Overview

overview

8

Static

static

3

e9f5788ba2...18.exe

windows7-x64

8

e9f5788ba2...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09/04/2024, 12:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe

  • Size

    643KB

  • MD5

    e9f5788ba2b875d7debe7d398d0eb4b1

  • SHA1

    821bfe0ddd6384c02a8c5565a1689702d3d44a53

  • SHA256

    211f69de0184d66a4525463a4056932fb7fea95d96ebfce09930d295e95488cd

  • SHA512

    ac6d1e2882120e26ca1d99e77bb0c64923e086e697ae839f4e6b0ec237fb3880859f2e03d5729107685470068691353388fbd1adace9bd80894133d2cdc5bd5b

  • SSDEEP

    12288:VLG6JA70VxW6hSlLOQ0UCKO6H88DdMBLZoVjiIwaghvTDAsAuFekhX7xp/L6i6Y:VC6JK2hkLOhUCKO6cidw6jWaQ/FekhL1

Score
8/10
evasionpersistencespywarestealer

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\web\printers\125.bat
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2788
      • \??\c:\windows\web\printers\rar.exe
        "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\usbhard.rar c:\windows\web\printers\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2364
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R +A +S +H c:\windows\web\printers
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2780
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\1.reg
        3⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1048
      • \??\c:\windows\web\printers\rar.exe
        "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\zzz.rar c:\windows\dell\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2484
      • \??\c:\windows\dell\lsess.exe
        c:\windows\dell\lsess.exe
        3⤵
        • Executes dropped EXE
        PID:1668
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\5.reg
        3⤵
        • Runs .reg file with regedit
        PID:1220
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\2.reg
        3⤵
        • Runs .reg file with regedit
        PID:1372
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R d:\~1
        3⤵
        • Views/modifies file attributes
        PID:1920
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R d:\setprter
        3⤵
        • Views/modifies file attributes
        PID:1916
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R e:\~1
        3⤵
        • Views/modifies file attributes
        PID:2408
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R e:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2036
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R f:\~1
        3⤵
        • Views/modifies file attributes
        PID:2492
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R f:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2740
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R g:\~1
        3⤵
        • Views/modifies file attributes
        PID:1828
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R g:\setprter
        3⤵
        • Views/modifies file attributes
        PID:3060
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R h:\~1
        3⤵
        • Views/modifies file attributes
        PID:2784
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R h:\setprter
        3⤵
        • Views/modifies file attributes
        PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\11a.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:2892
      • C:\Windows\SysWOW64\attrib.exe
        attrib -S -H c:\ma.exe
        3⤵
        • Views/modifies file attributes
        PID:1912

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\11a.bat
          Filesize

          240B

          MD5

          33fd3c8efe8780270bffff10d338982d

          SHA1

          9f2e271aa3e8ba4e83cbcb9ba473f92507754721

          SHA256

          4979a52405a33302dcb3b0b6e66fb0b38f15708246406639293f8b2ad15514f8

          SHA512

          bb0e6ad1d26565cb5497caa7ee318c784091b6f187ac63f1b23ba8e6f5d9e1e6b311f3318bc87f363a948d065b6b7c678f8931b451fa04c20421e6f875cddbfa

          Download Submit

        • C:\Windows\Web\printers\125.bat
          Filesize

          1KB

          MD5

          1af018ff177dfbae562ac429cff786cb

          SHA1

          81f09865306d8c91d59bbec8a11ac874816f102c

          SHA256

          dda4aa27c7fd4b793bcadbd94c47dc997d66e293f910af3826de893b0381914a

          SHA512

          a76fba548576d2c99dac7e040bb140e29a68f55ee024174018345c4236e2a7ebda96d5ed1b66da85ae60d20485847e3cd38d34262be6c45475938f8d2182ab22

          Download Submit

        • \??\c:\Windows\Web\printers\1.reg
          Filesize

          45KB

          MD5

          4ad724ba8346d8556e6e884727c0523e

          SHA1

          b53e2ec83b5b8441667b980fe6a53d69987fca89

          SHA256

          48c52c0934097cdd0aea155be18a2006f2dd6884d623a51b00baf3e5de3e1412

          SHA512

          fde2fb90a19fa00d040ade516fef8ca5f4463aee1a8af2fc85f41c3e818365086ff12491c330c8598bf071270bdbd863bbcdb5a5dde3d2523fbd1f6182eb33f3

