Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/10/2024, 07:57

General

  • Target

    127c37c001099e0929452c493085ce54_JaffaCakes118.exe

  • Size

    155KB

  • MD5

    127c37c001099e0929452c493085ce54

  • SHA1

    a0563de29d3178aa7a1a1e6df9331f8eee37dc95

  • SHA256

    e5bee028efdb93be33d474cad9a294e631ad6a8fa75f29884745681598087b6c

  • SHA512

    b4199d3d30bdde229d4d35c0e09fd729057585d31f299c0b829e98e598d1f9b0987400434dc3e5dba2f46a10ff3f4599733c32e4e033cc9db248fcc16730193a

  • SSDEEP

    3072:yNwGloXeMOy9Vackr+/N8uMRuO+dxGQiHnwFCJIPGHOA:yNNloXeMOy9kcky/N8uquO+jdgHOA

Score
10/10

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 5 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:608
  • C:\Users\Admin\AppData\Local\Temp\127c37c001099e0929452c493085ce54_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\127c37c001099e0929452c493085ce54_JaffaCakes118.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Users\Admin\AppData\Local\Temp\update64.exe
      "C:\Users\Admin\AppData\Local\Temp\update64.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\un_update.bat" "
        3⤵
        PID:2628
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mxz.bat" "
      2⤵
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mxz.bat

    Filesize

    389B

    MD5

    aaa474ca2a0ea73573f30c49046eec7e

    SHA1

    70bb5f50a24f83a417644447b6d80b64bcedc3f4

    SHA256

    7391988e22a079985db9f4a5e87cb033b828b40e387bbfdc43a6936cb0a6ca3a

    SHA512

    b4e0fe91a826b6e2a31c340871fd6f3820ca3d4079c7e66ae00a8a921c72d44f02e276183c2c3fac9e98deb01dddb5ce239aa8b308f051ee7e3df31148d0f223

  • C:\Users\Admin\AppData\Local\Temp\un_update.bat

    Filesize

    187B

    MD5

    95bac65b30c3cf0e390dd7559a014c8a

    SHA1

    f231d40a6e8bd6cec005452cec1cf8a8f1f6ae06

    SHA256

    2f4f65d54e3e19f079fd20b15d02d09be22eeb0089002eed6747200be028a92f

    SHA512

    8c6305c4b8ef06d92e0a6985ca39608f43118eac78dedb2bf43c428140b188067545a4672db9d56c2ababfc9c635d26471474d2185faa6acbaf640d97aef0dcd

  • C:\Users\Admin\AppData\Local\Temp\update64.exe

    Filesize

    28KB

    MD5

    de51a16c0b55e9e574621f5beb76014c

    SHA1

    63dbf7d435a74735afde3f4b380b53ea5140d6ec

    SHA256

    de72451284a709d493766316a32f2a56545ab13ca474f2e45235ab9f87eb00d8

    SHA512

    62b61fc1e19582066e8113ff777d7b94add2be589260c82379d44b391d7f9c35545b5079c250519cde047d3525f904fe6e236164567408b7cd7873528d9fe547

  • C:\Windows\SysWOW64\insvc32.exe

    Filesize

    9KB

    MD5

    8219200bed17b14b1887b3e38e8c170e

    SHA1

    6d27a03882b51a86b7209953b6cb10af806422cd

    SHA256

    092f1d112fe7e7e9b4661be993e96a17f8d89efd946900c7046f076c90807e8d

    SHA512

    7c3e1e9626f546ad1fcca44cd7d2bec3ccd846621bb98f8f41fbf36de401d89ba0c6d6aa4290eb1551efe813c181d3406bc4e1be0abf2af5bae074364ce4eba7

  • C:\Windows\system32\SoAction64.dll

    Filesize

    26KB

    MD5

    4d8abca5a88b43541a1dbb20f012f8a8

    SHA1

    7ab8c63b2349d7ac87344bc3c67dd06c0b9e6325

    SHA256

    b1d54b61bd034dcd103d2259a097d9c67b2068d2fc71871fc0a8820eb923d7b1

    SHA512

    6a2592029cffc1a29719260c60fd7265376fd7830cbe0b46cb40be7e95110f26708e221aeadeaf5b013cad93cdc693198662b57870ec937b8301fbadc268cd55