Overview

overview

7

Static

static

7

ec299fa49a...18.exe

windows7-x64

7

ec299fa49a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 22:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ec299fa49af887b8048fffe0c7ff7d81_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    ec299fa49af887b8048fffe0c7ff7d81

  • SHA1

    1cb8dea56ccf3217ded89686ef2bde37d4ef4521

  • SHA256

    37c843ef0e40cdbd97720c992bed22a44b9a193727d9b2be81df6519e194cb51

  • SHA512

    20e9e1425b3620c350f56fb983b0cf12aff9348a4a5ff2a57e27ebc4c6fb48119a9f5b96bf348d0927af4332a93c635e02aeec89eaa10d9bae25bf0a465daca2

  • SSDEEP

    24576:NFE//Tct4bOsCVyyY3V8ZlxTUrMoPBtTODouN8my+:HSVCMHOZmMOYou7d

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec299fa49af887b8048fffe0c7ff7d81_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec299fa49af887b8048fffe0c7ff7d81_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\InstantSupportVNC.exe
      "C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\InstantSupportVNC.exe" -autoreconnect ID:585452 -connect tech-express.ca:5500 -run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1352
    • C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\InstantSupportVNC.exe
      "C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\InstantSupportVNC.exe" -autoreconnect ID:585452 -connect 192.168.6.60:5500 -run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:836
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4720

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\InstantSupportVNC.exe
            Filesize

            915KB

            MD5

            99fc0b786809bf0034201495d3dbea54

            SHA1

            ecb365637cfe183f2f59904aedaf2687866aaf8b

            SHA256

            ce8815ae10eedf0bc2321810969fe2370a6efa84ddd13fa079b22bf08be4a611

            SHA512

            92098d328360c5c3efabfe9910548d0803169ba03fd85186572abfbdccd9fdbc7002dd97305d2bd60a9c2f6598c81a67f5c940438e26957386100c69f4ba1fec

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\SecureVNCPlugin.dsm
            Filesize

            402KB

            MD5

            6acaf371ac78035b26bff56d10268bed

            SHA1

            68c650a72403f594c68bd1c1a245f6681c373107

            SHA256

            9c82604139d25d182810035d55959284037cf8e3d8b03740f9fc16be1d3f697c

            SHA512

            1a35f6b4e01f9785fb441e85e74e319ac34321eb6e440b3f641eefc323775646e5c9fbc69dc6de0e51b94e12948d8491f8a12ecc3254fd00747bf49a1b35c27a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\logo.jpg
            Filesize

            20KB

            MD5

            a4b4ec61c8d5630def565a4dbd244a97

            SHA1

            784aebfd90a2838baadf8fe7cf4f428cf4fc210e

            SHA256

            58a766671decc633731ca53b5f25c8ec5cd1665c0b8b13949a64d5e6b5e4f70f

            SHA512

            193c1cb8d698d39ae4265db0064bda5e63696eba98405a63374f38ce69ec93edfdd6f2b7284bf3177729d319bfabe8c3ed4edd1edbb5e1b0761feff89615c9e9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\InstantSupport_Temp_Files_460242\ultravnc.ini
            Filesize

            1KB

            MD5

            7543fed045fa795df20d641ae7464b69

            SHA1

            51e21c0e5573a76d4716617d8007d47a664b1b27

            SHA256

            e359ed58c137a8c8814996c846496798bc999845b0608c9c9a71a19985bb3664

            SHA512

            c4f65ad662dbd7dc824074ab8aa4a92ffbac33dc8696df2d233647df46ab7d3841ef1fa1380dc8e1da4812dde218fdef0403548852d1b7dd2f3e2b94938c354d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\autE186.tmp
            Filesize

            126B

            MD5

            7c7f378a2c66a140ea662fb22f958f6a

            SHA1

            cc2e9faca01810d381a35c1e098531572becaaa4

            SHA256

            e508d210361abee36bfdbdd3e1c2aedb2c45b3c9cc87ea9fa86b6860e064ba05

            SHA512

            aec32909a7374ba2072bfdd0f43589f26edce95eb19b38ba7b9db63bc85d26ad6684765a37bc35e3362ea1c28caf005cda53c022e09cbb1b82914d35784d456c

            Download Submit

          • memory/4300-52-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-48-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-49-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-50-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-51-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-0-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-54-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-57-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-58-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-59-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-60-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-61-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-62-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-63-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-64-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download

          • memory/4300-65-0x0000000000400000-0x00000000004D5000-memory.dmp

            Filesize

            852KB

            Download