Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 02:12

General

  • Target

    812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe

  • Size

    237KB

  • MD5

    812723d3e69a8a9543dd2ebeff8a7fa5

  • SHA1

    52c49fb43ebb5ef733ffe012c392ba8acceee202

  • SHA256

    1ab4bda709b6dec9b2d4df647e0d4372b1aa9a712b65a32fcc33642005d57e08

  • SHA512

    9205f751ecbccb1d62a0236c7ddb4132e797d75a375f9191fd626cb86fde6625bb6bbd0bc00ecc3429ec6e7861b577761745514f4a81a0473066c7a7d7fdbae6

  • SSDEEP

    6144:2bNfTsrH63mizzzT7nn7EqNuaV60k97lUf+Ld:EAe3mizzzTz7Eioh97lFd

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 28 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe
      "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2236
    • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe
      "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe
      "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mbz..bat" > nul 2> nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3036
    • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe
      "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:860
    • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe
      "C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Local\Temp\geurge.exe
        C:\Users\Admin\AppData\Local\Temp\geurge.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3060
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1468
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2568
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1956
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
        3⤵
        • System Location Discovery: System Language Discovery
        PID:692
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2524
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:324
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\tujserrew.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2464

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Mbz..bat

          Filesize

          180B

          MD5

          a943a8061383fa691ce9bca68ee0512e

          SHA1

          f89b9e57a0a2ca47e3a9fd7ab6071a25ef117741

          SHA256

          76d679cd188e89bbacacd4b31bb0daae8adc7094c9b43ca04873906d8f7447dc

          SHA512

          6bbb204986e535b2db4b1ff8f60b18282a22a8171899394dbd0a0bb74e40a687864029a5da27b11a28325ab9968c5dd76ada69a794590d697599f0d06a114917

        • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe

          Filesize

          22KB

          MD5

          88afc5e074effdce294e0da16c805d0f

          SHA1

          bf5f183d44ccf8fab7462022a464981c59119d96

          SHA256

          a41df47a6ed0cc26973c4bc1452f7d2e21946157552a5515052dc8642b48743e

          SHA512

          c53e10bd860b24bc28d9b6f0b9ddd2840b62f677bb4a2e181315b53553eb8c52f13bd6c065a43b6c577f03c8952288f76f61ba799756a731ce54d0099e46da2a

        • C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe

          Filesize

          72KB

          MD5

          2ca85ee33f90ba3705885737aa656a40

          SHA1

          e9f4331ef93d63e1c89707d6acdf699fc095a9b5

          SHA256

          b34881d5e2d3933dc467ed65bf05dc43fc17dac7d3c30d0cc89b98fbe71dcafa

          SHA512

          9ce38d53fa1311c81943d03026b3c1dece41bec20ac109dcb46c9a5766ffb93396af57f6d440d095e205ecc025655b648ea1e73f600126bafbf6fc768ea80787

        • C:\tujserrew.bat

          Filesize

          130B

          MD5

          d08cb97e3b90ca2dac463f834008b9b9

          SHA1

          3db0d4da98d144669284f50d9e8ea87a988ac93a

          SHA256

          033632928b0c1a737728bb51db824f5fc92c84cbebae99553e8a1f40bd05b8f9

          SHA512

          d843a43695c808bf3ee6088e5213f5b97f225412c36a41778a41a950c7459e4e9c4332b98bc9007544863e4d39b5f11bf15308ceeaceff7320847d301febe97d

        • \Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe

          Filesize

          58KB

          MD5

          4799c30743d59d162a7a4d0f16bce415

          SHA1

          21b11dfedac88b1009b6459b92076b2278954183

          SHA256

          acc6f5666df365ac19248f7854ae8d3753e126ab5125975e232e9d7b924523f1

          SHA512

          bb67e53a36cbb7f73d71c4cb1a75996481ca0646cf73565ef3f34973bc42384aff47d625f171385a3d677e336758e3b5a35ef7f5c2dd21b471f55bf5ff0d8ebd

        • \Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe

          Filesize

          3KB

          MD5

          46e07fd3a40760fda18cf6b4fc691742

          SHA1

          53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

          SHA256

          bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

          SHA512

          ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

        • \Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe

          Filesize

          81KB

          MD5

          28ee9992c5cc76a2a2385eaa7423411c

          SHA1

          96b5485154f44094627770d5fcf7a4a80aaa111e

          SHA256

          9fb5e5110b4fa98c20c90c6f597a09baaf7c301e417a4d2ac7dcdcf6c19cfea1

          SHA512

          16ff019cb3ca0cae00a4336d0dd77d95cdcd3bce8b064f3072a9d3622bf190290eb33ca8500cb26f104da80df9704f98584c234dd243804547e0c45605c6276e

        • memory/1824-72-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2204-65-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2204-32-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2744-66-0x0000000000850000-0x00000000008AA000-memory.dmp

          Filesize

          360KB

        • memory/2744-64-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

        • memory/2744-71-0x0000000002F30000-0x00000000039EA000-memory.dmp

          Filesize

          10.7MB

        • memory/2744-77-0x00000000059D0000-0x0000000005A2A000-memory.dmp

          Filesize

          360KB

        • memory/2744-100-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

        • memory/2776-108-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

        • memory/3060-88-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

        • memory/3060-104-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

        • memory/3060-116-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB