Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2024 15:34

General

  • Target

    42e2c1ca8af67130d9ffea86fa259c9a_JaffaCakes118.exe

  • Size

    247KB

  • MD5

    42e2c1ca8af67130d9ffea86fa259c9a

  • SHA1

    2bc78cb9dbaf07e646a980538811ae4a0fb9ac24

  • SHA256

    6a1f3dd373df4ff19f842f0171ffa148ac4b2f88b5a87ff3bc42d012a215179f

  • SHA512

    fc1f8198adf886ac148f030a680ae0043b6dcb5975ec24fdedec0db49b50d093cde6249f3058ab33d0a3c161840381679290262953b46b7616850c06d23341ed

  • SSDEEP

    6144:tOxiV8jwcD5MCF8y1unn66DhhA/JMqWVcj3uRmk:2wctMLy0nn68PA/JMnV08mk

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: Clear Persistence 1 TTPs 3 IoCs

    Removes IFEO (Image File Execution Options) registry entries.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops autorun.inf file 1 TTPs 7 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 23 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42e2c1ca8af67130d9ffea86fa259c9a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\42e2c1ca8af67130d9ffea86fa259c9a_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Checks whether UAC is enabled
    • Indicator Removal: Clear Persistence
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1276
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2028
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1564
    • \??\c:\users\admin\appdata\local\temp\42e2c1ca8af67130d9ffea86fa259c9a_jaffacakes118.exe.log
      "c:\users\admin\appdata\local\temp\42e2c1ca8af67130d9ffea86fa259c9a_jaffacakes118.exe.log"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Indicator Removal: Clear Persistence
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c echo ok
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2956
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2844
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2984
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2220
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Windows\SysWOW64\com\lsass.exe
        "C:\Windows\system32\com\lsass.exe"
        3⤵
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Indicator Removal: Clear Persistence
        • Drops autorun.inf file
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c echo ok
          4⤵
          • System Location Discovery: System Language Discovery
          PID:780
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2676
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2900
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2916
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2932
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2868
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1620
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2064
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2084
        • C:\Windows\SysWOW64\com\smss.exe
          C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1300
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:700
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1756
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2492
      • C:\Users\Admin\appdata\local\temp\42e2c1ca8af67130d9ffea86fa259c9a_jaffacakes118.exe
        "C:\Users\Admin\appdata\local\temp\42e2c1ca8af67130d9ffea86fa259c9a_jaffacakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /i ASFAgent.msi
          4⤵
          • Event Triggered Execution: Installer Packages
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1652
      • C:\Windows\SysWOW64\com\lsass.exe
        ^c:\users\admin\appdata\local\temp\42e2c1ca8af67130d9ffea86fa259c9a_jaffacakes118.exe.log
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1864
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1bc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\NetApi000.sys

    Filesize

    4KB

    MD5

    cef91687bf84b5546bd3a4f3162385c4

    SHA1

    ef54687918e82a74423aa4c1b576b957cd436803

    SHA256

    25c9718e3fbc111fe63153f6222311e6d66544f3626b22e6d2bd93781c86ed80

    SHA512

    00e82d14301f58d7b021ec1377b4778e5e49ca66b729a20f9b4daf58d2394772e0b950168848c7fb13be57f5b6521a4375b569ca10a3a99c73a87411be057ccc

  • C:\Users\Admin\AppData\Local\Temp\42e2c1ca8af67130d9ffea86fa259c9a_JaffaCakes118.exe

    Filesize

    63KB

    MD5

    24cf4bccd6ae57aadc7712834d057cef

    SHA1

    e072ff6acdaa8f9ffaa48bc4e8f966a11844f749

    SHA256

    efeb78b0ddf901d93b68530cdef68167fe34be0641035b683ed26327091fe5fa

    SHA512

    1f209cd1acad7ee81ba346cab44346b0db5d2e05a000003b91c13b886693e0c17edb18b35faa7ab8d19091006b59d58c1c7502d5fa3a165408e53d790b2fc04b

  • C:\Windows\SysWOW64\com\lsass.exe

    Filesize

    92KB

    MD5

    9da293793ea046cdd4b110559d00e4b8

    SHA1

    4da412e440d6e69eb25c26a6783b2e841df8fdf4

    SHA256

    035672b615839a566d62023cdb7331bbcf411e64bb792fc6bb2a31e594ed29a3

    SHA512

    1d040b7abaf626fc88564033ae9158fea88a4a787f2e8723470f541a9c88ab972e1e9b6fbe19280072b7563ea228a70a223bc97b82585129b27eb1a192c48e63

  • C:\Windows\SysWOW64\com\netcfg.000

    Filesize

    16KB

    MD5

    d1f6b9273cbb2e23aeed11346d0072c5

    SHA1

    0d012a7c7b37082dcbd5e1688f72eeade705f825

    SHA256

    dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc

    SHA512

    4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

  • C:\Windows\SysWOW64\com\smss.exe

    Filesize

    40KB

    MD5

    ae1cd1d740c265b7f18f827f9e37afab

    SHA1

    6b976bc56e4021e7237b3cd4dbe412b6949fb0a0

    SHA256

    a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11

    SHA512

    c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

  • C:\Windows\SysWOW64\dnsq.dll

    Filesize

    31KB

    MD5

    f515bd3278588b6d58a316d059e2778f

    SHA1

    ae8d987f33930d305b9d60685549dcabefa8e932

    SHA256

    5c8d02e0398882cb177fe91068fb31cf28fa401c7c060692ca2fda86479f9310

    SHA512

    688227aa4355cc7c156327992ae855b2aae294f12bb786bc71fb30690af3f46ad32ae360f004b899a575d833636b0c546005c85313c325e1893e5e67c9d1121c

  • \Users\Admin\AppData\Local\Temp\42e2c1ca8af67130d9ffea86fa259c9a_jaffacakes118.exe.log

    Filesize

    247KB

    MD5

    42e2c1ca8af67130d9ffea86fa259c9a

    SHA1

    2bc78cb9dbaf07e646a980538811ae4a0fb9ac24

    SHA256

    6a1f3dd373df4ff19f842f0171ffa148ac4b2f88b5a87ff3bc42d012a215179f

    SHA512

    fc1f8198adf886ac148f030a680ae0043b6dcb5975ec24fdedec0db49b50d093cde6249f3058ab33d0a3c161840381679290262953b46b7616850c06d23341ed

  • memory/1300-94-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1864-53-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1864-56-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2084-91-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/2564-81-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2564-118-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-144-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-136-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-41-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-133-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-130-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-127-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-124-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-99-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-100-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-103-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-106-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-109-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-112-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-115-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2564-121-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2660-54-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2660-40-0x0000000002F20000-0x0000000002F4C000-memory.dmp

    Filesize

    176KB

  • memory/2660-32-0x0000000002F20000-0x0000000002F4C000-memory.dmp

    Filesize

    176KB

  • memory/3012-14-0x0000000002000000-0x000000000202C000-memory.dmp

    Filesize

    176KB

  • memory/3012-16-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/3012-13-0x0000000002000000-0x000000000202C000-memory.dmp

    Filesize

    176KB

  • memory/3012-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB