Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 20:50

General

  • Target

    JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe

  • Size

    532KB

  • MD5

    43911114fe45fe2349eea1c3c5657bfd

  • SHA1

    3ce01eaf787a67fd84d31bee4eddbeaab0b239c9

  • SHA256

    371e7fce1fa40071ff8b99fa72a84f8697e26e8d43bc0932c9acc9ce4ba64a0d

  • SHA512

    e333fa0db5a206dcbe32e385905aa71b09d3f09fbff449a65a6e5ea607ed9ab424595666d8603a173987f257735620d92942a7b420fdee049b281c4261018d35

  • SSDEEP

    12288:D6onxOp8FySpE5zvIdtU+YmefStLpm1tT0:5wp8DozAdO9StLpwR0

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • UAC bypass (3 TTPs, 13 IoCs)
  • Adds policy Run key to start application (2 TTPs, 26 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 8 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file (1 TTPs, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (32 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (32 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)
  • System policy modification (1 TTPs, 38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe
      "C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2164
      • C:\Users\Admin\AppData\Local\Temp\zigsr.exe
        "C:\Users\Admin\AppData\Local\Temp\zigsr.exe" "-C:\Users\Admin\AppData\Local\Temp\wqzwgbmiuinicqsq.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2408
      • C:\Users\Admin\AppData\Local\Temp\zigsr.exe
        "C:\Users\Admin\AppData\Local\Temp\zigsr.exe" "-C:\Users\Admin\AppData\Local\Temp\wqzwgbmiuinicqsq.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1372
    • C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe
      "C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2932

Network

MITRE ATT&CK Enterprise v15


Downloads
