Analysis

  • max time kernel
    53s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 12:25

Errors

Reason
Machine shutdown

General

  • Target

    83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    83035d6f6c95bbee91cebfda3ce8e717

  • SHA1

    c276fb8f9c498adcbfcae06e87cf1ec63f9795cc

  • SHA256

    039f49f63a4173ed8451b471eef7fa40a3354fc6353213d59a51936dabfc6760

  • SHA512

    45ed62ce82c24914441b1bd69bff75b5b627895abf3a9bd29edcaca68f3a45ca80e87d78db293d6b681c5e4e40dda2dd5c0ce4234f5b4872a3d7f0b34978dbaf

  • SSDEEP

    49152:I7IU6ivGtlqaVwASOrfmrTEbTRjkek2FjufBaCOh5PaOcegDxpVodPgN2gh4E+gx:/+Y39mHqWN2K4E+gPdo

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 4 TTPs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 7 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is the Windows command-line utility for creating, starting, stopping and deleting services (including kernel-mode driver services).

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe
      "C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\lc4tilfa51.bat" "
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f
        3⤵
        PID:2764
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f
        3⤵
        PID:3012
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f
        3⤵
        PID:2888
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f
        3⤵
        PID:2884
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f
        3⤵
        PID:2824
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:1056
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
        3⤵
        PID:3008
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
        3⤵
        PID:2916
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
        3⤵
        PID:2772
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
        3⤵
        PID:2240
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
        3⤵
        PID:2640
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
        3⤵
        PID:2816
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
        3⤵
        PID:2652
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
        3⤵
        PID:2784
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
        3⤵
        PID:2780
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CLASSES_ROOT\riotclient" /f
        3⤵
        PID:2724
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
        3⤵
        PID:2964
    • C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe
      "C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c Color 97
        3⤵
        PID:2856
    • C:\Windows\system32\sc.exe
      sc stop appld
      2⤵
      • Launches sc.exe
      PID:1228
    • C:\Windows\system32\sc.exe
      sc delete appld
      2⤵
      • Launches sc.exe
      PID:2044
    • C:\Windows\system32\sc.exe
      sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot
      2⤵
      • Launches sc.exe
      PID:1616
    • C:\Windows\System32\shutdown.exe
      C:\Windows\System32\shutdown /r /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:844
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2412
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:948
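The process tree records three behaviours worth detecting together: a batch file deleting the registry keys of the vgk and vgc services (plus their Security subkeys) and a series of UserAssist execution-history keys, a stop/delete/create cycle that re-registers appld as a boot-start kernel driver from C:\windows\system32\drivers\appld.sys, and an immediate reboot, which is what loads a boot-start driver and also explains the "Machine shutdown" error that ended the analysis. The following Python is an added example, not part of the sandbox report and not the sandbox's own signature logic. It runs regex rules over constructed process-creation records transcribed from the tree (parent PIDs are taken from the N⤵ depth markers, not the rendered indentation) and correlates the service tampering per parent process. Rule names and the record shape are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: (pid, ppid, command line) transcribed from the process tree above.
# Parent PIDs follow the N⤵ depth markers, not the rendered indentation.
EVENTS = [
    (2844, 2420, 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\lc4tilfa51.bat" "'),
    (2764, 2844, 'reg delete "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\vgk\\Security" /f'),
    (3012, 2844, 'reg delete "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\vgk" /f'),
    (2888, 2844, 'reg delete "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\vgc\\Security" /f'),
    (2884, 2844, 'reg delete "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\vgc" /f'),
    (3008, 2844, 'reg delete "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\\Count" /f'),
    (2964, 2844, 'reg delete "HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig" /f'),
    (2856, 2436, 'C:\\Windows\\system32\\cmd.exe /c Color 97'),
    (1228, 2420, 'sc stop appld'),
    (2044, 2420, 'sc delete appld'),
    (1616, 2420, 'sc create appld binpath= C:\\windows\\system32\\drivers\\appld.sys type= kernel start= boot'),
    (844, 2420, 'C:\\Windows\\System32\\shutdown /r /t 0'),
]


@dataclass(frozen=True)
class Finding:
    rule: str   # hypothetical rule name chosen for this example
    pid: int
    ppid: int
    detail: str


# Regexes are applied to the raw command line; the optional leading group absorbs
# a full image path such as C:\Windows\system32\reg.exe.
SC_VERB = re.compile(r'^\s*(?:"?[^"\s]*\\)?sc(?:\.exe)?"?\s+(?P<verb>stop|delete|create)\s+(?P<svc>\S+)', re.I)
SC_KERNEL = re.compile(r'\btype=\s*kernel\b', re.I)
SC_BINPATH = re.compile(r'\bbinpath=\s*"?(?P<path>[^"\s]+)', re.I)
REG_DELETE = re.compile(r'^\s*(?:"?[^"\s]*\\)?reg(?:\.exe)?"?\s+delete\s+"?(?P<key>[^"]+?)"?\s+/f\b', re.I)
SERVICE_KEY = re.compile(r'^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)', re.I)
USERASSIST_KEY = re.compile(r'\\Explorer\\UserAssist\\\{[0-9A-F-]{36}\}\\Count$', re.I)
SHUTDOWN = re.compile(r'\bshutdown(?:\.exe)?"?\s+.*?/r\b.*?/t\s+0\b', re.I)


def analyze(events):
    """Return one Finding per command line that matches a rule (unmatched lines yield nothing)."""
    findings = []
    for pid, ppid, cmd in events:
        m = SC_VERB.search(cmd)
        if m:
            verb, svc = m['verb'].lower(), m['svc']
            if verb == 'create' and SC_KERNEL.search(cmd):
                bp = SC_BINPATH.search(cmd)
                findings.append(Finding('kernel_driver_service_create', pid, ppid,
                                        f"{svc} -> {bp['path'] if bp else '?'}"))
            else:
                findings.append(Finding(f'service_{verb}', pid, ppid, svc))
            continue
        m = REG_DELETE.search(cmd)
        if m:
            key = m['key']
            sk = SERVICE_KEY.match(key)
            if sk:                                   # service (or its Security subkey) removed by hand
                findings.append(Finding('service_regkey_delete', pid, ppid, sk['svc']))
            elif USERASSIST_KEY.search(key):         # execution-history wiping
                findings.append(Finding('userassist_wipe', pid, ppid, key))
            elif key.upper().startswith(('HKLM\\SYSTEM', 'HKEY_LOCAL_MACHINE\\SYSTEM')):
                findings.append(Finding('system_hive_key_delete', pid, ppid, key))
            continue
        if SHUTDOWN.search(cmd):
            findings.append(Finding('immediate_reboot', pid, ppid, cmd.strip()))
    return findings


def correlate(findings):
    """Alert when one parent deletes a service and re-creates it as a kernel driver;
    the third element says whether the same parent also forced an immediate reboot."""
    by_parent = defaultdict(lambda: defaultdict(set))
    reboot_parents = set()
    for f in findings:
        if f.rule == 'immediate_reboot':
            reboot_parents.add(f.ppid)
        elif f.rule in ('service_stop', 'service_delete', 'kernel_driver_service_create'):
            svc = f.detail.split(' -> ')[0].lower()
            by_parent[f.ppid][svc].add(f.rule)
    alerts = []
    for ppid, svcs in by_parent.items():
        for svc, rules in svcs.items():
            if {'service_delete', 'kernel_driver_service_create'} <= rules:
                alerts.append((ppid, svc, ppid in reboot_parents))
    return alerts


if __name__ == '__main__':
    found = analyze(EVENTS)
    for f in found:
        print(f'{f.rule:<28} pid={f.pid:<5} {f.detail}')
    for ppid, svc, rebooted in correlate(found):
        print(f'ALERT parent {ppid}: service {svc!r} deleted and re-created as a boot-start kernel driver'
              + (' followed by immediate reboot' if rebooted else ''))
```

The correlation keys on the parent PID because the sc.exe and shutdown.exe children here are all spawned directly by PID 2420; in real telemetry (Sysmon event 1 or the 4688 audit event) you would key on ParentProcessId in the same way. A follow-up check on the host would be whether C:\windows\system32\drivers\appld.sys actually exists and whether it is signed, which the report does not record.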

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lc4tilfa51.bat

    Filesize

    8KB

    MD5

    ff773fbe0ab771b04b82316c89f20654

    SHA1

    d37bcca4ff0d80d5d02d4e5ab942a945edfb0fba

    SHA256

    f4907982695edaf608648b6e1984a0aea68057d428cbc82ebceba3d3074cfb7b

    SHA512

    528dc36c1e03650f57a8cf63e5d3c637290c5c450343065ab2cfc034d60114362953d144115e35956a8a34d2442ebfb4ca2c95943d8dd0f9f0eb58e563c7f313

  • \Users\Admin\AppData\Local\Temp\dg82fqkt63.exe

    Filesize

    126KB

    MD5

    8eded2a6dd7097e60abfa7292d3b23c0

    SHA1

    099688e74e257495636c96b34b2d59724c271a8c

    SHA256

    1b48f91b77fc85eec79786f908e0eaeff050cdaee49471ee0c2be92e05c972bd

    SHA512

    1733b6e583ad92a64ba2a561c7c5b333df2f59b1aec97d7627a9e257acdcb553e9907fe701a4bb094f4b4ec44b04f50f833ccfe11d5dbf171e9fd5fe1db7397d

  • \Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe

    Filesize

    343KB

    MD5

    060f3da224758a17ba766353dccd4d82

    SHA1

    b58ba5133ecb4ed8968733b2207058505fbefdf3

    SHA256

    9ef5644ff3befc763b4ab7b8bf0ba7e8ebda43d98e5e8d753f95fe9cdaec7645

    SHA512

    af06364339814b4c9058f3acf2214842e381f988f87b4b694bcb06cb55cf749d76e117ef2fc4a0f80c530d0ef51e6ee3171045d37a260e6456c0f363b41baaa7