Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-11-2024 01:33

General

  • Target

    9f11e80b937a80d10662272eecd3b5d6_JaffaCakes118.exe

  • Size

    720KB

  • MD5

    9f11e80b937a80d10662272eecd3b5d6

  • SHA1

    6beaf8431439e6ab8bc6e7e5362c34dac9a30c82

  • SHA256

    e40d738784e02c5c3e9528873d8ceb8737f51ddf29deac980ae01de06b10c95f

  • SHA512

    d22248a9004521f4ad45b130666bd1a4277bdcc951a9f08de6f838e47b53eb08e0b2beb239f6ff37e9775a051461524089f84abed92776e74b4b8f6f747a3d19

  • SSDEEP

    12288:nXgvmzFHi0mo5aH0qMzd5807FRPJQPDHvd:nXgvOHi0mGaH0qSdPFr4V

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 36 IoCs
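
The signature list above names the persistence and defence-impairment locations this sample touches but not the exact values it wrote. The following host-triage script is an added example, not code from the report or from the sandbox: it checks the registry locations those signature names conventionally refer to (Winlogon Shell/Userinit, Run and Policies\Explorer\Run keys, DisableRegistryTools, the UAC policy values, SafeBoot). The value names and the "clean" defaults it compares against are assumptions stated in the comments; the report itself does not list them. Run it from an elevated PowerShell prompt on a host suspected of running this sample.

```powershell
# Added example (not from the report): triage the registry locations behind the
# signature names above. Paths, value names and expected defaults are assumptions
# about what those signatures conventionally check; the report shows no values.
function Invoke-PersistenceTriage {
    $findings = [System.Collections.Generic.List[object]]::new()
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    function Add-Finding([string]$Check, [string]$Key, [string]$Name, $Value) {
        $findings.Add([pscustomobject]@{ Check = $Check; Key = $Key; Name = $Name; Value = $Value })
    }
    function Get-RegValue([string]$Key, [string]$Name) {
        try { (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    # "Modifies WinLogon for persistence": Shell and Userinit are the usual targets.
    # Clean defaults: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell -ne 'explorer.exe') { Add-Finding 'Winlogon Shell' $wl 'Shell' $shell }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit -and $userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
        Add-Finding 'Winlogon Userinit' $wl 'Userinit' $userinit
    }
    # A per-user Winlogon\Shell is not set on a clean system; any value is suspicious.
    $wlUser = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $uShell = Get-RegValue $wlUser 'Shell'
    if ($uShell) { Add-Finding 'Winlogon Shell (HKCU)' $wlUser 'Shell' $uShell }

    # "Adds Run key" / "Adds policy Run key": Policies\Explorer\Run is rarely used
    # legitimately, so every entry there is reported; plain Run entries are reported
    # when they point into user-writable locations, as this sample's drop paths do.
    $runKeys = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                  = $false
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                  = $false
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = $true
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = $true
    }
    foreach ($key in $runKeys.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            if ($runKeys[$key] -or ($p.Value -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\')) {
                Add-Finding 'Run key' $key $p.Name $p.Value
            }
        }
    }

    # "Disables RegEdit via registry modification" / "System policy modification".
    foreach ($hive in 'HKLM', 'HKCU') {
        $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-RegValue $pol 'DisableRegistryTools'
        if ($v) { Add-Finding 'RegEdit disabled' $pol 'DisableRegistryTools' $v }
    }

    # "UAC bypass" / "Checks whether UAC is enabled": EnableLUA=0 turns UAC off,
    # ConsentPromptBehaviorAdmin=0 elevates administrators silently and
    # ConsentPromptBehaviorUser=0 denies elevation to standard users outright.
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
        $v = Get-RegValue $sysPol $name
        if ($null -ne $v -and $v -eq 0) { Add-Finding 'UAC weakened' $sysPol $name $v }
    }

    # "Impair Defenses: Safe Mode Boot": a changed AlternateShell (default cmd.exe),
    # or an .exe registered under SafeBoot\Minimal or \Network, survives a safe-mode boot.
    $sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $alt = Get-RegValue $sb 'AlternateShell'
    if ($alt -and $alt -ne 'cmd.exe') { Add-Finding 'SafeBoot AlternateShell' $sb 'AlternateShell' $alt }
    foreach ($sub in 'Minimal', 'Network') {
        Get-ChildItem -LiteralPath "$sb\$sub" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '\.exe$' } |
            ForEach-Object { Add-Finding 'SafeBoot entry' "$sb\$sub" $_.PSChildName ($_.GetValue('')) }
    }

    return $findings
}

$result = @(Invoke-PersistenceTriage)
if ($result.Count -eq 0) { 'No findings' } else { $result | Format-Table -AutoSize }
```

The Run-key check deliberately reports only entries that point into user-writable directories; on a host with many legitimate autostarts, drop that filter and review the full list instead. Any finding should be confirmed against the process tree below (the sample and its dropped xalozem.exe both run from the current user's Temp directory).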

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f11e80b937a80d10662272eecd3b5d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f11e80b937a80d10662272eecd3b5d6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3272
    • C:\Users\Admin\AppData\Local\Temp\xalozem.exe
      "C:\Users\Admin\AppData\Local\Temp\xalozem.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:4556
    • C:\Users\Admin\AppData\Local\Temp\xalozem.exe
      "C:\Users\Admin\AppData\Local\Temp\xalozem.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:3640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:212

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      1d66b5a8c4579b943b502359547f9904

      SHA1

      d6aac85375dd5af4f4b47114980497319d66afae

      SHA256

      b0de9ad04fb61825e701427d2d8e36661cf96a23d2f90bb592fdfe05288705a9

      SHA512

      001dec82503db832b59df77028d762800d9a4172a918fdebdb1f2e27b80a5ef87dd4190e23a7322ba7fb4000c63968cd2825b72a6e570bece5ee2ad6d7010d54

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      b0780f8bf5ca82b52e2d8c26b442425e

      SHA1

      07ebc0e6c1b45df8a4442f5f11e134209fa399c4

      SHA256

      7bcb02483acacf4255a9ecc3b18d593bcbf287a44dbdafcac3ac64233a7e6e12

      SHA512

      2ad93e630d98d4489e0f9fee7ba643e1c1d265162e24482f5eee29840b5cb72fec7e8b7b6396da59f8c400bd815ac007c6d6c73ca0ec1263ab1f5bb37a0c1748

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      3b4946de1b9c476c6e5bf7c7be179a91

      SHA1

      c9b66381c240283362a3ded01f4ea709f9004aeb

      SHA256

      154861132218612ad4563dd097eab7d26bfb0c3a19edd176df61f7aecb06bee6

      SHA512

      4070d4481654d8c8424052feb05bada2e19de22d75213c215e7ecc7956c98a285620d42d950f24ac264be6ab8c8819c08ef0686cf76aa65fae4e148af07cdba4

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      2e881b5c97d677cf33b8216c1edc4c33

      SHA1

      370c9b82802202a8cbb0c58a4452e1ca376d8f0b

      SHA256

      15fb5d7df61a76bdbcbbf56671dab0b3b32c5bc23a4a7b0464c8321d019098c9

      SHA512

      8c554496ce71c033a9ec235c7eeb224930827ba2c40ce20a0fa3bb1bd5ae3eaff87cb40cd3bc78446da759bdf4e8f261710358b7437ab35e9d1f49bae5a983d1

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      6ac462da991dd97ee236c28ebb24802b

      SHA1

      338b74240e264239d80be94670884864898564bd

      SHA256

      8e188bb30cbb469bb2cc0d606384c4896abec11d7b879295105daa0522f92390

      SHA512

      56b7a062c4e25909960f08339f6325337adb67d958d6e5a9149ddc04f9f932d5f56434cbe16f53d120add8553827a0375bce7e4a2a29b16bb9825bd4fe462ee4

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      bc0aa6abb7b967975a98ff2d0a2da9c9

      SHA1

      40f87bda3ecd3aa6f2674916b58b9edeefaa3f86

      SHA256

      ac79444be24b8c4a57e309ad805735178d8279190801d799954433887dc8ac9b

      SHA512

      e8553786b14f8ba21edb4398ecef9755fce7b7b58443799995e143ca24008a0d478d3d158d29fa9d52cdbbf301601b381a2d851ec6fa5a39c3a29732120bbf28

    • C:\Program Files (x86)\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      3c0ef2c0b4fb5a21a4be10f695ab33b2

      SHA1

      8e3c2e2f85233c0ba2b287b9d5a9d1b67dca29e7

      SHA256

      cef16d5017ea021a6e8c4eb77d23f0017294a1011516051156e53208515c2c8e

      SHA512

      ac9da4ebbdcab3d3bc3e4e872d193c9938257ead1d80a040a92a65f4e8cfc7e85dedc93afcbeb5de933156fd7275eb226e9c758ec01a7c27fc35b61c5ca259aa

    • C:\Users\Admin\AppData\Local\Temp\xalozem.exe

      Filesize

      64KB

      MD5

      840df1a9b391e4e40d83fdbccb2604aa

      SHA1

      3214546663265a237e89482d593932b5e69e719c

      SHA256

      1f09314035b1b2f2be2fbfe92b39196505c3764a7a6dc6274fb5952cb3490714

      SHA512

      a2d97328e0a304324803b503abce9edddc4d56d71ceb188b17f1d5da90e93dc22c82c7c1fa18ecbbfa8817af048b320b3332e2fb7923a18a085290215480e461

    • C:\Users\Admin\AppData\Local\Temp\xalozem.exe

      Filesize

      1.3MB

      MD5

      2e270ec7ae89c89976b1767c173873e4

      SHA1

      63d81efb2c4ae653e1f7251fa3208169e2eeb6d5

      SHA256

      94f5a3d6b19ea6b470ffd67196a0b50d76405553d85bc3dd902d6960ef36d803

      SHA512

      e60afc318fab7b2f4b68604f68f3f023a44b09435f8a6cf64c319cb435a096f8cffecf56c0d268a6af9d16adcfbc35ae2af36506ca0d7d4a840904d9e7aba54f

    • C:\Users\Admin\AppData\Local\ecigmmpwywzlzcklvmkqouux.geh

      Filesize

      280B

      MD5

      e0a8dd72267b0ce3975e8662ab12a514

      SHA1

      38d98ee3ca100ed3638bfb41d69a800416e41682

      SHA256

      265a862645ed4511cba50e2bdf172b2efcd4a5d5cb8c6e674bdc25724aaf8feb

      SHA512

      1e41f1e5eca9c88e9cc8155958308a4a9c7c8761b2238d0ea3c3d00c2a3855002383e95336a5d4188f3000d4d693b4e56182ca0c517949a3b5ebce3e2e65a037

    • C:\Users\Admin\AppData\Local\nwnwnymeraolkyrdyajajalzrenbyxleqln.nwn

      Filesize

      4KB

      MD5

      c8cae26423ce982c13a4664c6b9f7cfc

      SHA1

      ac28bb2244b96162c987d548e1ec72ba7e74ec0a

      SHA256

      c6a4535b1f608c01f00e680283978490a5751e18ebba675c7c59bfcd322dbc09

      SHA512

      16d1617ec3ca379d829e07ad00653e20986fdadf3de6fa10acbff898bf85b26df9d68d3b9e73d380fd98b8bd77db69c7f84ddc10f5d347eb53b7470eabd3db00
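
The Downloads list gives three things a responder can sweep for: the dropped executable (two different versions at the same path, 64KB and 1.3MB), the 4KB .nwn file, and a 280-byte .geh file that was rewritten repeatedly during the run (eight distinct hashes at two locations). The script below is an added example, not code from the report: it walks Program Files (x86) and every profile's AppData\Local and AppData\Local\Temp, matching files by the names above and by the SHA256 values copied from this section. Because the .geh content changes on every write, it is matched by name and size rather than by hash. Generalising from C:\Users\Admin to all profiles is this example's assumption, as is the choice to look only at the top level of each directory, which is where the report shows the files.

```powershell
# Added example (not from the report): sweep the report's drop locations for the
# dropped artifacts by name and by SHA256. Hashes and names come from the
# Downloads section; sweeping every user profile is an assumption. Run elevated
# so other users' profiles are readable.
function Invoke-DroppedFileSweep {
    # SHA256 of the two xalozem.exe versions and of the .nwn file, from the report.
    $knownSha256 = @(
        '1f09314035b1b2f2be2fbfe92b39196505c3764a7a6dc6274fb5952cb3490714',  # xalozem.exe, 64KB
        '94f5a3d6b19ea6b470ffd67196a0b50d76405553d85bc3dd902d6960ef36d803',  # xalozem.exe, 1.3MB
        'c6a4535b1f608c01f00e680283978490a5751e18ebba675c7c59bfcd322dbc09'   # nwnwnymeraolkyrdyajajalzrenbyxleqln.nwn, 4KB
    )
    # The 280-byte .geh file had eight different hashes in one run, so it is
    # matched by name and size only.
    $knownNames = 'xalozem.exe', 'ecigmmpwywzlzcklvmkqouux.geh', 'nwnwnymeraolkyrdyajajalzrenbyxleqln.nwn'

    $roots = @(${env:ProgramFiles(x86)})
    foreach ($userDir in Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $roots += Join-Path $userDir.FullName 'AppData\Local'
        $roots += Join-Path $userDir.FullName 'AppData\Local\Temp'
    }

    foreach ($root in $roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        # The report shows the files at the top level of each directory, so no recursion.
        foreach ($f in Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue) {
            $byName = $knownNames -contains $f.Name
            $sha = $null
            try { $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower() } catch { }
            $byHash = $sha -and ($knownSha256 -contains $sha)
            if (-not ($byName -or $byHash)) { continue }

            $how = if ($byHash) { 'hash' }
                   elseif ($f.Name -like '*.geh' -and $f.Length -eq 280) { 'name+size' }
                   else { 'name' }
            [pscustomobject]@{
                Path   = $f.FullName
                Size   = $f.Length
                SHA256 = $sha
                Match  = $how
            }
        }
    }
}

$hits = @(Invoke-DroppedFileSweep)
if ($hits.Count -eq 0) { 'No dropped-file IoCs found' } else { $hits | Format-Table -AutoSize }
```

A name-only match on xalozem.exe should be treated as a hit even when the hash differs from both values above: the report shows the file being overwritten at the same path within one run, so a third build on a victim host is plausible. Collect the file before deleting it so its hash can be added to this list.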