Analysis

  • max time kernel: 150s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20241023-en
  • resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted: 26-11-2024 01:33

General

  • Target: 9f11e80b937a80d10662272eecd3b5d6_JaffaCakes118.exe
  • Size: 720KB
  • MD5: 9f11e80b937a80d10662272eecd3b5d6
  • SHA1: 6beaf8431439e6ab8bc6e7e5362c34dac9a30c82
  • SHA256: e40d738784e02c5c3e9528873d8ceb8737f51ddf29deac980ae01de06b10c95f
  • SHA512: d22248a9004521f4ad45b130666bd1a4277bdcc951a9f08de6f838e47b53eb08e0b2beb239f6ff37e9775a051461524089f84abed92776e74b4b8f6f747a3d19
  • SSDEEP: 12288:nXgvmzFHi0mo5aH0qMzd5807FRPJQPDHvd:nXgvOHi0mGaH0qSdPFr4V

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 27 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTPs, 36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f11e80b937a80d10662272eecd3b5d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f11e80b937a80d10662272eecd3b5d6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\bakmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bakmy.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\bakmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bakmy.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:2676

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: f35bfc5371b3dbdc271e9270480682f8
    SHA1: cc52fefdddc12293fffe2cfeb585e89660017e62
    SHA256: b21228eff85e5b5f2396829f67dbe56543fb77b97d85b680902f2ed0153e0f0d
    SHA512: f8b66b0974efc87ad8d451d6da033f95a8be2e86d649382a5bbc642ec57f047e6490fc31b0553075ecae5ea1bacd5da667ba7862d5f8d397990cf2c1d734c66e

  • C:\Program Files (x86)\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: 4496b3135215f606f646fea50ba19ecb
    SHA1: 122f531d960c35581544c96db70a82104b0770cf
    SHA256: 2b3902edd8230f74e1aec05b9353b55d84a74081bd568d0108040f5022e517a2
    SHA512: 67ccc67b8749feacfa3633cde65d8edc7d0a57756b0789e3778fe9f95063b2f73e10844e6e9c51b8ed304b2b8edaa19eb09217e6d3d85ba23265877326316a08

  • C:\Program Files (x86)\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: e0710017061cea687bcef12dbee80967
    SHA1: 1ccb63565ce8d0db51634ef94fe694492c44d8e7
    SHA256: 090b9789cd317e06b57349206c173681e9c4058efa6593f11664edfd4def672d
    SHA512: ec671b9a937d645b4717a4b0d6cdcf16837300e48ca888933c340cf450c664e45d9333c9b3335443c666a5c39f1bb6daf21a04d5b65aff63552aab66fa86911a

  • C:\Program Files (x86)\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: 5f9cea684f0de2c26f7fa97eb305840d
    SHA1: dc46fb3f96c109cd385099ccb27f586e7fdf6957
    SHA256: b7f8cee63b0ad14e4d5ddbfe34771476b09a86aa9d89ce3e7af7ccc01a5528eb
    SHA512: e987c3079cbe06bf0908a5283f468001b3f42028560622a41919c22ece092e77ba2bb5e47d5fa2c460f31a517c6c875864377e4a40591e971bca74caa8f5db32

  • C:\Program Files (x86)\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: 7069e553b46cb11586539ac82e1e2280
    SHA1: 180c536bce7c8f8a2b8850202541228c8ac82d03
    SHA256: 0d12be98ba4fd033fddec8d74aa94e86385f33082589332296be9b1ea2dd2fff
    SHA512: 8cd66e140d97e3d8a55a8863a1dfdf9b22be5f9587e07d166f7e9a1ce5492df4907d8deb7db594ecce20eeb478a587cfa03cf39498dd73dce24485d5ea21ed88

  • C:\Program Files (x86)\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: 1648484c3a0d76fb9f6dae85b0b79de8
    SHA1: 3d36d9472fbae5670f34c68fe469d8bcc06cb0c3
    SHA256: 0db737c24b2671891bcc707375cf27aaee6218482dcf251fc4a38e055da11a3b
    SHA512: 55f7bf9f6aa367d8d75bd0c9893fe2b6c90c33b2d82806c9d6ea897ad4c4d2aea049e51509a46509c1e1273365ef01346cb03710f82e0fb3ae7b25fb8ea39ce4

  • C:\Users\Admin\AppData\Local\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: c8372c15e74efddc96bcd113b649bd2d
    SHA1: 2ece05dd55692e47819ddf1b6bbbca640355b01a
    SHA256: 0626fe3522fd6f568af062c2662c071a5e15a5cdb79aa8b2276158c65cd8afe0
    SHA512: f968ccf322945ea5e681f29359403d5cbc551360a9ecfbf66b651b21c1880d537bd543a68bb7a72f7b257b0f54d8d0fa9b0303ca82bcea5734b76a891270ff9e

  • C:\Users\Admin\AppData\Local\bakmyxzerrzggcwlxinmwykjlqd.lss
    Filesize: 280B
    MD5: 826509f4b815382e3329d997dece6878
    SHA1: 61382fbf16a30c9caf921c528ef2cb9f64d8fcec
    SHA256: 12a705fe16d2c767f05e69512b649f8615eb4d5e3d51ede86a9c10e4946f7c4e
    SHA512: fc6c7519533b0060ca4a5c8dd737f95f549a49f2646dc96df7f3dc67fdb41030a039d36ed9f0250204272c35df3fe7300e1a55ca172cdb2c663cefc35ae865fa

  • C:\Users\Admin\AppData\Local\yidqnxkayjcufmrrokakfspzmcalewhottqmcm.urb
    Filesize: 4KB
    MD5: 4424277cae16c5a1396d87cbddceb30f
    SHA1: 9086e10cbbdc4e0721832fef070db81d6a250c6d
    SHA256: b38a4dc1348fcf2694c3e5244539ad074ffda20c084747ce4f8407fdabc1c2de
    SHA512: c244ff7f0a212fe74eebfefe29063d88d55e425ee783e5215df223bcec34c2e53c3a2aaff07e30eb597643af21ea050723232599b8e85105e6dff1cc4aa1ba80

  • \Users\Admin\AppData\Local\Temp\bakmy.exe
    Filesize: 1.3MB
    MD5: 4205f77209d297f6c8de63eade250d56
    SHA1: 154b58fe0dc8e32591128b92d436956ae948b521
    SHA256: 9a83f77a3f4e4f06dc44a75d73908b6dc3633473c9230590d4c0a8b5fb82a458
    SHA512: 37ecb16ed7b564e1d2552fd0d0e03968611ef5b87574830b5e74b7b91a213d3871752aa50b2306b80e027c4be037dd21fc3c9d54956f3d1adb4b1012cfe64780