          Download Submit

        • \??\c:\Windows\Web\printers\5.reg
          Filesize

          22KB

          MD5

          3619b2192d1e0d4907f7d4702b4aa9e1

          SHA1

          1bb317bea13bb457d9ec71294e5c07c93cc9b8e6

          SHA256

          7da095327a1e11369d67d4f15d7c2e84cce9fb5d4cbac42d9b70bf0976300893

          SHA512

          8f2d8420dc2e92a4df42eab89bb612b2562ff6d152c4a6f651c64371089506673bf9f02a37ff1c3ad53a9ae0fe51aa9c47dcdb7e01a319df51306d58a601b7ff

          Download Submit

        • \??\c:\windows\dell\lsess.txt
          Filesize

          55.6MB

          MD5

          526db4284f602cb880424f9459a6ce53

          SHA1

          c0ec731ae5e22420e9532485aeacf2e5bf6fc9b6

          SHA256

          14458b0f2963bb894d620ef724de3820cd775e27a092075a784f98cbd46d36b6

          SHA512

          36d72cf3cbd229cf7b3105f86b8600b64cdd1faed02c659f4b1d4d89d9fa5c7eee55c2e0398b45e6ca2ffd1757f2a6abc11229056da8aaade2d193c245e20006

          Download Submit

        • \??\c:\windows\web\printers\360s.txt
          Filesize

          36.6MB

          MD5

          9db87afc027bcb06705b5c918c74c84e

          SHA1

          a8330688c6cf9797fd68769979e9676613b76a59

          SHA256

          41b6ec359169e544c31194277d918480f7cda3607d4dc00b035dab6858791039

          SHA512

          badd60d1fc5b646f324e249c096960174cfadef7c38ca8ba9bcaa5d0c10ae1b67fdfdc1719e3863c1446392e56bd505478c8e564517e5b61ccece10cb06c3666

          Download Submit

        • \??\c:\windows\web\printers\usbhard.rar
          Filesize

          235KB

          MD5

          f88fc7ec53733e37a823c1d6955afda5

          SHA1

          fff48a1387a612ff2aa012754a64d5534b5ac85e

          SHA256

          97ac32d6236176cf4bd52fe79bf7e9074e72918e6b0dd90062b672fdaeff16d2

          SHA512

          9df9bcd10269be12962bc8084581f529d0ac46f91fdc1c04d03fbbbfd8fd99c6938c7e72476cb41281bf07d6860d58bf39ffe2495a0c29e85ed10aad31cc45a6

          Download Submit

        • \??\c:\windows\web\printers\zzz.rar
          Filesize

          232KB

          MD5

          a4ef777a4dd805ff81d88e26bf2fce43

          SHA1

          74344e53549c128ad7450c85738fab2df2715555

          SHA256

          bb578ce033793937421fc323fed18b9dbfc6e3cdcb9344a11a20a0415c257d4f

          SHA512

          dba1f668c438bcf68b13c907be983c7d40f5bece7f1daecc212bb1cc8cd4adb5698e0cbd2d0bfba5cbb90f6e8a0b436312200227a1e9534da180c9f45dda117c

          Download Submit

        • \Windows\Web\printers\rar.exe
          Filesize

          310KB

          MD5

          0a5680183c0089a64621e211917664d8

          SHA1

          8525d73c99e28413e97a094c99950e1806786246

          SHA256

          c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

          SHA512

          b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

          Download Submit

        • \Windows\dell\lsess.exe
          Filesize

          55.6MB

          MD5

          fc311e5226b49bc4d9c29e5e87437d3a

          SHA1

          f1f199e7c0ea389b50bdba0f6787d6638d254240

          SHA256

          43a31fcedaa15089e8c1b64b58212d1884f7578ca3a2d2c6d616036ee154c344

          SHA512

          b2ba7f02a86ef3702291c4945c37b9996a9740bd6151ae0979a38d8817c9db494afd905c07c5d48d76026011df97f7c3a8de2c959d18487d3a0520d11ef9f294

          Download Submit

        • memory/1328-0-0x0000000000400000-0x00000000004D5000-memory.dmp

          Filesize

          852KB

          Download

        • memory/1328-71-0x0000000000400000-0x00000000004D5000-memory.dmp

          Filesize

          852KB

          Download

        • memory/1328-1-0x0000000000020000-0x0000000000023000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1668-85-0x0000000000400000-0x00000000004EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1668-87-0x0000000000020000-0x0000000000023000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1668-86-0x0000000000020000-0x0000000000023000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2364-51-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2484-62-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2788-84-0x0000000002370000-0x000000000245B000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2788-81-0x0000000002370000-0x000000000245B000-memory.dmp

          Filesize

          940KB

          Download