Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 00:25

General

  • Target

    80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe

  • Size

    548KB

  • MD5

    80cdc7c264ea951dedde8d7cda97fe25

  • SHA1

    9961e22ff166d873068b85f829c0b17f8680c889

  • SHA256

    a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1

  • SHA512

    1efb232e4569fbb233dd9e60f2d38225cc6e091008a2375f6834e5f0785dddd71970c005b78540123ffb9735df1949933937748d554450e51cd9c302f0d44e53

  • SSDEEP

    12288:N6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgWgho+5:GvdezCByqTtlMQsFuqzRbzI7IVQ5

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 7 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 38 IoCs
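The signatures above name the registry and filesystem locations this sample touches but, as is usual for a sandbox report, give only IoC counts, not the values written. The following host triage script is an added example (not part of the report and not the sandbox vendor's code): it enumerates the generic locations behind each signature on a live Windows host and reports whatever is not the Windows default. The default values it compares against (explorer.exe, userinit.exe, EnableLUA=1, ConsentPromptBehaviorAdmin!=0, AlternateShell=cmd.exe) are standard Windows settings; everything it reports still needs a human to decide whether it is malicious, so treat it as a review aid rather than an alert rule. Run it from an elevated prompt.

```powershell
# Added example, not part of the sandbox report. Checks the locations behind
# the signatures above on a live Windows host and lists non-default values.
# Run from an elevated PowerShell prompt.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Value = "$Value" })
}

# Resolve a service ImagePath (quotes, trailing arguments, \??\ and
# \SystemRoot prefixes, %SystemRoot%-style variables) to a plain file path.
function Resolve-ImagePath([string]$Raw) {
    $p = if ($Raw -match '^"?(.*?\.(exe|sys))') { $Matches[1] } else { $Raw }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:|^%') { $p = Join-Path $env:SystemRoot $p }  # bare "system32\drivers\x.sys"
    [Environment]::ExpandEnvironmentVariables($p)
}

# 1. Winlogon persistence: Shell and Userinit run at every logon. Defaults are
#    explorer.exe and <SystemRoot>\system32\userinit.exe, (trailing comma).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$w  = Get-ItemProperty $wl
if ($w.Shell -ne 'explorer.exe') { Add-Finding "$wl\Shell" $w.Shell }
$userinitDefault = '^' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$'
if ($w.Userinit -notmatch $userinitDefault) { Add-Finding "$wl\Userinit" $w.Userinit }
# A per-user Shell value overrides the machine value and is rarely legitimate.
$wlu = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $wlu) { $s = (Get-ItemProperty $wlu).Shell; if ($s) { Add-Finding "$wlu\Shell" $s } }

# 2. Run keys and policy Run keys. Every entry is listed for review; the
#    Policies\Explorer\Run variant is the one the "Adds policy Run key" signature refers to.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty $k
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        Add-Finding "$k\$name" $props.$name
    }
}

# 3. Policy tampering: UAC weakened or disabled, Registry Editor blocked.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$usrPol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$sp = Get-ItemProperty $sysPol
if ($sp.EnableLUA -ne 1)                 { Add-Finding "$sysPol\EnableLUA" $sp.EnableLUA }
if ($sp.ConsentPromptBehaviorAdmin -eq 0) { Add-Finding "$sysPol\ConsentPromptBehaviorAdmin" 0 }   # elevate silently
if ($sp.PromptOnSecureDesktop -eq 0)      { Add-Finding "$sysPol\PromptOnSecureDesktop" 0 }
foreach ($k in @($sysPol, $usrPol)) {
    if (Test-Path $k) {
        $v = (Get-ItemProperty $k).DisableRegistryTools
        if ($v) { Add-Finding "$k\DisableRegistryTools" $v }
    }
}

# 4. Safe Mode: anything under SafeBoot\Minimal or \Network also starts in Safe
#    Mode. Report entries whose service binary is missing or not validly signed.
#    Do not allowlist by directory: the report shows the sample copying itself
#    into C:\Windows\SysWOW64. Some in-box catalog-signed drivers may show up
#    here; compare against a clean reference host.
$sb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$alt = (Get-ItemProperty $sb).AlternateShell
if ($alt -ne 'cmd.exe') { Add-Finding "$sb\AlternateShell" $alt }
foreach ($sub in 'Minimal', 'Network') {
    foreach ($entry in Get-ChildItem "$sb\$sub") {
        $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$($entry.PSChildName)"
        if (-not (Test-Path $svc)) { continue }   # class-GUID entries have no service key
        $img = (Get-ItemProperty $svc).ImagePath
        if (-not $img) { continue }
        $file   = Resolve-ImagePath $img
        $status = if (Test-Path $file) { (Get-AuthenticodeSignature $file).Status } else { 'FileMissing' }
        if ($status -ne 'Valid') { Add-Finding "$sb\$sub\$($entry.PSChildName)" "$file [$status]" }
    }
}

# 5. autorun.inf at the root of any volume. Current Windows no longer runs it
#    from removable media, but the file still names the dropped payload.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $f = Join-Path $d.Root 'autorun.inf'
    if (Test-Path $f) { Add-Finding $f ((Get-Content $f -Raw) -replace '\s+', ' ') }
}

$findings | Format-Table -AutoSize -Wrap
```

A host that has never run this sample should produce an empty table apart from its legitimate Run entries and, on some builds, a few catalog-signed Safe Mode drivers; anything under Policies\Explorer\Run, a non-default Shell or Userinit, or EnableLUA=0 is worth pulling the file for.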

Processes

  • C:\Users\Admin\AppData\Local\Temp\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe
      "C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe" "c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4056
      • C:\Users\Admin\AppData\Local\Temp\jtszeo.exe
        "C:\Users\Admin\AppData\Local\Temp\jtszeo.exe" "-c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1708
      • C:\Users\Admin\AppData\Local\Temp\jtszeo.exe
        "C:\Users\Admin\AppData\Local\Temp\jtszeo.exe" "-c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:4476
    • C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe
      "C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe" "c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2332
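The process tree above has a shape that is easy to detect independently of the file names: executables in the user's Temp directory spawning further executables in Temp, each of which receives the original sample's path as its only argument (quoted, with a trailing "*" for lurwhzlcveb.exe and a "-" prefix for jtszeo.exe). The following detection is an added example, not part of the report: it encodes that pattern for Sysmon process-creation events (Event ID 1). The event objects it runs over are constructed from the tree above; the parent of the submitted sample is not in the report, and explorer.exe is assumed. The commented Get-WinEvent line shows how to run the same logic against a live host.

```powershell
# Added example, not part of the sandbox report: flags the dropped-in-Temp
# process chain shown above. Sample events are constructed from the tree.

$tempDir    = '(?i)\\AppData\\Local\\Temp\\'
# a path to an .exe inside Temp appearing as an argument (with or without
# surrounding quotes, "-" prefix or trailing "*")
$tempExeArg = '(?i)[a-z]:\\[^"]*\\appdata\\local\\temp\\[^"\\]*\.exe'

function Get-DropChainReason($e) {
    $reasons = @()
    $inTemp = $e.Image -match $tempDir
    if ($inTemp -and ($e.ParentImage -match $tempDir)) {
        $reasons += 'Temp exe spawned by Temp exe'
    }
    # drop argv[0] so the process's own path does not satisfy the argument check
    $argv = $e.CommandLine -replace [regex]::Escape($e.Image), ''
    if ($inTemp -and ($argv -match $tempExeArg)) {
        $reasons += 'passes another Temp\*.exe path as an argument'
    }
    $reasons -join '; '
}

# Convert a Sysmon Event ID 1 record into the fields the check needs.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            ProcessId   = [int]$d.ProcessId
            Image       = $d.Image
            CommandLine = $d.CommandLine
            ParentImage = $d.ParentImage
        }
    }
}

function Get-SampleEvents {
    # Constructed from the process tree in the report (not real Sysmon output).
    # The parent of the submitted sample is not in the report; explorer.exe is assumed.
    $t = 'C:\Users\Admin\AppData\Local\Temp'
    $s = "$t\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe"
    @(
        [pscustomobject]@{ ProcessId = 4820; Image = $s;                   ParentImage = 'C:\Windows\explorer.exe'; CommandLine = "`"$s`"" }
        [pscustomobject]@{ ProcessId = 4056; Image = "$t\lurwhzlcveb.exe"; ParentImage = $s;                        CommandLine = "`"$t\lurwhzlcveb.exe`" `"$($s.ToLower())*`"" }
        [pscustomobject]@{ ProcessId = 1708; Image = "$t\jtszeo.exe";      ParentImage = "$t\lurwhzlcveb.exe";      CommandLine = "`"$t\jtszeo.exe`" `"-$($s.ToLower())`"" }
        [pscustomobject]@{ ProcessId = 4476; Image = "$t\jtszeo.exe";      ParentImage = "$t\lurwhzlcveb.exe";      CommandLine = "`"$t\jtszeo.exe`" `"-$($s.ToLower())`"" }
        [pscustomobject]@{ ProcessId = 2332; Image = "$t\lurwhzlcveb.exe"; ParentImage = $s;                        CommandLine = "`"$t\lurwhzlcveb.exe`" `"$($s.ToLower())`"" }
    )
}

$events = Get-SampleEvents
# Live host instead (Sysmon installed with process-creation logging enabled):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ConvertFrom-SysmonEvent

$events | ForEach-Object {
    $why = Get-DropChainReason $_
    if ($why) {
        [pscustomobject]@{ ProcessId = $_.ProcessId; Image = Split-Path $_.Image -Leaf; Reason = $why }
    }
} | Format-Table -AutoSize -Wrap
```

On the constructed events, PIDs 4056, 1708, 4476 and 2332 are reported with both reasons; PID 4820 is not, because its parent is outside Temp and its command line carries no argument. Installers routinely extract helpers to Temp and run them, so the parent check alone is noisy; pairing it with the argument check (a second Temp executable path handed over on the command line) is what keeps this specific to the self-propagating pattern seen here.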

Network

        Downloads

        • C:\Program Files (x86)\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          c34c9f66ab04b38935fe9fce259c6bc9

          SHA1

          2226524afaa327d58b307e39aaf6a7a0c8bd033d

          SHA256

          997ba8188035e37b3892d0bb05f8630929241f70b8e4a846ca1836e574bcbfe9

          SHA512

          338a23a4ac35295b567d156ffe533ceb4cc234b6471f088b29948d07b1368eb2529f1811378e67fa885fcf5f4d76ad2fdcedda22b619cdb65ab060a90388be5d

        • C:\Program Files (x86)\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          559f3411d6948d8e0d53e455c7c486b5

          SHA1

          a843e5c322ded9161602af3b5a9ceb1e38790879

          SHA256

          c6e9175af724ab68991198be1b2fdb0dfcb3e3afa0909f9da11c3ec6abbf6385

          SHA512

          fee19aee29f5cb651494d966349a3448685ebeb92366dd83bbb02c6e40a4168fe569e8d05c4d7d868f594a43ca854590bbfb4c0f990a067078654eaacb6c2051

        • C:\Program Files (x86)\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          9432555061f5d97cc4c45427950b56f1

          SHA1

          137ad9bdf40c295f6eecec25ed3127dd96aab382

          SHA256

          a94d969c7978aaf67a17e30a9cf9b03295d8770df9f85f11deceabcb84979022

          SHA512

          98a5436f4ef2ee5339f3103d64f09bd532b4f5612f850e2393286b81bd554c5878d78dd2982204050d366ebc013f518254273abf5b3cc99751783380dde26ec5

        • C:\Program Files (x86)\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          2c5849f4cfafaeb74d9c2e01f23b98fc

          SHA1

          3dcb85322e0aae26dcc38bb39f00055e6278df74

          SHA256

          34b0c558204a90d66b7fe1a095a36bc770e20271537fbb6ae3dc861d01ccb7ca

          SHA512

          b66d4ae4fe3efd8b376c25b7b7a66df4ae2673ecc444419be38198e952fea030dc19c6c35c36da8c94ca9c324503c660f0294a2d4e6faef5268b5248da3bc4a8

        • C:\Users\Admin\AppData\Local\Temp\jtszeo.exe

          Filesize

          704KB

          MD5

          49a9c0154cc052271825d57cc922a1dc

          SHA1

          6ff64ab519472480cf24e61a0829be7be27c382a

          SHA256

          7d084645a008323bc93814434c5225b438caec09e49a17d4efc73711885e2bf5

          SHA512

          909fd7bdadf4b45776d4208f402a3c3971ca7ae69fef3cf569ce362d2328862235dc86ae5a61fecc4acb12bf24a503572e8f6e7b392fca2987a647fb1762c0dc

        • C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe

          Filesize

          320KB

          MD5

          89ec3461ef4a893428c32f89de78b396

          SHA1

          8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

          SHA256

          1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

          SHA512

          7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

        • C:\Users\Admin\AppData\Local\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          49e4ec9898fc7e6919e0cd197a895e2b

          SHA1

          59d11dbf1260efcf3bbb3a6410f4474033888b59

          SHA256

          0e242e74664def0e8b61c303f9c67086873c851e31d9eef9492f300d13f84f3c

          SHA512

          5fd18be016b410eb175501423da233c4384bac94edb68647dbe9318fcaf3e3308e0b8718e98ebadb9020db078f3cf446573754defabdd05c1bbddeb8d8778d00

        • C:\Users\Admin\AppData\Local\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          64c88e6ed3c3eed43e5c7fb3488b82bc

          SHA1

          a4cb8aa72641a4a47a8e016615bc428df9335629

          SHA256

          2ed767c82dec28166166224327da373f168cddb9a0f87e153d48613640f15836

          SHA512

          5da4af07520c2600ef192b992a22e1f2c709a61c2b01553a6ec1c3c83ebbfcf3c3fbf0feb5a734e047577d25d80653f1068ada023ac36d96385b7bc7927c9ff0

        • C:\Users\Admin\AppData\Local\iplpryaafkhixuxhlukrnrtac.hmj

          Filesize

          272B

          MD5

          fab835a6a4d9ca673f823057a995c4ca

          SHA1

          dc39ebffec735685bf1a2b6adf670493abbfb57c

          SHA256

          31cdfe72a78b6c915f12f19d4aff212817dfc1db21b7289db89233b05e2e42b3

          SHA512

          750a68e21c5d44dec81121d496309324d7b60a9fef115792af10e3e4dbfd7795503518cf20c6993c2d413ffc986f3b885b0a3566cf530a9bb14d5d7016d7841b

        • C:\Users\Admin\AppData\Local\nfmbogteukseemavkefxetgylwmckwwesncw.pwl

          Filesize

          3KB

          MD5

          64d1d8ea2e7fd7ff09fafe138ed7c821

          SHA1

          88412af7ba6d5818e27d53db3bc5fe385fa2c47d

          SHA256

          04ab8d7737d6a19b2230c66e233751df1ba0ca8c6905b19f09ce8bf45d8bfab8

          SHA512

          78bc906b00da71ab1b4b81db11a21fa6dc87f8f82b24529714eb719dd1a118f0b412709f87091a75dd360a6dc67390be5ab00db499760bb484fab3e48fb7aa72

        • C:\Windows\SysWOW64\lhslcypeyseuykcbus.exe

          Filesize

          548KB

          MD5

          80cdc7c264ea951dedde8d7cda97fe25

          SHA1

          9961e22ff166d873068b85f829c0b17f8680c889

          SHA256

          a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1

          SHA512

          1efb232e4569fbb233dd9e60f2d38225cc6e091008a2375f6834e5f0785dddd71970c005b78540123ffb9735df1949933937748d554450e51cd9c302f0d44e53
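Two things in the file list above matter for turning it into host IoCs. First, C:\Windows\SysWOW64\lhslcypeyseuykcbus.exe has exactly the size and hashes of the submitted sample, so the sample copies itself into the system directory under a generated-looking name; the name is not a reliable indicator, the content hash is. Second, iplpryaafkhixuxhlukrnrtac.hmj appears four times at the same Program Files (x86) path and three times under AppData\Local, each time 272 bytes but with different hashes, so the file is rewritten while the sample runs and hash matching on it is useless; path and size are all that is stable. The sweep below is an added example, not part of the report: it matches the stable files on SHA256, the .hmj files on path and size, and hashes every executable of roughly the sample's size in SysWOW64 and System32 to catch the self-copy regardless of name. It assumes "Admin" is only the sandbox user name and substitutes every profile under C:\Users, and it assumes the report's "548KB" is rounded, hence the 1 KB size window.

```powershell
# Added example, not part of the sandbox report: sweeps a host for the files
# listed above. Hashes are copied from the report; paths under C:\Users\Admin
# are expanded to every local profile (assumption: Admin is the sandbox user).

$userRoot = 'C:\Users\Admin'
$hashIocs = @{
    'C:\Users\Admin\AppData\Local\Temp\jtszeo.exe'      = '7d084645a008323bc93814434c5225b438caec09e49a17d4efc73711885e2bf5'
    'C:\Users\Admin\AppData\Local\Temp\lurwhzlcveb.exe' = '1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b'
    'C:\Windows\SysWOW64\lhslcypeyseuykcbus.exe'        = 'a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1'
    'C:\Users\Admin\AppData\Local\nfmbogteukseemavkefxetgylwmckwwesncw.pwl' = '04ab8d7737d6a19b2230c66e233751df1ba0ca8c6905b19f09ce8bf45d8bfab8'
}
# .hmj: same path, different hash on every write, constant 272 bytes -> match on path and size only
$sizeIocs = @{
    'C:\Program Files (x86)\iplpryaafkhixuxhlukrnrtac.hmj'       = 272
    'C:\Users\Admin\AppData\Local\iplpryaafkhixuxhlukrnrtac.hmj' = 272
}
$sampleSha256 = 'a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1'

# Expand a sandbox path into one candidate per local user profile.
function Expand-UserPath([string]$Path) {
    if ($Path.StartsWith($userRoot, 'OrdinalIgnoreCase')) {
        foreach ($u in Get-ChildItem 'C:\Users' -Directory) { $u.FullName + $Path.Substring($userRoot.Length) }
    } else { $Path }
}

$hits = @()

foreach ($ioc in $hashIocs.GetEnumerator()) {
    foreach ($p in Expand-UserPath $ioc.Key) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $h   = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
        $how = if ($h -eq $ioc.Value) { 'SHA256 match' } else { 'path match, hash differs (different build?)' }
        $hits += [pscustomobject]@{ Path = $p; Evidence = $how }
    }
}

foreach ($ioc in $sizeIocs.GetEnumerator()) {
    foreach ($p in Expand-UserPath $ioc.Key) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $len = (Get-Item -LiteralPath $p).Length
        $hits += [pscustomobject]@{ Path = $p; Evidence = "path match, $len bytes (report: $($ioc.Value))" }
    }
}

# The dropped names look generated, so do not rely on them: hash every EXE of
# about the sample's size in the two system directories and match on content.
# 548KB in the report is rounded, hence the 1KB window (assumption).
foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
    $candidates = Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
                  Where-Object { $_.Length -ge 547KB -and $_.Length -le 549KB }
    foreach ($f in $candidates) {
        if ((Get-FileHash -Algorithm SHA256 -LiteralPath $f.FullName).Hash -eq $sampleSha256) {
            $hits += [pscustomobject]@{ Path = $f.FullName; Evidence = 'content identical to submitted sample' }
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

A "path match, hash differs" line on one of the EXEs is still worth a look: the file names are fixed across the two lurwhzlcveb.exe and two jtszeo.exe launches in this run, so a different hash at the same path usually means another build of the same dropper rather than a false positive.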