Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2024, 01:49

General

  • Target

    8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe

  • Size

    644KB

  • MD5

    8e8d8dd457411eaf96c3e5f1cf646ec5

  • SHA1

    b03b741382822e3f012bc8d1c87331aaefeff1a4

  • SHA256

    b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24

  • SHA512

    e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c

  • SSDEEP

    12288:/6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgmb4qtz4g:AvdezCByqTtlMQsFuqzRbzI7IXb46N

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe
      "C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1452
      • C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe
        "C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe" "-C:\Users\Admin\AppData\Local\Temp\yifohatdtkbbduqf.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:4256
      • C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe
        "C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe" "-C:\Users\Admin\AppData\Local\Temp\yifohatdtkbbduqf.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2088
    • C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe
      "C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1968

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          061b0dcb3060d6ca66f10ccce7ab61be

          SHA1

          1153d1abe74369829ad1e7bd47af925db4e359ae

          SHA256

          309ee03438e0163a9e74641168c2f52aad0212d59fd113da0d866d12f99b2e88

          SHA512

          abcdfc97c5b271ef096aa5db38141edf267263ae6eba3d0d6fe1968362edc8963a6383135d55208510347e54febb505b922ad471a87a8640bf8b0a71885c174f

        • C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          090933cb1b985003f97868500747aef0

          SHA1

          7f9477a2d53eff62f6a372521bbbcca6c4a4dd4d

          SHA256

          11ca72a0d2aa6f1d5bf3c48929d560643bf0daf538737920267b258a2d1604f8

          SHA512

          6b5feed19871a7ee66cb821f9d57fb4b3dba4360358f154c87714994f9fea61e637c08fd9d9e586bf25c8d64a6d37c21f15cd7172af54b7a2acbe4ab9d6ce39b

        • C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          c360240777510807942609591f7898df

          SHA1

          371be61eb3c76ad30bf089a8cf5de0907fc0ff8b

          SHA256

          3631ffe7906d9cf7bfa7dacf3dee1d1ca889266d1da3b6437a8de3793f533332

          SHA512

          da8beaa0703ca360d7e943e449c38bd4a8169a296b7236906942c796b5b360b697e6c5b0dd8c8ec216d68d0913faed41964b8b7c8c78f11d6ef04352a5e80e96

        • C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          6e0e2d3217412caec52ea2c72bbe6c89

          SHA1

          0a507501387046e565ae2f5958cd02d37d1d9e1e

          SHA256

          7fa81602da215a8836f11b3dd1b57a0d1a0dff7e9adc641eea420a55692e0644

          SHA512

          661666bac8d46d08759216dcbb355039008d6e75b6b8118ea94e41fd59f708af1a3907930112fd73141973d24a17cc4f5999bf243e6ca07ae77feca824ce2fe4

        • C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          5ab2d671d5424fe84386eaa59176c574

          SHA1

          78698bbf4c8abc06830ee09ee5001232c2293b5c

          SHA256

          c988d04e54a3510aedc4a357a5354ffb12e2a1632d7c6fb0cb32d8114120b9f3

          SHA512

          33e8029479b29729f6acaa8a089808042b8e8c5f28c8babe68447adfa78373dcf9891c7b8743f769f006c5de2ec9583ab508d21ef2eb0c485e06b8bb8fdcfbeb

        • C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe

          Filesize

          704KB

          MD5

          9427724fbec4c66729e704d4b0a10e7e

          SHA1

          b08d9b608e9d36a0d7f9e895e2b191a9b879cf8b

          SHA256

          ca1861c8eccbcbc9fe74d2b0ce8eab88f6119cd2ce18d89eec5204961a996c25

          SHA512

          5616761f8d2398148d7970d2071137692d8feb7271d15d79cacdc32ac0f7abd0e219a4255d5ce4b7c00c179e568d9c069c3f60669a4ea5bcc37249873a53284b

        • C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe

          Filesize

          320KB

          MD5

          89ec3461ef4a893428c32f89de78b396

          SHA1

          8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

          SHA256

          1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

          SHA512

          7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

        • C:\Users\Admin\AppData\Local\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          05190f09ee38a61772bb23e86c5be4a0

          SHA1

          240c1b4963ab189b6b5f4782958cc61b99fef669

          SHA256

          e572ee95628466ef878889dc10af8f16d221eede47bc31fa890da94d13836947

          SHA512

          75b25cf204118a8bb3935b826424aa1b8b4f243b380e66f2ae3edb6528534d89e3cb3da53467949454aa5fcd09dc9a2d14d8c9ae0949ddcdb34110d24be2e486

        • C:\Users\Admin\AppData\Local\dygaeimhikmxkmttcupxrvz.yzb

          Filesize

          272B

          MD5

          fc5d0ecde43e2d21db42ab95d4329073

          SHA1

          e1f3856c0ddf8738626f40f9dce852410bab7aaa

          SHA256

          2ab7ed12d4b9748ffb1b56be1d5c56183299138b86903ece2f07cab5ebfa3b46

          SHA512

          7cb612f9c80619df2c80d9d138d6e5e6bf8d008d38c62c465cc98e708d1f409855a2aef9cf12f35c2cf3b6e652d9472d1f9dace1494bf09eefa23fe182a0beae

        • C:\Users\Admin\AppData\Local\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm

          Filesize

          3KB

          MD5

          a3cebc39acf1b5b58d65c58da405dd75

          SHA1

          2d491a1e3cfe8901f9f935a7dcd743f010512003

          SHA256

          fc4635cd23f148139340f9f18d2b376fc1114f88fb14cd6907799d62a097a450

          SHA512

          fb82f12c4b83b556629808035c60a50d8b7f0f4f35906d630e0463c3ddcf1973af30cf8018c9382ec0bcda7c5e08792e09ae5d3bbaf0a77b6d5d46aacfd66354

        • C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe

          Filesize

          644KB

          MD5

          8e8d8dd457411eaf96c3e5f1cf646ec5

          SHA1

          b03b741382822e3f012bc8d1c87331aaefeff1a4

          SHA256

          b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24

          SHA512

          e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c