Overview

overview

10

Static

static

5

b4ef92829a...18.exe

windows7-x64

10

b4ef92829a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4ef92829a00ce4d5ad262a9728bfdb3_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    b4ef92829a00ce4d5ad262a9728bfdb3

  • SHA1

    727e46a9b93a50cf9e8a884908790df06ce179d1

  • SHA256

    f5bba385e755195905d477c47dd344211e575172b68424aabe4e59bf17822561

  • SHA512

    46968507d7dd010728283e8cab07cf8fd616ae5ca96d7aad8febac1a754590684d9120878d5bf14df56cc07db424d1296a2e3fad18448c7be2d7de077c7e4c5f

  • SSDEEP

    12288:tGAjvKDelgGGnVAAtZMC12BXnh6ya+sNzaOvoJpaz/g/J/vVQT:wGyKlX8VAAtZp43u+sNH8az/g/J/NQ

Score
10/10
discoveryevasionexecutionupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Drops file in Drivers directory 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 4 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4ef92829a00ce4d5ad262a9728bfdb3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4ef92829a00ce4d5ad262a9728bfdb3_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls C:\Windows\system32 /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\system32 /e /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4680
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc config ekrn start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\sc.exe
        sc config ekrn start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3136
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im ekrn.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ekrn.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im egui.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im egui.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4044
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im ScanFrm.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ScanFrm.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\killkb.dll, droqp
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc config avp start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\sc.exe
        sc config avp start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4852
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im avp.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im avp.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      2⤵
      • System Location Discovery: System Language Discovery
      • Gathers network information
      PID:1800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 548
      2⤵
      • Program crash
      PID:4064
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:1568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2784 -ip 2784
      1⤵
        PID:2916
      • C:\Windows\system32\werfault.exe
        werfault.exe /hc /shared Global\1c0fa2d8a70d4b3ba412424bd486b048 /t 0 /p 3916
        1⤵
          PID:2976

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\killkb.dll
          Filesize

          25KB

          MD5

          10301fe19c1fdfc7aa4ead3b49f2b8f7

          SHA1

          6d03b253ce2c12bc5ae6c464c610db34687260bd

          SHA256

          18c70fb17ba4a479ac7ee030d999e5a34c91028575d83455346d028bc539fdda

          SHA512

          ff0efc5ccd0ad6a3b8f7a1967f6d75991aedb3f714a8853c742149559b193cdc740513da6a0673965191215a966d3cb9571c5df8bc74c085511c7aca3171f459

          Download Submit

        • C:\Windowsupdate.dll
          Filesize

          62KB

          MD5

          0142d8e5caec85e7bb5267744a6c9799

          SHA1

          7c1a88bba9a63139610a306aa0e8b31f0c135ebf

          SHA256

          5498d8e434000711935b88a43fd65a8c2821f072ab64eeabbebcc5cef2b0ea5c

          SHA512

          31c0f710e25a37edd764ed11b517e015f1ee3d66a5ae1b82c5e74b92b897a9a1a0523b97f5949a33413e2f3b5cf10c054c5047f5ebc42ebc074980dbfa341eab

          Download Submit

        • memory/2784-0-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2784-5-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/3320-12-0x0000000000D00000-0x0000000000D14000-memory.dmp

          Filesize

          80KB

          Download