Analysis

  • max time kernel: 147s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 24-06-2024 13:51

General

  • Target: 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
  • Size: 105KB
  • MD5: 08e5352a2416bd32a1c07f2d6c2f11fa
  • SHA1: 75a8054ee4939564fb90ccc654f0cfa9afe062c7
  • SHA256: aceca16c33ae8a73b1fd7699a8317d70d164df9744cb7e494834b9c1e457a768
  • SHA512: db1268b7f11726d9fae2d143757bec5c1497710cc97f3561cdf6dbd5cdd97aef7da2f1fbbbf6819b520e01a85e83775817d051812bcfcf5850dd534532ffc2af
  • SSDEEP: 1536:2FmExUd6hs8reTaBElUWasAYHx0OyZ206LM9YZALMwVw:2nohCWasXxb0T9YZ3we

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
        3⤵
        • Server Software Component: Terminal Services DLL
        PID:3056
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      2⤵
      • Gathers network information
      PID:1996

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 1
  • Persistence
    • Server Software Component (T1505): 1
      • Terminal Services DLL (T1505.005): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\net.bat
    Filesize: 211B
    MD5: dde99ab936da8cbda74ea779ef0b2e67
    SHA1: 1e27e432e0b7c81b990b92595daebdf0539efea4
    SHA256: ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80
    SHA512: 62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437

  • C:\Windows\SysWOW64\dnlist.ini
    Filesize: 60B
    MD5: c3bacb90e99eba817ab09df0d0ef20c6
    SHA1: fe4e99571d73151583f7df9b38007324da49e2ef
    SHA256: b99d78b6de211146fb5ab7786a873cc8429651c09e85b42ff78158219deaf79c
    SHA512: 5ca86a92927b7caf4b8d78c09f53a9fe2579f402140b38f42e47467e56a4156e4bf77bcae03fa626d75c1e274b9189a1d5e4da38836e601c0e602df075f61f12

  • C:\Windows\SysWOW64\system_t.dll
    Filesize: 793B
    MD5: 979276ecec3adb586f8d16f3c0ad4428
    SHA1: d169893974ecf4b3df8ea8fabfb89a6b7bb57abf
    SHA256: 14b14ad3b862040d24eec3d618a0d84ed46af6ec748eb2c404df2ec68fb66d3f
    SHA512: 4c7d744be072b8283d16eb26b5840a5c4348c72f0249709c5659a334770ee7cff574602c1ff42f1fe85df0e3aec49a36d0be58888b0ce49bc18497f5c19f1751

  • C:\Windows\system\config_t.dat
    Filesize: 204B
    MD5: a61b9e59164fb9d6e0f05e105e6fb9e4
    SHA1: 4dbfddb484c5a4bcd66ee75f06dfc0f4554d4e0d
    SHA256: 04c72340297fb4311263156c9923e170a577694d5d5dd3ff9ff39ea6077d0e36
    SHA512: 5a8f19a863c10182fffbcbfc3928c5b9867b1c21ef671483b835964923ace544a269ddb53a247cf4346716a48002436cff8fb56f853c59e7625948f1e9691178

  • C:\Windows\system\config_t.dat
    Filesize: 142B
    MD5: 9ddb656796bb7d9ad7e3fdb19e50f4df
    SHA1: 3cbd7ed350a3b1a6d721355f3bf1987a7397c556
    SHA256: 91b75374e15df2be1b82e68b1fc303724cc30e6976aa2b6d0f75e59dfafc50f6
    SHA512: 210d5389ebc24449778c3801b304bc4759d5337570554cf782b045f11bd5e0bc54ce392d338416d1505385c28916b2c2c619d87aeb5787d5c5c10d02ec9bb04b

  • \Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
    Filesize: 53KB
    MD5: bff5561677a647c314446e6daa509beb
    SHA1: ea52a1a5b15a13bee44cdbfe97beb9c0a4cecc32
    SHA256: 91baeec8fa63fbfb7cc0b3e441b438edc6e156fc0ab18a56c7bb6c5df3045048
    SHA512: 470973e51649968a0298e46883f5bc9f38d440d7376b6f8b6f6e191f19c5af7f78544a80a90dd218fc6871d519ecdf1735499f3e209b8d103a1c981edf07787b