Overview

overview

7

Static

static

7

e2abbf30e7...18.exe

windows7-x64

7

e2abbf30e7...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-04-2024 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe

  • Size

    23KB

  • MD5

    e2abbf30e779a5f8931222f7398e2ee1

  • SHA1

    ce71ed03848d2f908237c397fe17b539c969e6a4

  • SHA256

    9e8f48eb767fcc815e52b001490086397079986a8389ae9d239097128546024f

  • SHA512

    e683298bd2adbe042489116a6f01dd58491f661cb9604baab700f4f5c192e71caa6f0300552e6ce0d7a7596c336b2d28b0e26ef5e94fea0d3fcf5280c5a5a84e

  • SSDEEP

    384:bOiObYq5/pvqLyqSbSq0eK5zM+4P/8JI3ryKOxZ9J9m/D6TXPhPf+fF6b2pO7:cbN5hSZBNzJEX3rf6XPh+4H

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\SysWOW64\MW6K73g7.exe
      "C:\Windows\system32\MW6K73g7.exe" C:\Users\Admin\AppData\Local\Temp\e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe -firstrun
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\OV3S4IE6.exe
        "C:\Windows\system32\OV3S4IE6.exe" C:\Windows\SysWOW64\MW6K73g7.exe -firstrun
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3772
        • C:\Windows\SysWOW64\eY852eYn.exe
          "C:\Windows\system32\eY852eYn.exe" C:\Windows\SysWOW64\OV3S4IE6.exe -firstrun
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\1SOr7OS5.exe
            "C:\Windows\system32\1SOr7OS5.exe" C:\Windows\SysWOW64\eY852eYn.exe -firstrun
            5⤵
            • Executes dropped EXE
            PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\MW6K73g7.exe
    Filesize

    23KB

    MD5

    e2abbf30e779a5f8931222f7398e2ee1

    SHA1

    ce71ed03848d2f908237c397fe17b539c969e6a4

    SHA256

    9e8f48eb767fcc815e52b001490086397079986a8389ae9d239097128546024f

    SHA512

    e683298bd2adbe042489116a6f01dd58491f661cb9604baab700f4f5c192e71caa6f0300552e6ce0d7a7596c336b2d28b0e26ef5e94fea0d3fcf5280c5a5a84e

    Download Submit

  • memory/816-46-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/816-61-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2644-64-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2908-13-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2908-24-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2908-54-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3772-28-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3772-37-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4512-43-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4512-0-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4512-12-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4512-1-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download