Overview

overview

7

Static

static

7

d0662614f5...18.exe

windows7-x64

7

d0662614f5...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe

  • Size

    692KB

  • MD5

    d0662614f5e16db952e76910d1cc305e

  • SHA1

    959b9a35fd871eb91c76da3133c20fe6023b0418

  • SHA256

    3bf8c5076c5c4b62a88a5ea7dfccd4bc7874abc187a68135c1287c6203895ef6

  • SHA512

    0d94daa0673929d02fba197a3ff056811b07a7895b9b4d7c4b22cff18316338c35a426303e125f79df673abae3b205b1265138a19fe6b26830a21d982dc383db

  • SSDEEP

    12288:smJyVADu7+UY7eaPAGjY6Wz8/lHKmH8QyAaVunCM094qGoBhkFGd+pg:hpH73AG8r8/lqmH8QyAggg4qGmhkVpg

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\JFFLd5G7JZiSzCT.exe
      C:\Users\Admin\AppData\Local\Temp\JFFLd5G7JZiSzCT.exe
      2⤵
      • Executes dropped EXE
      PID:4336
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    439KB

    MD5

    b08742f63edcb6883a4f4b39c49d36d5

    SHA1

    27794336ed264d47a170c7f07dbd7c8fc1882590

    SHA256

    655d7514299adaa876451da86690e14838bc49366cf7801c4a0ac0d2a9584a83

    SHA512

    49a4fab14b71ca96a00f4d58c96798c03adb15ec7da6b6a06f8a5894251af0154c0bc4548d1cc56baac8ad4346e2a9b6e969357ec85e3e30b4dc514df40bf113

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JFFLd5G7JZiSzCT.exe
    Filesize

    574KB

    MD5

    6503efe0a01c2d50c97be27f3cb10a43

    SHA1

    a0cb3708603a18f02352d01ec672020e5bad5073

    SHA256

    0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e

    SHA512

    ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    118KB

    MD5

    f3a5f1a9498a80d37ad51a465a73bbbe

    SHA1

    cf0373fb9837de6a67e18f1896258cb99005037b

    SHA256

    c77cd8b176021d3c9c3c2822691ed40dbda40a9cecb64b4db0cf3630af6cbbc0

    SHA512

    bdbd9334784577ac625375c1a5f1974ae68040b42d5b09e399c58bc531112d272a9d799747183e9d5704b5a59c2e39e37c3ed887ad84b73f89c51835afecb7cc

    Download Submit

  • memory/1124-10-0x0000000000BA0000-0x0000000000BB9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1596-0-0x0000000000BA0000-0x0000000000BB9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1596-9-0x0000000000BA0000-0x0000000000BB9000-memory.dmp

    Filesize

    100KB

    Download