Overview

overview

8

Static

static

3

82762edbcc...18.exe

windows7-x64

8

82762edbcc...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 08:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe

  • Size

    555KB

  • MD5

    82762edbcceecc53d46d76988ae4d134

  • SHA1

    5c170ede2eadf2003bba8c8bd519876e044ee542

  • SHA256

    e10874ab420cb32cef248f4ba9a7074268597316d813d1176580a2677e344588

  • SHA512

    7c61d74a6e25fcb10bc6e51f9417f77a20583115cf6965bd7578b67fa8101db0887e24b3283ba4f74e3d58652b4eafc9e2136c8150696e493ec2735150fa0508

  • SSDEEP

    6144:sBaZA6AM5tm1BS4i4jARHKhyFxQZZxbU3GABUs4r110glX1Wt10glX19CSYesP91:scA6SbVi42BFx8dU3lMB1fe1fEeshYc

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 33 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      2⤵
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\Xplorer.exe
        "C:\Windows\Xplorer.exe" /Windows
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\SysWOW64\at.exe
          AT /delete /yes
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\at.exe
          AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\regsvr32.exe
          RegSvr32 /S C:\Windows\system32\avphost.dll
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2396
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2464
    • C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:316
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\at.exe
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\regsvr32.exe
        RegSvr32 /S C:\Windows\system32\avphost.dll
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3000
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1484
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2084
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1748

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Replication Through Removable Media

        1
        T1091

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        4
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Replication Through Removable Media

        1
        T1091

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
          Filesize

          1KB

          MD5

          5ca176f9d4c56815ff3567aef5911b55

          SHA1

          7b68fbd64933b2159e49fc50f91131806106dfd1

          SHA256

          7952e08a9a7cf8853988d8de10922ede7c79955f1cdb5375ecc382079ae0e25c

          SHA512

          6bd38b70c3bc56d4e676cc86a97b65b46a95543f3acc148abb4494ba1d6dcfae928480c963896e689f951a2e35f6bd224e1f5d25c3a304d83c5b555229d44780

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
          Filesize

          884B

          MD5

          3b9456132c9ccbf8d0670d5d9bf6b38d

          SHA1

          4f47f1b2e938f3fc5906418f2df69e589a78cb90

          SHA256

          d0677a3139c57325b3559841fe27933786923c1b66a05b19022c4ce9283f205d

          SHA512

          9325360ca0ee6f8de88ac217984be5c7bad38748e32f25d58ac70e9dfc088034ff862c272e464a32ec27b54340dbe15207f46fe194a46ba84b0012de3b7ab7e9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
          Filesize

          1KB

          MD5

          48dd6cae43ce26b992c35799fcd76898

          SHA1

          8e600544df0250da7d634599ce6ee50da11c0355

          SHA256

          7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

          SHA512

          c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

          Download Submit

        • C:\Windows\SysWOW64\KHATRA.exe
          Filesize

          555KB

          MD5

          82762edbcceecc53d46d76988ae4d134

          SHA1

          5c170ede2eadf2003bba8c8bd519876e044ee542

          SHA256

          e10874ab420cb32cef248f4ba9a7074268597316d813d1176580a2677e344588

          SHA512

          7c61d74a6e25fcb10bc6e51f9417f77a20583115cf6965bd7578b67fa8101db0887e24b3283ba4f74e3d58652b4eafc9e2136c8150696e493ec2735150fa0508

          Download Submit

        • C:\Windows\inf\Autoplay.inF
          Filesize

          234B

          MD5

          7ae2f1a7ce729d91acfef43516e5a84c

          SHA1

          ebbc99c7e5ac5679de2881813257576ec980fb44

          SHA256

          43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

          SHA512

          915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

          Download Submit

        • memory/316-228-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-211-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-234-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-237-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-197-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-227-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-220-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-215-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-59-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-231-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-240-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-202-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-208-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-243-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-246-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/316-205-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/1748-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-226-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-233-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-245-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-242-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-201-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-239-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-204-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-236-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-207-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-150-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2380-210-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-196-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-230-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-214-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-53-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-219-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2380-224-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2772-194-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2772-0-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2772-198-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2772-1-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2772-54-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2772-199-0x00000000040D0000-0x0000000004191000-memory.dmp

          Filesize

          772KB

          Download

        • memory/2772-57-0x00000000040D0000-0x0000000004195000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2772-6-0x0000000000390000-0x00000000003A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2772-26-0x00000000040D0000-0x0000000004195000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2848-60-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2848-32-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2848-33-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2848-195-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2848-222-0x0000000002540000-0x0000000002550000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2848-38-0x0000000002540000-0x0000000002550000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2848-51-0x0000000004070000-0x0000000004135000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2848-221-0x0000000004070000-0x0000000004135000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2848-223-0x0000000004070000-0x0000000004135000-memory.dmp

          Filesize

          788KB

          Download