Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-06-2024 14:17

General

  • Target

    1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe

  • Size

    95KB

  • MD5

    1a70e1e36e6afa454f6457140ac3d2ec

  • SHA1

    853c94da9a70900281a4345dab7c43812a467609

  • SHA256

    4d3a0ba910024c6ca1ca9e915eb43fff7f9610406105750383f716069e7dfb91

  • SHA512

    7ed173915292f8986cedfc4111ae644be0b497ba2d9e57a31d90699c5d8843b09646a94788f9644ddb732dc5ec6d6ee747e2de1fc4b0e852a64428d4398f1413

  • SSDEEP

    1536:yL6aduLanddV3DKTNKmeQAaswB18GF7ECWYevGwyvHYBAwnW4i9:yLFdPyjAaswzjVFOBA3

Score
8/10

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c temp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
        3⤵
        • Server Software Component: Terminal Services DLL
        PID:2112
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2604
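
The tree above is the svchost ServiceDll persistence pattern end to end: the dropper writes temp.bat, the batch file runs reg.exe to set HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll, and a SysWOW64\svchost.exe -k netsvcs instance then loads the dropped fastuserswitchingcompatibilityex.dll. One detail worth noting for triage: the registry value names C:\Windows\system32\..., but the DLL surfaced in SysWOW64 (see Downloads) and was loaded by the 32-bit svchost.exe. The dropper, cmd.exe and reg.exe all run from SysWOW64, so WOW64 file-system redirection maps their "system32" writes and loads to SysWOW64. A 64-bit analysis session that only checks the literal System32 path will wrongly conclude the file is missing.

The following hunt script is an added example for reviewing a live Windows host; it is not part of the sandbox report. The function name Get-ServiceDllCandidates, the "signed by Microsoft and located under System32/SysWOW64" heuristic, and the svchost group lookup under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost are the author's assumptions about what a reasonable baseline looks like; the group key and the Parameters\ServiceDll convention are standard Windows layout. Run it from an elevated 64-bit PowerShell session.

```powershell
# Added example (not sandbox output): enumerate every service with a ServiceDll
# value, resolve the DLL (including the WOW64 SysWOW64 fallback seen in this
# report), check its Authenticode signature and report the svchost group that
# would host it. Heuristics for "suspicious" are assumptions, not Windows facts.

function Get-ServiceDllCandidates {
    [CmdletBinding()]
    param(
        # Directories in which a Microsoft-signed ServiceDll is considered expected.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )

    $svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

    # Map service name -> svchost group (netsvcs, LocalService, ...). Each value
    # under the Svchost key is a REG_MULTI_SZ list of service names for that group.
    $groupOf = @{}
    $groupProps = (Get-ItemProperty -Path $svchostKey).PSObject.Properties |
        Where-Object { $_.Value -is [string[]] }
    foreach ($p in $groupProps) {
        foreach ($svc in $p.Value) { $groupOf[$svc.ToLowerInvariant()] = $p.Name }
    }

    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $name   = $key.PSChildName
        $params = Join-Path -Path $key.PSPath -ChildPath 'Parameters'
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        # The registry provider already expands REG_EXPAND_SZ; expanding again is
        # harmless and also covers a REG_SZ that was written with %SystemRoot%.
        $path = [Environment]::ExpandEnvironmentVariables($dll)

        # WOW64 caveat from this report: value says \system32\ but the file lives in
        # SysWOW64 and is loaded by SysWOW64\svchost.exe. Look there before giving up.
        $exists  = Test-Path -LiteralPath $path
        $wowPath = $null
        if (-not $exists -and $path -imatch '\\System32\\') {
            $wowPath = $path -ireplace '\\System32\\', '\SysWOW64\'
            $exists  = Test-Path -LiteralPath $wowPath
        }
        $effective = if ($wowPath -and (Test-Path -LiteralPath $wowPath)) { $wowPath } else { $path }

        $sigStatus = 'FileMissing'
        $signer    = $null
        if ($exists) {
            $sig       = Get-AuthenticodeSignature -FilePath $effective
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

        # Assumed baseline: a legitimate ServiceDll is present, validly signed by
        # Microsoft and located under one of the trusted roots. Anything else is
        # worth an analyst's eyes; third-party services will show up here too.
        $inTrustedRoot = [bool]($TrustedRoots | Where-Object { $effective -like "$_\*" })
        $suspicious = (-not $exists) -or
                      ($sigStatus -ne 'Valid') -or
                      ($signer -notmatch 'O=Microsoft Corporation') -or
                      (-not $inTrustedRoot)

        [PSCustomObject]@{
            Service      = $name
            SvchostGroup = $groupOf[$name.ToLowerInvariant()]
            ImagePath    = $imagePath
            ServiceDll   = $dll
            ResolvedPath = $effective
            FileExists   = $exists
            Signature    = $sigStatus
            Signer       = $signer
            Suspicious   = $suspicious
        }
    }
}

# Show only the services worth a second look, missing or unsigned DLLs first.
Get-ServiceDllCandidates | Where-Object Suspicious |
    Sort-Object FileExists, Signature |
    Format-Table Service, SvchostGroup, ResolvedPath, Signature, Signer -AutoSize
```

On the host in this report the expected hit is a service named FastUserSwitchingCompatibility whose ServiceDll resolves to SysWOW64\fastuserswitchingcompatibilityex.dll (MD5 452660884ebe3e88ddabe2b340113c8a per Downloads) with a NotSigned status. Pair the registry hunt with the file hashes listed below; the DLL name alone is easy for a variant to change.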

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Server Software Component (T1505): 1
  • Terminal Services DLL (T1505.005): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.bat
    Filesize

    211B

    MD5

    dde99ab936da8cbda74ea779ef0b2e67

    SHA1

    1e27e432e0b7c81b990b92595daebdf0539efea4

    SHA256

    ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80

    SHA512

    62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    70cf4b2d24efb18155567ceef9a5c62a

    SHA1

    5605714555b2a767044477576900e7317a63a70e

    SHA256

    a0642c0ca17f57b77b3075cde28c0b71bf0bc3acf579f1e7a78c04e63d91b255

    SHA512

    95c643774136101863ea5e2ee3adc0bf7f63894e0d6ccdc7544e6fd36b925eb4bbcca62de5fcc6bf671f6ce37ece9731fb3ba59a85c40b532864dd174fea1818

  • C:\Windows\SysWOW64\svchost.log
    Filesize

    993B

    MD5

    5cda55d0e518c590ee3f58e3f554cddb

    SHA1

    4585739cfdd9f118ef4a46b549cfebedadd4d258

    SHA256

    663cd00bb681c9613724eb8438d6d3b258870ac724bcd5cbe561dd35b56f8452

    SHA512

    2eacb2f0900bdee707235a71e49d4d536515c9bde07754e0fb554e26f7eba96c867e78eb1bc0e2a51e5cfbcac2677d0d581bed4502f13910d83a3f694363b2b0

  • C:\Windows\SysWOW64\svchost.log
    Filesize

    782B

    MD5

    7047003338531d4a8ab9fd14ec2b6eaf

    SHA1

    a5f73a3b02ec48c5c5327de2636f0fc52dc1027d

    SHA256

    eee1429b6f5c99474c2a570ae992cce39364f93eac67eb40ad6c1c66d9a6629a

    SHA512

    4d040b291f5bde09d45a1f60782af0d36b72adb2a5575cf6a6fa195623039a92e327f43b16bede24a8b100448ed49e201473236745f3e78d7866ff085446a587

  • C:\Windows\SysWOW64\svchost.log
    Filesize

    1KB

    MD5

    da51be846c0f901ae0b40d1668eba86d

    SHA1

    873b01535d9d34fb4411859eabe712ef15bb35b5

    SHA256

    3408d12aaadc7d6e536e84d3b256d784fffea0c595816762d9a367d50570871b

    SHA512

    1d6056d2ee15602817d729fa9db1989ac3395fe28b994a2ad51531d989d8f8fa03f114f81d9ba66b09f3592909259b0793a0ec07c5c48da435809f2acec572b3

  • C:\Windows\Temp\Tar83A6.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\system\config_t.dat
    Filesize

    138B

    MD5

    ada008f2bbc8bf17b0a0287a289c688a

    SHA1

    61b609261c81c511aff48b9cd24ee1307c225a56

    SHA256

    97a7d664f16b924996af78d2ea84f336d8395c8db5829761ad02bf223e88f689

    SHA512

    08bf0e452c3182a18f427ba861a641922a17a7f7ac2b21b2d04af2e496ab5afacd5c6f44c685b0cf3ca9ed471434af2536a3ce1d13c48eed427368b0de388ffb

  • C:\Windows\system\config_t.dat
    Filesize

    182B

    MD5

    ea72bea48bcb1dcad5a66609b5a1e81e

    SHA1

    f14a1bfe3d208c3d9d617484b122c779d50a10a6

    SHA256

    ec3eba5f4e5d72cf0bb6697a6eacc9f73a0eb0e89f0d9e498f48007689c46fb6

    SHA512

    255e0dae11114231a78773354fe9edbe2fa357fb47d2a5e11d1eec96655ee124356841929d3a27faf9f53bcd140bc855ebe88d8b53289c7cafe7dcc77a49c033

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
    Filesize

    45KB

    MD5

    452660884ebe3e88ddabe2b340113c8a

    SHA1

    b80d436afcf2f0493f2317ff1a38c9ba329f24b1

    SHA256

    ed6ad64dad85fe11f3cc786c8de1f5b239115b94e30420860f02e820ffc53924

    SHA512

    11c0bc211da6e083015d98cde3c34ce7f36fb492a9859936b1294e730f420f6ac8a68ceacb4367977d930b26ee8f99a0fd08eba59b895de23ac3b4d32ddfaa1c