Overview

overview

10

Static

static

5

b4ef92829a...18.exe

windows7-x64

10

b4ef92829a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4ef92829a00ce4d5ad262a9728bfdb3_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    b4ef92829a00ce4d5ad262a9728bfdb3

  • SHA1

    727e46a9b93a50cf9e8a884908790df06ce179d1

  • SHA256

    f5bba385e755195905d477c47dd344211e575172b68424aabe4e59bf17822561

  • SHA512

    46968507d7dd010728283e8cab07cf8fd616ae5ca96d7aad8febac1a754590684d9120878d5bf14df56cc07db424d1296a2e3fad18448c7be2d7de077c7e4c5f

  • SSDEEP

    12288:tGAjvKDelgGGnVAAtZMC12BXnh6ya+sNzaOvoJpaz/g/J/vVQT:wGyKlX8VAAtZp43u+sNH8az/g/J/NQ

Score
10/10
discoveryevasionexecutionupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Drops file in Drivers directory 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 4 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4ef92829a00ce4d5ad262a9728bfdb3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4ef92829a00ce4d5ad262a9728bfdb3_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls C:\Windows\system32 /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\system32 /e /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2300
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3044
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc config ekrn start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\sc.exe
        sc config ekrn start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ekrn.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im egui.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im ScanFrm.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ScanFrm.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\killkb.dll, droqp
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2152
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc config avp start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\SysWOW64\sc.exe
        sc config avp start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im avp.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1980
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im avp.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      2⤵
      • System Location Discovery: System Language Discovery
      • Gathers network information
      PID:332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\killkb.dll
    Filesize

    25KB

    MD5

    10301fe19c1fdfc7aa4ead3b49f2b8f7

    SHA1

    6d03b253ce2c12bc5ae6c464c610db34687260bd

    SHA256

    18c70fb17ba4a479ac7ee030d999e5a34c91028575d83455346d028bc539fdda

    SHA512

    ff0efc5ccd0ad6a3b8f7a1967f6d75991aedb3f714a8853c742149559b193cdc740513da6a0673965191215a966d3cb9571c5df8bc74c085511c7aca3171f459

    Download Submit

  • memory/1964-0-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1964-8-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1964-13-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download