Overview

overview

10

Static

static

3

d9fc3b8454...18.exe

windows7-x64

10

d9fc3b8454...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    d9fc3b845454f7588b0f48b017fb9a50

  • SHA1

    17de143a193969b85902fa54c1554410dcf72b06

  • SHA256

    1fe2341438aea4b0427f3f2808918b6ef00bf742bc903e94022c7f73df914ed4

  • SHA512

    bb11d7ad5d6f426b23c459d130c8962c66a70fa5d6df35ffbf2bc51ae619dc94bb9bccd990d0856a6a5ca40f0a3d5519b7f0dd075fc9e1a65f846a4a72a7449c

  • SSDEEP

    24576:m2g8AFUAEUM91zfwVPIl6Mw3C1tvIgOB9Af8P2rU:+FUB9wRMUYL8P2rU

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:2240
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
          PID:2728
        • C:\Windows\System32\mousocoreworker.exe
          C:\Windows\System32\mousocoreworker.exe -Embedding
          2⤵
            PID:4352
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            2⤵
              PID:4516
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              2⤵
                PID:4452
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                2⤵
                  PID:4728
                • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                  2⤵
                    PID:3140
                • C:\Users\Admin\AppData\Local\Temp\d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe
                  "C:\Users\Admin\AppData\Local\Temp\d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe"
                  1⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1536
                • C:\Users\Admin\AppData\Local\Temp\kklgdje.exe
                  C:\Users\Admin\AppData\Local\Temp\kklgdje.exe
                  1⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:684
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 712
                    2⤵
                    • Program crash
                    PID:4844
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 720
                    2⤵
                    • Program crash
                    PID:3592
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 684 -ip 684
                  1⤵
                    PID:1196
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 684 -ip 684
                    1⤵
                      PID:4748

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\bwxpxog
                      Filesize

                      654B

                      MD5

                      3f89a6a9e526b04f947c2b88ef3f778c

                      SHA1

                      8255cd8eef6a75e020e581fa434cc8af8939f764

                      SHA256

                      65837c133452b53004c8859dfde9327f3da322828490efd72f00361caae761a5

                      SHA512

                      4ff746af8f4953545a4720f30701d0fbfd9599e12a7b53f92c1186b72536146fc73aa9be5cdcb1ebb876c1153cd7a78048dd315153af7599cda2642ab6a5d466

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\kklgdje.exe
                      Filesize

                      1.0MB

                      MD5

                      d9fc3b845454f7588b0f48b017fb9a50

                      SHA1

                      17de143a193969b85902fa54c1554410dcf72b06

                      SHA256

                      1fe2341438aea4b0427f3f2808918b6ef00bf742bc903e94022c7f73df914ed4

                      SHA512

                      bb11d7ad5d6f426b23c459d130c8962c66a70fa5d6df35ffbf2bc51ae619dc94bb9bccd990d0856a6a5ca40f0a3d5519b7f0dd075fc9e1a65f846a4a72a7449c

                      Download Submit

                    • memory/684-18-0x0000000000400000-0x000000000050B000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/684-21-0x0000000003010000-0x000000000325B000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/788-30-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-46-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-235-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-32-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-27-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-26-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-24-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-237-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/788-3399-0x000000000B3C0000-0x000000000B437000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1536-6-0x0000000004580000-0x00000000045D5000-memory.dmp

                      Filesize

                      340KB

                      Download

                    • memory/1536-13-0x0000000004A00000-0x0000000004C4B000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/1536-10-0x0000000000400000-0x000000000050B000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/1536-12-0x00000000047E0000-0x00000000049FA000-memory.dmp

                      Filesize

                      2.1MB

                      Download

                    • memory/1536-9-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-8-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-7-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-0-0x0000000004580000-0x00000000045D5000-memory.dmp

                      Filesize

                      340KB

                      Download

                    • memory/1536-5-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-4-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-3-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-2-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1536-1-0x0000000002280000-0x0000000002281000-memory.dmp

                      Filesize

                      4KB

                      Download