Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    09/10/2024, 05:14

General

  • Target

    2b8039c78c4dad17c2d0c342322f7680_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    2b8039c78c4dad17c2d0c342322f7680

  • SHA1

    0fa86493bbc6c05d2c643d0c329939368cb5c989

  • SHA256

    df27a81d101b133c0254000f3757a564c5a3a88e2bd6562d4af593a7b0e1c6f0

  • SHA512

    456c3203e8ad28f4e9342fc8128b1b3101ed90ab773eb86a49023d8c2275b608ddecc0e8af1f19db9939027327d3749c55509dcfc9ce53cc71233296d0cd8593

  • SSDEEP

    3072:gcD0SAY4yKdEvffYiihhnSBPKk4cGSgMpurEqDaB2Z+C:hDCWYii7nSBSk41SD4k2Z+

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b8039c78c4dad17c2d0c342322f7680_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b8039c78c4dad17c2d0c342322f7680_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2676
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2276
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Users\Admin\AppData\Roaming\8jll534.exe
      C:\Users\Admin\AppData\Roaming\8jll534.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\AppData\Roaming\8jll534.exe
        C:\Users\Admin\AppData\Roaming\8jll534.exe -…
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2044
      • C:\Users\Admin\AppData\Roaming\8jll534.exe
        C:\Users\Admin\AppData\Roaming\8jll534.exe -…
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1512
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\6yc5z9g44.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1160
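The tree above is a textbook defence-evasion chain: net.exe/net1.exe stop "Security Center" and the firewall service, sc.exe sets wscsvc and SharedAccess to start= DISABLED, rundll32.exe installs an INF from %APPDATA% via setupapi,InstallHinfSection (which is where the Run key comes from), and cmd.exe runs a dropped .bat that removes the original file. Note also that the dropped 8jll534.exe carries exactly the hashes of the submitted file, so the sample copies itself into %APPDATA%. The Python below is an added example of triage rules over such a process tree; it is not the sandbox's signature code. The events are transcribed from the process list on this page (the two 8jll534.exe children whose argument is elided are omitted), and the service names MpsSvc and WinDefend are an assumption beyond what this report shows.

```python
"""Triage rules over process-creation events shaped like the sandbox tree above.

EVENTS is constructed sample input transcribed from the report on this page;
PIDs and command lines are the ones it lists.
"""
import re

EVENTS = [
    {"pid": 388, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\2b8039c78c4dad17c2d0c342322f7680_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2b8039c78c4dad17c2d0c342322f7680_JaffaCakes118.exe"'},
    {"pid": 2636, "ppid": 388, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": 'net.exe stop "Security Center"'},
    {"pid": 2676, "ppid": 2636, "image": r"C:\Windows\SysWOW64\net1.exe", "cmdline": r'C:\Windows\system32\net1 stop "Security Center"'},
    {"pid": 2276, "ppid": 388, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc config wscsvc start= DISABLED"},
    {"pid": 2648, "ppid": 388, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'},
    {"pid": 2740, "ppid": 2648, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"'},
    {"pid": 2692, "ppid": 388, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc config SharedAccess start= DISABLED"},
    {"pid": 2808, "ppid": 388, "image": r"C:\Users\Admin\AppData\Roaming\8jll534.exe", "cmdline": r"C:\Users\Admin\AppData\Roaming\8jll534.exe"},
    {"pid": 2572, "ppid": 388, "image": r"C:\Windows\SysWOW64\Rundll32.exe",
     "cmdline": r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf"},
    {"pid": 2680, "ppid": 2572, "image": r"C:\Windows\SysWOW64\runonce.exe", "cmdline": r'"C:\Windows\system32\runonce.exe" -r'},
    {"pid": 2664, "ppid": 2680, "image": r"C:\Windows\SysWOW64\grpconv.exe", "cmdline": r'"C:\Windows\System32\grpconv.exe" -o'},
    {"pid": 1160, "ppid": 388, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c C:\Users\Admin\AppData\Roaming\6yc5z9g44.bat"},
]

# net.exe takes display names, sc.exe takes short names; map both to one short name.
# MpsSvc / WinDefend are an assumption: they do not appear in this report.
SECURITY_SERVICES = {
    "security center": "wscsvc",
    "wscsvc": "wscsvc",
    "windows firewall/internet connection sharing (ics)": "sharedaccess",
    "sharedaccess": "sharedaccess",
    "mpssvc": "mpssvc",
    "windefend": "windefend",
    "windows defender": "windefend",
}

# Anything under a user profile's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def _split_cmd(cmdline):
    """Windows-style argv split that keeps double-quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _start_value(low):
    """sc.exe accepts 'start= disabled' and 'start=disabled'; return the value or None."""
    for i, tok in enumerate(low):
        if tok == "start=" and i + 1 < len(low):
            return low[i + 1]
        if tok.startswith("start=") and len(tok) > len("start="):
            return tok[len("start="):]
    return None


def check_event(ev):
    """Return [(attack_technique, reason)] for one process-creation event."""
    findings = []
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    argv = _split_cmd(ev["cmdline"])
    low = [a.lower() for a in argv]

    # Impair Defenses: net/net1 stop <security service>
    if image in ("net.exe", "net1.exe") and len(low) >= 3 and low[1] == "stop":
        svc = SECURITY_SERVICES.get(low[2])
        if svc:
            findings.append(("T1562.001", f"{image} stops security service {svc}"))

    # Impair Defenses: sc config <security service> start= disabled
    if image == "sc.exe" and len(low) >= 3 and low[1] == "config":
        svc = SECURITY_SERVICES.get(low[2])
        if svc and _start_value(low) == "disabled":
            findings.append(("T1562.001", f"sc.exe disables service {svc}"))

    # Rundll32 proxy execution: InstallHinfSection on an INF the user can write
    if image == "rundll32.exe" and len(low) >= 2 and low[1].startswith("setupapi,installhinfsection"):
        inf = argv[-1]
        if USER_WRITABLE.search(inf):
            findings.append(("T1218.011", f"rundll32 installs INF from user profile: {inf}"))

    # Windows command shell running a dropped batch file (the self-delete step in this tree)
    if image == "cmd.exe" and "/c" in low:
        i = low.index("/c") + 1
        target = argv[i] if i < len(argv) else ""
        if target.lower().endswith(".bat") and USER_WRITABLE.search(target):
            findings.append(("T1059.003", f"cmd runs batch file from user profile: {target}"))
    return findings


def _root_pid(pid, parents):
    """Walk ppid links up to the top-most process we have an event for."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def triage(events):
    """Group findings by the root process so one chain is reported as one incident."""
    parents = {ev["pid"]: ev["ppid"] for ev in events}
    by_root = {}
    for ev in events:
        for technique, reason in check_event(ev):
            by_root.setdefault(_root_pid(ev["pid"], parents), []).append((ev["pid"], technique, reason))
    return by_root


if __name__ == "__main__":
    for root, hits in triage(EVENTS).items():
        print(f"root PID {root}: {len(hits)} findings")
        for pid, technique, reason in hits:
            print(f"  PID {pid} {technique} {reason}")
```

Grouping by root PID matters here: net1.exe is a grandchild of the sample, and runonce/grpconv are grandchildren of the rundll32 install, so per-parent grouping would split one chain into several alerts while the legitimate runonce/grpconv children correctly produce no findings.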

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\6yc5z9g44.bat

    Filesize

    218B

    MD5

    0af0ae8b58d8dd9a1970c0b2c5fc4d07

    SHA1

    60c3066af5ad2dd0a9893d1cec817105260a0b7f

    SHA256

    d3a30aa9d61c46cf8c431c5ef3665cc6c10c4c20b213b6cd9fb4c836192bd8ef

    SHA512

    7044b55b000e15bccef9dca52e949baccbe03548d4456006c8b32b27508c03b80eb168f4a3606325e69c12519421a90b02424535b14553c3c9b6faed1c323575

  • C:\Users\Admin\AppData\Roaming\mdinstall.inf

    Filesize

    410B

    MD5

    3ccb3b743b0d79505a75476800c90737

    SHA1

    b5670f123572972883655ef91c69ecc2be987a63

    SHA256

    5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd

    SHA512

    09b1cdd4393f515f7569fbccc3f63051823ed7292b6e572bc9a34e4389b727b2914b22118e874864ccb32ef63016b2abd6d84510fd46fdee712fd84be59c114e

  • \Users\Admin\AppData\Roaming\8jll534.exe

    Filesize

    168KB

    MD5

    2b8039c78c4dad17c2d0c342322f7680

    SHA1

    0fa86493bbc6c05d2c643d0c329939368cb5c989

    SHA256

    df27a81d101b133c0254000f3757a564c5a3a88e2bd6562d4af593a7b0e1c6f0

    SHA512

    456c3203e8ad28f4e9342fc8128b1b3101ed90ab773eb86a49023d8c2275b608ddecc0e8af1f19db9939027327d3749c55509dcfc9ce53cc71233296d0cd8593

  • memory/388-2-0x0000000003630000-0x0000000004692000-memory.dmp

    Filesize

    16.4MB

  • memory/1512-39-0x0000000003690000-0x00000000046F2000-memory.dmp

    Filesize

    16.4MB

  • memory/2044-32-0x0000000003890000-0x00000000048F2000-memory.dmp

    Filesize

    16.4MB

  • memory/2808-17-0x0000000003450000-0x00000000044B2000-memory.dmp

    Filesize

    16.4MB