Analysis

  • max time kernel
    121s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 07:36

General

  • Target

    126b408839b1bfacf4616c832bba8be2_JaffaCakes118.exe

  • Size

    169KB

  • MD5

    126b408839b1bfacf4616c832bba8be2

  • SHA1

    c9f08cfbcd9885ad0571b75547b901c7d50c20a7

  • SHA256

    bd6f7d4dd5a4ea81960e7fff7a23e8e2642628fcd02ff05e86c842c4a4836941

  • SHA512

    485c7b3f7daffdb2065f67454ba54ee72cf67960c50543e62f519969aa070f4d9a8e6ee7bc131b6a166d4b2bddcf73e8a31f51142d6ce98dc343097d14f96d77

  • SSDEEP

    3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DE5aXbMK:gDCwfG1bnxLEMXbh

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\126b408839b1bfacf4616c832bba8be2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\126b408839b1bfacf4616c832bba8be2_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:272
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3056
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2924
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2936
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2180
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1696
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1552
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2528
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2608
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1592
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1136
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:900
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2772
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1996

Network

MITRE ATT&CK Enterprise v15
