Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 07:26

General

  • Target

    0988c935717178e91e8acd06450283a2_JaffaCakes118.exe

  • Size

    3.5MB

  • MD5

    0988c935717178e91e8acd06450283a2

  • SHA1

    1a79ee358a1a7c36d4eef2c2c8fad16927d8390d

  • SHA256

    a4dfc90bf63745e6c476ccdd748cb097064b4334478a6cc08ab517f67e6cf13d

  • SHA512

    ac595eea9cb306644d2db40a092b76091eaf8b5b3a28ace83a63524eb16caf93e59845ff68241d18c4986611236451453a67a382e374fbd421a4b5d926ffa193

  • SSDEEP

    98304:8p9FJR47Hh4AtBq2HmvcEcKrslUDwsUWhuqf:8/DIH7HyUEfrmATlTf

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gazv90lv.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2608
    • C:\Users\Admin\AppData\Roaming\temp.exe
      "C:\Users\Admin\AppData\Roaming\temp.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c takeown /f C:\ldrscan\bootwin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1276
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\ldrscan\bootwin
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:824
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\bootsect.exe
          C:\bootsect.exe /nt60 SYS /force
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\SysWOW64\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\SysWOW64\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE966.tmp

    Filesize

    1KB

    MD5

    c7ec7c78d41236384c986863ffecf15e

    SHA1

    82eb65753fefa29c0ef0601ed3047b128f0cd40e

    SHA256

    2c0c1398ec3fd50c126051ed7ae9b47a2b2244bb9c03f1bd4ee46f35161824f8

    SHA512

    bb38e9f696d9e5b08039980211373731586b4036427920c42d4e2639d19fb85300f9d4402c4fcb2c6d266df8b20886de6094d85fc82e35056f99fd2db5fdc422

  • C:\Users\Admin\AppData\Local\Temp\gazv90lv.0.vb

    Filesize

    892KB

    MD5

    f376af31deadaf2deeded400b19e6c85

    SHA1

    e6b7552076f57f2712e0a1b137c0b829954f4738

    SHA256

    4c91daef9324fb4744f8a4e904bdedd0f9703c5ab758d7ed717c8f6ced8a9c0a

    SHA512

    02c152b01397f424d44f3fd4ed73e04365468ad7fd2861a796d788de7f549ab068359e66d21b632c42a8a8b02446867af67dda090582a61ab175a3969aac4aef

  • C:\Users\Admin\AppData\Local\Temp\gazv90lv.cmdline

    Filesize

    138B

    MD5

    bb406a95d4c6233a5bc504818537873a

    SHA1

    b0fe8b350a01a00b634814b2b7b878ce1a7d1f6d

    SHA256

    45b38d5b25b64c5976ca2bcb6c835a44313b41e9ded4a38500feb0ce269a8dee

    SHA512

    3c40ffd0196b75ccf868dc9312d835dc49fb1bdec70c5b03a0502066abb0faa32f5a2a27c58cb5b4d9dafebc3101c121dd91993a3eb3c19e95722c9e7429fccc

  • C:\Users\Admin\AppData\Local\Temp\gazv90lv.dll

    Filesize

    1.7MB

    MD5

    ece057a5d2c1d62ad3450728c7219b22

    SHA1

    1ae530ba9eb0645a715362d1629b2562de7d58e3

    SHA256

    cfa8762ea791e0b0f8a3c58ea9f5335ad34d83b4dbe682427e03f9eab0b34b30

    SHA512

    87e52199c023aff0917225d01115d808057f553b61a8756f29f7f35afb568c17b449da980390d6749a6db8957bf61124e3572deb18621af3331a0ee21c90edf9

  • C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp

    Filesize

    652B

    MD5

    3657a9ea37c4879952df6e111d56c5b1

    SHA1

    1f39680bdb12a7064a7c2bc23737a70d8ac81d31

    SHA256

    e1a507cb7106b4b8fc401e8881f9b55fa425f1f4394e9073097fe551eb357a31

    SHA512

    3c6e5801c6290c79ee24f18573135e6f99ad949fc7b38c2092558eb64187c7264fc7553c8c6ee207b3c4e781d5e1cc152f70f4507c37e2e7ee938a8984272a44

  • C:\bootsect.exe

    Filesize

    95KB

    MD5

    17b18a2feb3dcfe8a165af86ebc29fe7

    SHA1

    bf00a8ef28200a3bbc73633b360e1484ee2874d5

    SHA256

    99c4970f1f4b9dc50a5db9ff6f3a581754a1631f0751bdec2b5e3a261f35d85a

    SHA512

    034e809a3f2a2eaa633b7c1c9bffd0ac65041bf0a3fc6ba861e281712cdcb1e063d6c29e562bdc864e1963466ebcec9e30475907bea80a67ab48111ae583e65c

  • \Users\Admin\AppData\Roaming\temp.exe

    Filesize

    3.3MB

    MD5

    c4d6d3633382fe25a25aa4ee12a19560

    SHA1

    c6fd5d70f7609c589757fac45811dd7c1c63f93a

    SHA256

    27b4ea627778b5f75622daab8c736f4024778b69ca93f2ec940e3d44107902d6

    SHA512

    7b4d1471e2c79d9b23c6fda2d0388ffdfad174f6624625df14e86be16c345696640d43564848fdc9a4a0e228c2c70d783f936e1b11a8510ec8efb533b35b6aa7

  • memory/2132-52-0x00000000003D0000-0x00000000003E1000-memory.dmp

    Filesize

    68KB

  • memory/2132-97-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

  • memory/2132-26-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

  • memory/2132-105-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

  • memory/2132-76-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

    Filesize

    128KB

  • memory/2132-68-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

    Filesize

    64KB

  • memory/2132-60-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/2132-44-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

  • memory/2132-36-0x00000000003C0000-0x00000000003D0000-memory.dmp

    Filesize

    64KB

  • memory/2132-28-0x00000000002A0000-0x00000000002B1000-memory.dmp

    Filesize

    68KB

  • memory/2132-98-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

  • memory/2508-104-0x0000000001000000-0x000000000101B000-memory.dmp

    Filesize

    108KB

  • memory/2872-12-0x0000000076250000-0x0000000076360000-memory.dmp

    Filesize

    1.1MB

  • memory/2872-10-0x0000000076250000-0x0000000076360000-memory.dmp

    Filesize

    1.1MB

  • memory/2872-94-0x0000000076250000-0x0000000076360000-memory.dmp

    Filesize

    1.1MB

  • memory/2872-95-0x00000000088A0000-0x0000000008A60000-memory.dmp

    Filesize

    1.8MB

  • memory/2872-11-0x0000000076250000-0x0000000076360000-memory.dmp

    Filesize

    1.1MB

  • memory/2872-9-0x0000000076264000-0x0000000076265000-memory.dmp

    Filesize

    4KB

  • memory/2872-0-0x0000000001170000-0x00000000014DA000-memory.dmp

    Filesize

    3.4MB

  • memory/2872-24-0x00000000088A0000-0x0000000008AC3000-memory.dmp

    Filesize

    2.1MB

  • memory/3024-91-0x0000000076250000-0x0000000076360000-memory.dmp

    Filesize

    1.1MB

  • memory/3024-18-0x0000000076250000-0x0000000076360000-memory.dmp

    Filesize

    1.1MB