Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/11/2024, 01:49

General

  • Target

    8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe

  • Size

    644KB

  • MD5

    8e8d8dd457411eaf96c3e5f1cf646ec5

  • SHA1

    b03b741382822e3f012bc8d1c87331aaefeff1a4

  • SHA256

    b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24

  • SHA512

    e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c

  • SSDEEP

    12288:/6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgmb4qtz4g:AvdezCByqTtlMQsFuqzRbzI7IXb46N

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe
      "C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe
        "C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe" "-C:\Users\Admin\AppData\Local\Temp\tizqhwobxyneiqqd.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2812
      • C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe
        "C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe" "-C:\Users\Admin\AppData\Local\Temp\tizqhwobxyneiqqd.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe
      "C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2628

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          bd39d78d7257cad3b57b0cf6852d2459

          SHA1

          b756bf07bf0fcc0cb8ddf7b6737df9141167e011

          SHA256

          fcb7a2258f089d9f5e46c4d3bceb4f5b35fcc16f59bed7dbcc41c6e5d34bd122

          SHA512

          80c6ee23826c6dbf5e00295656e0f355f96f742b8a73a85a334e0b6e9ac504ee44e923239d7c739b656827db66b201b18ac221275c045b663759343026302793

        • C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          3fc0a394b24744c76b7b91a1c10d8216

          SHA1

          c5fda7b3b22e94d0cac838f81140fbf1bed64de2

          SHA256

          97be1d6f4501cccdd73226f047d64184481dd20916d9835d0ea42f728db8f42b

          SHA512

          5899959af2c785ea64b04f6a26627bcbd3cf9756fdf514de4f15ba9affe0917faa0f0851ede9d825929c3c7637a437779019e5d6e0293552b6f879637357edb8

        • C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          866fe1afe131d8c1261d54666cf4461e

          SHA1

          ae9496f14e1c5125f19b972c69740a4fd99e92b5

          SHA256

          35eaf9bfc1f7baa4f54feec2ed0bf94f920d41499d87e60cee387f651f7549d1

          SHA512

          250726839b7acb471f24e96eea8b69682daeda1eb94c1d9f574877c947b0671938553a1716c7ec627d009438b71fde5ddd493ea465dd591c6ab0a51d5db9da77

        • C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          afcfeda83189dface8078661956399f0

          SHA1

          70216e651ac58ca32855d7a361e2528a7663824f

          SHA256

          8562896a03298191bfae64441e7a7b9d1eb6b8fca82b9e56b056eaf6606ef789

          SHA512

          ebb646251eabe7345a4f26330f22914f064ccb9104384b6ddf71ce3dc45e0d08f9bec464b420ca3b55c4672708dc36c58c66e2a3100d422e7daf9e0cb57bec1f

        • C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          1899d28db807e607993661504212d169

          SHA1

          e9c8ac80b89d14963ec923fb8aa71c667a5154e6

          SHA256

          36f0306064b4a8debcee15fe9cb1a936aafa2168c31362433caf71e610b7be8b

          SHA512

          39e8864d1a28b5ec8637569d18426261f8ad3a5aa9f389f0af73e9897a437a919d84aba5dc92b0a3998a7be7f7893ff53fcf7258d0b2f596a3f2b0b957c66f55

        • C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          44acbf916ee6657437ea243c6157ae69

          SHA1

          0dce3dc316cfd0ad192a81e70f1b987616389203

          SHA256

          102d6d89480a5555a0102ca85dd3b3a24a8fbcdf947f0b3c2c76dffc1da614c3

          SHA512

          eeead8db0c51d0b9ccdccddc218ac83b65852045c352f8567ae225e34bf4af16ebaf997b21862492dc62d28cb972fbe0f308ff0a946dc0bfc9fc9a73a44ab5e2

        • C:\Users\Admin\AppData\Local\nqvafiopzorwokyzkdglqvyefp.hme

          Filesize

          272B

          MD5

          1b87b226dcd3c7aff0bdad467faa0d18

          SHA1

          4d22da62b305839fe384af9b6cc0578b004f5f91

          SHA256

          be256f4662ad980ffa475ab489785ca70cfbfbff3cdb0df554fd316a7e5cf560

          SHA512

          6b265d736f94ecfe0ab3245e3aa4721015ba5c5dc9c21b1893ce2f6e4809324a9b5880feb6fe8cc882569f2dca7a074f99d5996d3deb70a696cab7fe5230d757

        • C:\Users\Admin\AppData\Local\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct

          Filesize

          3KB

          MD5

          fdb045e2e1dcc48616e29bc3025ce190

          SHA1

          0fc9224af1fcedd19e0148449e764fded354f4eb

          SHA256

          11ce6bb298e9cb10b90438860c781a2f7c505f698c9fd44ad660c6d376bf3338

          SHA512

          d61382f07e34bc2234001ab4fbcfa85ed3a158c3ef3764e8a01e3e5c69edc82e044a5b030839760d44f1bcfbc80a13fa375da7763c7264e73fa67e0425ff92e6

        • C:\Windows\SysWOW64\jatmfwqfdgxqwgixwd.exe

          Filesize

          644KB

          MD5

          8e8d8dd457411eaf96c3e5f1cf646ec5

          SHA1

          b03b741382822e3f012bc8d1c87331aaefeff1a4

          SHA256

          b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24

          SHA512

          e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c

        • \Users\Admin\AppData\Local\Temp\fpbadygypzl.exe

          Filesize

          320KB

          MD5

          89ec3461ef4a893428c32f89de78b396

          SHA1

          8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

          SHA256

          1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

          SHA512

          7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

        • \Users\Admin\AppData\Local\Temp\uaiqyen.exe

          Filesize

          684KB

          MD5

          fc013097dbb4c255478016b15df67f97

          SHA1

          5b48b446353bb1df09b143e07901442cf18c0662

          SHA256

          4e6799862185f6bd77a9715a3748b0cc6a7594d730fecedd5e3736bbf58b7f61

          SHA512

          c366f94fcd5340cc6308c535c19dd470eb7b79a3909de8daacd8ac1fc67f3c1ea38c6fdeee750046ced6ecfb552a934088585f1bcc3e6772185205c1be873013