Analysis

  • max time kernel
    141s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/04/2024, 14:59

General

  • Target

    eb5549f180da6b08680735ece585ba53_JaffaCakes118.exe

  • Size

    99KB

  • MD5

    eb5549f180da6b08680735ece585ba53

  • SHA1

    ee279ea751758e583f2aa7a33685a206253d1288

  • SHA256

    824ecf0986784c13813a760409a47d759537d48ff3a0ba0d7e9ac38e0248d006

  • SHA512

    100ed7667529c35fffa9376e392126b5b7d17d3c26a5b5fd774c2ca82875ea29ae5320558eb06ec843aa1038ae83c5a631a51a65efc55ccc8b667148cea8d247

  • SSDEEP

    3072:sr3KcWmjRrzSUXCMXnFjYrXSg76TulX8ZR5uRk:/qnAXSgmQ8ZRgm

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
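
The "UPX packed file" signature above is the one whose mechanism is spelled out, so here is a worked check for it. This is an added example, not code from the report or from the sandbox vendor: it walks the PE section table and looks for the section names stock UPX writes (UPX0/UPX1/UPX2) and for the UPX! magic that precedes the compressed blocks. Both are heuristics; a modified UPX build can rename sections and strip the magic, which is exactly why the signature also says "modified UPX". The `build_minimal_pe` helper constructs a header-only PE purely to exercise the parser; it is not the sample from this report.

```python
import struct

# Section names written by stock UPX. Modified builds often rename them, so a
# miss here does not prove the file is unpacked.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"  # l_info magic that stock UPX stores ahead of the compressed blocks


def pe_section_names(data: bytes) -> list:
    """Walk the IMAGE_SECTION_HEADER table of a PE image and return its section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + size_opt  # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + i * 40  # sizeof(IMAGE_SECTION_HEADER); Name is the first 8 bytes
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the individual UPX heuristics so an analyst can see which one fired."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": UPX_MAGIC in data,  # raw byte scan: cheap, but any file can contain it
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_minimal_pe(section_names, with_magic=False) -> bytes:
    """Constructed header-only PE (no code, not loadable) used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + (UPX_MAGIC if with_magic else b"")


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], with_magic=True)
    plain = build_minimal_pe([".text", ".rdata", ".data"])
    print(upx_indicators(packed), looks_upx_packed(packed))
    print(upx_indicators(plain), looks_upx_packed(plain))
```

Run it against the dropped files from the report to see which heuristic fires; if neither does on a sample the sandbox still tagged as UPX, the packer stub has been modified and entropy or import-table checks are the next step.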

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb5549f180da6b08680735ece585ba53_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb5549f180da6b08680735ece585ba53_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Users\Admin\AppData\Local\Temp\HgodQ6EEgbyfl6N.exe
      C:\Users\Admin\AppData\Local\Temp\HgodQ6EEgbyfl6N.exe
      2⤵
      • Executes dropped EXE
      PID:2020
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:116
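
The process tree above shows how three of the behaviour signatures are attributed: the parent writes two files, one of them under C:\Windows, and each child is tagged "Executes dropped EXE" because its image path was written earlier in the same run. The following is an added example, not the sandbox's own rule engine, that replays a constructed event stream mirroring this tree and attributes the same three signatures by PID. The event ordering, the registry value data and the file 116 writes under C:\Windows are assumptions; the report gives only the PIDs, image paths and signature names.

```python
from collections import defaultdict
from dataclasses import dataclass

# Autostart keys checked for "Adds Run key"; HKLM and HKCU share the same suffix.
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Event:
    kind: str        # "proc_start" | "file_write" | "reg_set"
    pid: int
    path: str        # image path, written file path, or registry key path
    ppid: int = 0    # parent pid (proc_start only)
    value: str = ""  # registry data (reg_set only)


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def correlate(events):
    """Replay events in order and attribute behaviour signatures to the acting PID."""
    dropped = set()             # normalised paths written during the run
    hits = defaultdict(set)
    for ev in events:
        p = norm(ev.path)
        if ev.kind == "file_write":
            dropped.add(p)
            if p.startswith(WINDOWS_DIR):
                hits[ev.pid].add("Drops file in Windows directory")
        elif ev.kind == "proc_start":
            # The tag goes on the new process, matching the report's tree.
            if p in dropped:
                hits[ev.pid].add("Executes dropped EXE")
        elif ev.kind == "reg_set":
            if p.endswith(RUN_KEY_SUFFIXES):
                hits[ev.pid].add("Adds Run key to start application")
    return {pid: sorted(s) for pid, s in hits.items()}


# Constructed to mirror the process tree in this report. PIDs and image paths are
# from the report; ordering, the Run value data and 116's write target are assumed.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    Event("proc_start", 5072, r"C:\Users\Admin\AppData\Local\Temp\eb5549f180da6b08680735ece585ba53_JaffaCakes118.exe"),
    Event("file_write", 5072, r"C:\Users\Admin\AppData\Local\Temp\HgodQ6EEgbyfl6N.exe"),
    Event("file_write", 5072, r"C:\Windows\CTS.exe"),
    Event("reg_set", 5072, RUN_KEY, value=r"C:\Windows\CTS.exe"),
    Event("proc_start", 2020, r"C:\Users\Admin\AppData\Local\Temp\HgodQ6EEgbyfl6N.exe", ppid=5072),
    Event("proc_start", 116, r"C:\Windows\CTS.exe", ppid=5072),
    Event("file_write", 116, r"C:\Windows\CTS.exe"),
    Event("reg_set", 116, RUN_KEY, value=r"C:\Windows\CTS.exe"),
]


if __name__ == "__main__":
    for pid, sigs in correlate(SAMPLE_EVENTS).items():
        print(pid, sigs)
```

The two signatures not modelled here, AdjustPrivilegeToken and WriteProcessMemory, come from API-call tracing rather than file or registry events, which is why they are absent from the event model.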

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

          Filesize

          357KB

          MD5

          bc914f5bec1955ec3451daeca7f889df

          SHA1

          891e4230ba87724168ae92de61bd95b752e03e21

          SHA256

          074312069db266d48002076d432b0063c5b75aa11695aeb89d932970fb08d124

          SHA512

          277ff5051ef8c47bc74ab88345d01685e6fda82b8ca9880513af0022323037d723f117ebefab5883e6330a7d7cfaa6ebe3176ec9e4ea352cdabd84db5d069278

        • C:\Users\Admin\AppData\Local\Temp\HgodQ6EEgbyfl6N.exe

          Filesize

          64KB

          MD5

          a32a382b8a5a906e03a83b4f3e5b7a9b

          SHA1

          11e2bdd0798761f93cce363329996af6c17ed796

          SHA256

          75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

          SHA512

          ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

        • C:\Windows\CTS.exe

          Filesize

          35KB

          MD5

          93e5f18caebd8d4a2c893e40e5f38232

          SHA1

          fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

          SHA256

          a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

          SHA512

          986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

        • memory/116-9-0x0000000000790000-0x00000000007A7000-memory.dmp

          Filesize

          92KB

        • memory/5072-0-0x00000000008A0000-0x00000000008B7000-memory.dmp

          Filesize

          92KB

        • memory/5072-7-0x00000000008A0000-0x00000000008B7000-memory.dmp

          Filesize

          92KB
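
The dropped-file digests above are the indicators most analysts will want to sweep a host or a mounted image for. The script below is an added example, not tooling from the report or the sandbox: it carries the MD5/SHA1/SHA256 values for the two dropped files verbatim from this page, computes all three digests in one pass per file, and also checks the path indicator (the persistence copy lands at C:\Windows\CTS.exe, which the report documents). SHA256 is treated as the authoritative match; an MD5 or SHA1 match on its own is reported separately because both are collidable. The sample tree it builds for demonstration is constructed and is not the real binary.

```python
import hashlib
import tempfile
from pathlib import Path

# Digests of the two files dropped in this run, copied from the report above.
REPORT_IOCS = {
    "HgodQ6EEgbyfl6N.exe": {
        "md5": "a32a382b8a5a906e03a83b4f3e5b7a9b",
        "sha1": "11e2bdd0798761f93cce363329996af6c17ed796",
        "sha256": "75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346",
    },
    "CTS.exe": {
        "md5": "93e5f18caebd8d4a2c893e40e5f38232",
        "sha1": "fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6",
        "sha256": "a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8",
    },
}
# Path-based indicator from the process tree: the persistence copy at C:\Windows\CTS.exe.
# Compared as a lower-cased POSIX suffix so it also works on a mounted image.
PATH_INDICATORS = ("windows/cts.exe",)


def digests(path, chunk=1 << 20):
    """Read the file once and compute all three digests together."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def sweep(root, iocs=REPORT_IOCS, path_indicators=PATH_INDICATORS):
    """Return (path, match_kind, indicator) for every file under root that hits an IoC."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        posix = p.as_posix().lower()
        for ind in path_indicators:
            if posix.endswith(ind):
                findings.append((str(p), "path", ind))
        d = digests(p)
        for name, ref in iocs.items():
            if d["sha256"] == ref["sha256"]:
                findings.append((str(p), "sha256", name))
            elif d["md5"] == ref["md5"] or d["sha1"] == ref["sha1"]:
                # Collidable digests: worth a look, but not a confirmed match on their own.
                findings.append((str(p), "weak-hash", name))
    return findings


def build_sample_tree(root):
    """Constructed fixture: a fake CTS.exe under <root>/Windows, plus an IoC record for it.
    The bytes are arbitrary; they are not the dropped binary from the report."""
    target = Path(root) / "Windows" / "CTS.exe"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(b"MZ" + b"constructed stand-in, not the real sample" * 4)
    return {"CTS.exe(constructed)": digests(target)}


def run_demo():
    """Sweep a throwaway tree with the report's IoCs plus the constructed record."""
    with tempfile.TemporaryDirectory() as tmp:
        iocs = {**REPORT_IOCS, **build_sample_tree(tmp)}
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `sweep()` at a live system drive or an evidence mount; the constructed record only exists so the demo produces a hit, and against the real report digests a stand-in file matches on path but not on any hash.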