a9df5145be134ab6009b5d0a7f3e00555799b73d593e36f0e

      SHA512

      fa626e80ed64a92f96c2093815b0ba257f1b4f41ebad48e2c03bfdf70917f9e82bf3478f9198f54df7aff4846a4a93f4b175a4fc3d05432792fcfe7289a04371

    • C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

      Filesize

      44B

      MD5

      3aa7a29cad7a6b051d279b321849d362

      SHA1

      2f91ac9203056e8571284df4a903b90491dd296b

      SHA256

      9d472d79afd302e2aa2634966937bbc03a064e64c03473a9e6cb8ae972ccf75c

      SHA512

      00a17b0f42d3b3c87b50d3448835d896f09dd31cc7973d5d7939a9650bd596c66229f72e7188229b57be0300ccdf6672354374cee7c77ab9b1eb4034dae976ae

    • C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat

      Filesize

      45B

      MD5

      b92a8433a07c6df70da11f5c98070d2c

      SHA1

      46b9f2b6625524bd5215575a9301b82011bffc87

      SHA256

      1118edec964164d13ef313dd7ecd2e6755bb9888a8b26cb018d8accfc1bdd9db

      SHA512

      6545d367ee76cf932d63b769c422eb87b95695a081295b847b91d88e746693f2fd4ac78a464234730dff5614834995d5f18b80d1db1e4fe1bf95e7d36d1e56b1

    • C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat

      Filesize

      70B

      MD5

      edea5cd5060d69b6c558fea75e330a67

      SHA1

      929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

      SHA256

      1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

      SHA512

      adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

      Filesize

      98B

      MD5

      8663de6fce9208b795dc913d1a6a3f5b

      SHA1

      882193f208cf012eaf22eeaa4fef3b67e7c67c15

      SHA256

      2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

      SHA512

      9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    • C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta

      Filesize

      7KB

      MD5

      ed7e356d003b19e3a5e8f294713c7369

      SHA1

      4cb75b0571cf14dc86179e565010fc25ae9d5c91

      SHA256

      6649e07c8f87501a01d62f21a2f2b50aebe30886c8a3d0b86ef34de4f6519f4d

      SHA512

      7bd690e7e8316a03468c1ad834f9b1fdabe0631b34f349f9cb61203ff2f590c202578a4c830dead46302ad61a6122741f1ed8e319e4c792654cfee8afdeba655

    • \??\c:\users\admin\appdata\local\temp\favorites_url.cab

      Filesize

      425B

      MD5

      da68bc3b7c3525670a04366bc55629f5

      SHA1

      15fda47ecfead7db8f7aee6ca7570138ba7f1b71

      SHA256

      73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

      SHA512

      6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    • memory/2616-42-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/2616-43-0x0000000000190000-0x0000000000193000-memory.dmp

      Filesize

      12KB

    • memory/2616-40-0x0000000000190000-0x0000000000193000-memory.dmp

      Filesize

      12KB

    • memory/2616-75-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/2616-77-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/2616-38-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

    • memory/2952-94-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2952-104-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/3152-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3152-16-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3364-73-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB