Overview

overview

10

Static

static

3

9f00532b68...18.exe

windows7-x64

10

9f00532b68...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    23s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f00532b6824512f8f245cb789c71161_JaffaCakes118.exe

  • Size

    175KB

  • MD5

    9f00532b6824512f8f245cb789c71161

  • SHA1

    829de6891ca10c638c9ac075a77b1bf06ca63646

  • SHA256

    a22940dcfdf7cf05b6afc69d3fe6441761c96555fbcaed9d8cf006a400435101

  • SHA512

    80e79a4ff68bd35bd73bf338410a021787f839ddf8de51f417b88ff0862d30d4b20e3605b53119af933c6cad888a78e4f0016e31202679d9f3f538d417dea30b

  • SSDEEP

    3072:wup2r6y7Mz/Ovm0JqoX+GfKfNFIv/b0y4kohJJR0zspPYG4Z+iN60v:wuU2lCmlm+GYNev/b0y5qJJR0zspT0v

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 26 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:476
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\9f00532b6824512f8f245cb789c71161_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\9f00532b6824512f8f245cb789c71161_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \systemroot\Installer\{57cf9f1c-10e4-d51d-031e-0c1efe3adba7}\@
      Filesize

      2KB

      MD5

      1c7868922d86cf9ee43ab82e4d47b33f

      SHA1

      a9acb231147540443a4a7a4e99df525dc8aa747b

      SHA256

      adc4c99cfacfe72955e91135dc341ad303557c46a4e0561a03f09871f3600dca

      SHA512

      8ac171cbce4507b0ae0bf8fb783d6ad66dbd70c06ee92f3c3593d97de8655961b76c5cff718b388dec95ce081925e4099b309cb9b7084c1c90e16045d8636e9a

      Download Submit

    • memory/476-16-0x0000000000050000-0x000000000005B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/476-12-0x0000000000060000-0x000000000006F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-8-0x0000000000060000-0x000000000006F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-18-0x0000000000070000-0x000000000007F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-17-0x0000000000060000-0x000000000006F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-19-0x0000000000070000-0x000000000007F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/476-27-0x0000000000070000-0x000000000007F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1196-25-0x0000000002E40000-0x0000000002E41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1196-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-4-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2148-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2148-1-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-23-0x0000000000427000-0x000000000042E000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2148-24-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2148-2-0x0000000000427000-0x000000000042E000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2148-3-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2148-30-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download