Overview

overview

8

Static

static

3

3af0e7ac2d...18.exe

windows7-x64

3

3af0e7ac2d...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2024, 16:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3af0e7ac2dbe0af3f808dd4878ad422a_JaffaCakes118.exe

  • Size

    47KB

  • MD5

    3af0e7ac2dbe0af3f808dd4878ad422a

  • SHA1

    30bca04826d796728b4720566aeb60979b95deae

  • SHA256

    e558eee3ce8b2334e4515463713ea2992cab4c793ad9273f4a82dce3d9baa895

  • SHA512

    a424819abe2d4c02fc0fe46ce17df610de25180920204800a4d481ff448f3a05f5c73cae66df3838ff18d5982b51e22c792ee5ef73ea8477abe3c988451c9ada

  • SSDEEP

    768:uqrPejL1KJuHhhDTZQ1bpp4W2MtLdzNCRE7VQasreDWxNv+vBapAo96FQF9m8:uaejRpDDFip4W2MfzMS7yCkN3pAnSs8

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Users\Admin\AppData\Local\Temp\3af0e7ac2dbe0af3f808dd4878ad422a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3af0e7ac2dbe0af3f808dd4878ad422a_JaffaCakes118.exe"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Windows\system32\nnnoPJDV.dll,a
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\system32\byXOiJDs.dll",s
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgGywUnL.bat "C:\Users\Admin\AppData\Local\Temp\3af0e7ac2dbe0af3f808dd4878ad422a_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2632

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\hgGywUnL.bat
            Filesize

            71B

            MD5

            492e54473d37293e26d4ddc3acc9913c

            SHA1

            59f880a27f56f1697383fd68fb1aa13d18103ba1

            SHA256

            8e5edff51e1db5b5f1462514d405c33794d8ac87137a3546230b2b968396056b

            SHA512

            fad4881af271b577429a9a00938738ba8907c28694679af8e878636bcbb6c0d4f4cf456c9b6867d3ed740d722caa78d7f9feaf32e79d3fded91ad85ae966af63

            Download Submit

          • C:\Windows\SysWOW64\byXOiJDs.dll
            Filesize

            1KB

            MD5

            7d003e6691cc80e8415c855612f4dec2

            SHA1

            9ef1a2569cf06c13637d96d257cfe7e50510f410

            SHA256

            48a3f99474a2da97efbcf04e0cb39ab50dc2b3080266632600ee34bc8dc7333c

            SHA512

            f2bd64842de828534240d6ebc119c5a136e6e66011cb6c177e1574d14b213d1efef0d76ac4b5b1b6ff58e5593dd847726e5c1b7939bba37806a441a1c9326231

            Download Submit

          • C:\Windows\SysWOW64\nnnoPJDV.dll
            Filesize

            34KB

            MD5

            241a92a3d4c3feb08445f40544d37daa

            SHA1

            7180d8001ba694a7bedb704212ea80dd7c94d431

            SHA256

            cfd3ddd59bb7bc955f914cb9f6fd888f9b9c4dc7acc9799bb29804b475434040

            SHA512

            3dd9bd820db1ee40d86f42b022eaafae4c0f5708a7ca77f48c415ec2fb7abd1d092d17e802ddefad706a0d88f956b19b8dc1e91a4007d27113911aa45d2758c7

            Download Submit

          • memory/2248-11-0x0000000010000000-0x0000000010014000-memory.dmp

            Filesize

            80KB

            Download

          • memory/2248-8-0x0000000010000000-0x0000000010014000-memory.dmp

            Filesize

            80KB

            Download

          • memory/2248-9-0x0000000000430000-0x0000000000435000-memory.dmp

            Filesize

            20KB

            Download

          • memory/2248-0-0x0000000000400000-0x0000000000411000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2248-2-0x0000000000400000-0x0000000000411000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2248-1-0x0000000000430000-0x0000000000435000-memory.dmp

            Filesize

            20KB

            Download

          • memory/3952-20-0x0000000001320000-0x0000000001325000-memory.dmp

            Filesize

            20KB

            Download

          • memory/3952-22-0x0000000010000000-0x0000000010014000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3952-19-0x0000000010000000-0x0000000010014000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3952-29-0x0000000001320000-0x0000000001325000-memory.dmp

            Filesize

            20KB

            Download

          • memory/3952-30-0x0000000010000000-0x0000000010014000-memory.dmp

            Filesize

            80KB

            Download