Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 00:25

General

  • Target

    80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe

  • Size

    548KB

  • MD5

    80cdc7c264ea951dedde8d7cda97fe25

  • SHA1

    9961e22ff166d873068b85f829c0b17f8680c889

  • SHA256

    a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1

  • SHA512

    1efb232e4569fbb233dd9e60f2d38225cc6e091008a2375f6834e5f0785dddd71970c005b78540123ffb9735df1949933937748d554450e51cd9c302f0d44e53

  • SSDEEP

    12288:N6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgWgho+5:GvdezCByqTtlMQsFuqzRbzI7IVQ5

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 7 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs
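
The signatures above map to a small set of registry locations plus one file artifact. The PowerShell triage script below is an added example, not part of the sandbox report or of the analysed sample: run as administrator on a suspect host, it reads the Winlogon Shell/Userinit values, the Run and Policies\Explorer\Run keys, the Policies\System values that control regedit and UAC, the SafeBoot keys, and each drive root for autorun.inf, and prints anything that departs from the Windows defaults. The expected default values and the "suspicious path" pattern are assumptions chosen for this example, not data from the report.

```powershell
# Added triage script (not part of the sandbox report or of the sample): checks a host for the
# registry and file artifacts behind the signatures listed above. Run as administrator.
$findings = New-Object System.Collections.Generic.List[string]
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. WinLogon persistence: Shell and Userinit should hold the stock values (assumed defaults).
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $p = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    if ($p.Shell -and $p.Shell -ne 'explorer.exe') { $findings.Add("$wl Shell = $($p.Shell)") }
    if ($p.Userinit -and $p.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
        $findings.Add("$wl Userinit = $($p.Userinit)")
    }
}

# 2. Run keys and the policy Run keys (the policy keys are rarely populated on a clean host).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    foreach ($v in $p.PSObject.Properties) {
        if ($providerProps -contains $v.Name) { continue }   # provider metadata, not registry values
        # Any policy Run entry, or a command launching from Temp, AppData or a drive root, gets flagged.
        $suspect = ($k -like '*Policies*') -or ($v.Value -match '(?i)\\Temp\\|\\AppData\\|^"?[a-z]:\\[^\\]+\.exe')
        if ($suspect) { $findings.Add("$k $($v.Name) = $($v.Value)") }
    }
}

# 3. Policies\System: regedit lockout and UAC state (expected: DisableRegistryTools absent or 0, EnableLUA 1).
foreach ($hive in 'HKLM', 'HKCU') {
    $k = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    if ($p.DisableRegistryTools -ge 1) { $findings.Add("$k DisableRegistryTools = $($p.DisableRegistryTools) (regedit blocked)") }
    if ($hive -eq 'HKLM' -and $p.EnableLUA -eq 0) { $findings.Add("$k EnableLUA = 0 (UAC disabled)") }
    if ($hive -eq 'HKLM' -and $p.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add("$k ConsentPromptBehaviorAdmin = 0 (silent elevation)") }
}

# 4. Safe mode boot: SafeBoot\Minimal and \Network must exist; an .exe-named subkey is not stock.
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $k)) { $findings.Add("$k missing (safe mode boot impaired)"); continue }
    Get-ChildItem -Path $k -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -match '\.exe$' } |
        ForEach-Object { $findings.Add("$k\$($_.PSChildName) (executable registered for safe mode)") }
}

# 5. autorun.inf at the root of every file-system drive (the report shows one being dropped).
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $a = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $a) { $findings.Add("autorun.inf present at $a") }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Findings are review items, not verdicts: legitimate software does populate Run keys, and a populated Policies\Explorer\Run key is suspicious rather than conclusive. A missing SafeBoot key or EnableLUA = 0, on the other hand, is a strong signal on any host that is not deliberately configured that way.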

Processes

  • C:\Users\Admin\AppData\Local\Temp\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
      "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2632
      • C:\Users\Admin\AppData\Local\Temp\gssyhm.exe
        "C:\Users\Admin\AppData\Local\Temp\gssyhm.exe" "-c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1552
      • C:\Users\Admin\AppData\Local\Temp\gssyhm.exe
        "C:\Users\Admin\AppData\Local\Temp\gssyhm.exe" "-c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2744
    • C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
      "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1964

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          49835b131243614a275975638559081b

          SHA1

          870150d801905e6ee2b1a5a5f02dfec6128823d4

          SHA256

          99ed0a78a37808c4e2b6734884098ce3d23441ade2d1eb18fd63faca76f4678c

          SHA512

          a6189ef25b179f73efbaaf6d0b271d9c7eb29e5bd14783b0a27d2db5fbe058431da9c122a79eab5f2a749ee4206ea841b5d588969872868cc37d236a1a79885f

        • C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          400fe42db273bcc17fd36c5e93058d3c

          SHA1

          15ebaa9378c071f2ddb3057a991ed901dd1ea649

          SHA256

          3e0e4e3078a3317a098d3e981194c9e5a9cbcc3553bf07c322ef7112129fa355

          SHA512

          69e3779d9fceb1e723aa09e5be38db49070de8a1242e2fc4cc40c92cd45c3148ce4ee5f301da6bd1bac74e903bd3bd6a060545490cb18daeb03c15a687fc5904

        • C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          b105162b5c37cd04f382fb40e316efe1

          SHA1

          197d3d95597e6276ee575027c8492211fb8c5680

          SHA256

          f9779815b06d937a1cb0c4bcb040b0d7b56ccb65942c89ab39f45a764399e9ff

          SHA512

          775cd780ed7a4fe1104e89563bfbaf7b9e02e94cb7f5a9dc11de938e88b4c26aa912f99f24fcb2d47472234c759335d3d5961450cb1f2b37fe2d625af618490a

        • C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          c7141bf3490cc3a6fedb8a61581b80ac

          SHA1

          71e3cb6cb00e388b0556b11944dd90e56fb9494b

          SHA256

          16851eb70e0d601cf2ae42aba18b39e058f02a965b3128193f2e8e7246446ffd

          SHA512

          b57647d20d10fe4cf15a262ba016a3b7d1d5a3e2c8a631a22b938810ab9e3012e0432984fc4ec930153943499a78d8cf118d4cef99f917810090bf64e2193e83

        • C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          fee4953d56b7dd84558e8f9c0799be13

          SHA1

          332431b03b28c79b653eb7f4effcfbc659560b2e

          SHA256

          8183288c5bf3e1bbfc2d4d861c06121607ee8a9b016bc59a3d4e34e03a7c1701

          SHA512

          4e4843fd00880ba99ba189ae72ece5f0d841502b15f0d4410635a6ce0bf3b80db0f55b855b9215d4ae6b03883700e15f0eb638bfb23fe88a85ae04fb5687fc60

        • C:\Users\Admin\AppData\Local\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla

          Filesize

          3KB

          MD5

          7ccef092b835bfca8a84526098d4d2f5

          SHA1

          fa940c0ca5a9082a1007a578a0eec17cbf51d8c9

          SHA256

          b11ff6c22c1902c8277bce90e6abcca24487fd6a25b6f12f1a88db6b5650ef67

          SHA512

          9464ec22c6c762816175371c8be58adace9ae8d4899e7df03e1c120dcee5d6308095648184e3d121372ec046915ffab2d208a927d3414ac599b2be1e33ce5db9

        • C:\Users\Admin\AppData\Local\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          55aae867e6a6e7e29933077c41111307

          SHA1

          a1f0fd054c2b87a9d53e3a0f303805919a21cb77

          SHA256

          081974e1c0e9f73e9d50b2658889a1c82e0656d9475cee67fe9108f094093821

          SHA512

          b80e3eb75f7de40580230a3c31fafb9cb694f9e0f37b8be47c11153aa2ac37e336be3d2376b7d28e0432b940d40b2abb034258ea8e71c447a7933f961a1ea2ee

        • C:\Users\Admin\AppData\Local\vgfkswgnsqzggcwlxihsrweisze.lss

          Filesize

          272B

          MD5

          0b268aae6a5b52e3f98bbe949ae280c3

          SHA1

          42ce8e02252bc97f6eb003d284120b786af4c685

          SHA256

          b2797a3cbc304aededba0e0531ba3b1afda014c2903f3c8c81c52502f5b14c9d

          SHA512

          95a1ff3ebc179347464665beb3d993989a908a9aebc7a2eeb3a358c591e075649a50edd7bd13550855fe15eea61addf3b73e96efe8d0452b5e874ba367f2dd8a

        • C:\Windows\SysWOW64\igskfwtnfqmgtcjlki.exe

          Filesize

          548KB

          MD5

          80cdc7c264ea951dedde8d7cda97fe25

          SHA1

          9961e22ff166d873068b85f829c0b17f8680c889

          SHA256

          a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1

          SHA512

          1efb232e4569fbb233dd9e60f2d38225cc6e091008a2375f6834e5f0785dddd71970c005b78540123ffb9735df1949933937748d554450e51cd9c302f0d44e53

        • \Users\Admin\AppData\Local\Temp\gssyhm.exe

          Filesize

          696KB

          MD5

          4c43b695391adccdf409c2a1fffe0bce

          SHA1

          e145fe5b0ff77f2e5e18424bb91de2fa2e79dddf

          SHA256

          7dbf0715bc46c45e08cd0d171924c45521d27f9f658102aae94484ffd884b6f5

          SHA512

          d526d0fbb495a0ef248f8cd6fecdddcf692527be0e805c331299cc673efa57f889efd879d67ac87780ac551666422c32b538a489f3d9a0021da5ba5c337e5892

        • \Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe

          Filesize

          320KB

          MD5

          89ec3461ef4a893428c32f89de78b396

          SHA1

          8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

          SHA256

          1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

          SHA512

          7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8
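
Two things in the Downloads list matter for turning it into indicators. The copy written to C:\Windows\SysWOW64\igskfwtnfqmgtcjlki.exe carries the same SHA256 as the submitted sample, so it is a self-copy and the sample's own hash doubles as the indicator for it. The .lss file, by contrast, was written seven times under two paths with a different hash every time, so only its name and location are usable; its hash is not. The PowerShell sweep below is an added example, not part of the report: it hashes small files under the directories the process tree and Downloads list point at and reports matches against the report's stable SHA256 values, matching the .lss by name. The root list and the 2 MB size cap are assumptions for this example.

```powershell
# Added example (not part of the sandbox report): sweep the drop locations for files matching
# the report's hashes. Hash values are copied from the Downloads section above.
$iocHashes = @{
    'a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1' = 'submitted sample / SysWOW64 self-copy (igskfwtnfqmgtcjlki.exe)'
    '7dbf0715bc46c45e08cd0d171924c45521d27f9f658102aae94484ffd884b6f5' = 'gssyhm.exe'
    '1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b' = 'tgmoojbsdqw.exe'
    'b11ff6c22c1902c8277bce90e6abcca24487fd6a25b6f12f1a88db6b5650ef67' = 'soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla'
}
# The .lss file had a different hash on every write in the report, so it is matched by name only.
$iocNames = @('vgfkswgnsqzggcwlxihsrweisze.lss')

# Assumed sweep roots: the directories the process tree and Downloads list point at.
$roots = @(
    $env:LOCALAPPDATA,
    "$env:LOCALAPPDATA\Temp",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\System32",
    ${env:ProgramFiles(x86)},
    $env:ProgramFiles
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$maxBytes = 2MB   # assumed cap: every file in the report is under 1 MB, so skip large files for speed
$hits = New-Object System.Collections.Generic.List[object]

foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($iocNames -contains $_.Name) {
            $hits.Add([pscustomobject]@{ Match = 'name'; Path = $_.FullName; Note = $_.Name })
        }
        if ($_.Length -le $maxBytes) {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $iocHashes.ContainsKey($h.ToLower())) {
                $hits.Add([pscustomobject]@{ Match = 'sha256'; Path = $_.FullName; Note = $iocHashes[$h.ToLower()] })
            }
        }
    }
}

if ($hits.Count -eq 0) { 'No matches.' } else { $hits | Format-Table -AutoSize }
```

The dropped executable names in the report look randomly generated, so a name match on them would be fragile; that is why the sweep hashes everything under the roots rather than looking for those file names. A hash hit on the sample's own SHA256 outside the original download location is the self-copy behaviour the report shows in SysWOW64.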