Overview

overview

8

Static

static

3

ecf875da7e...18.exe

windows7-x64

8

ecf875da7e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2024 08:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecf875da7ed3cd354f1789ca56135d86_JaffaCakes118.exe

  • Size

    817KB

  • MD5

    ecf875da7ed3cd354f1789ca56135d86

  • SHA1

    d64473d5086c089257aead54a4d4da8570a2a06a

  • SHA256

    e977eebc9cc238ed3a54feab2b92d848bdfc493b9fb83739d0b86df96fc5f2ab

  • SHA512

    0f510d74021fd95df0117afd834a8807acf754c48767c36ef16bf51017e1028c5cbd1771bb09064875a87651474b536149143941335309797cd1cc7341fd09fa

  • SSDEEP

    24576:dCPas1XdMQYn9ZWQxYQIEDFwD3657oMk+fXo:dCPjXdPYn9ZWQxpIoWOUr

Score
8/10
persistencespywarestealerupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3420
      • C:\Users\Admin\AppData\Local\Temp\ecf875da7ed3cd354f1789ca56135d86_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\ecf875da7ed3cd354f1789ca56135d86_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Users\Admin\AppData\Local\Temp\ecf875da7ed3cd354f1789ca56135d86_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\ecf875da7ed3cd354f1789ca56135d86_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Users\Admin\AppData\Local\Temp\dandik2.exe
            "C:\Users\Admin\AppData\Local\Temp\dandik2.exe" 0
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Users\Admin\AppData\Local\Temp\dandik2.exe
              "C:\Users\Admin\AppData\Local\Temp\dandik2.exe"
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4580
          • C:\Program Files\Internet Explorer\iexplore.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      2d2887752c9c5a173ffb659c987ac49f

      SHA1

      eeaf9320a377a2c040e4b84cd53b2ccb8e6e0726

      SHA256

      b35e4fd0344d352e06b1377781ba325f7c85a461d12a02d0f4b692a22418869c

      SHA512

      db897836fab72d96bd7cba442d05fea6188e30f6b164f0cd3fc23c9c42b2dad5e187948cfea10a9b03bc5a5e12fe0109d1fb571c8051339d2e1aabbe39ddaa71

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      61f3344b078de562492f419769353359

      SHA1

      87f67d00a777058a2023b3237d3774c583403135

      SHA256

      e4d2c7f47a7d2f5c0a20e0a229535d9b7be6d68d222462bcdac66b6b5c8e058f

      SHA512

      639facff923caca0df3d768a89425b8231a0b4e6299af9c02ed44fd9db14d1fbddc4d9f0e706b968274e30d27206057d484d984a0b154d906d8c1a3e4d6a7389

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TMWGKKVJ\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dandik2.exe
      Filesize

      173KB

      MD5

      90e6107e0f617f0e0fbe274d9d485012

      SHA1

      7463d89901896652644969f0bed7d851d7d2a505

      SHA256

      46758d27474b57d6fa8c05274bb8cb8407b62f8b38eb736acd39985e9fc38630

      SHA512

      faf9e659ea0a7dc35e7fc020bd656c77fbd29a22d92b7c65e66243cf39b987ecc1410c64b7f34a22de74e3f9384a24dd4ffb6f9536e25095b5fcb6072df59a80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      171KB

      MD5

      744dcc4cbbfbb18fe3878c4e769ec48f

      SHA1

      c1f2c56ee2d91203a01d3465f185295477a1217d

      SHA256

      33eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163

      SHA512

      706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21

      Download Submit

    • memory/2320-36-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2352-35-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2352-33-0x0000000010000000-0x000000001005A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/2352-42-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2352-5-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2352-3-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2708-28-0x0000000000400000-0x0000000000426639-memory.dmp

      Filesize

      153KB

      Download

    • memory/2708-21-0x0000000000400000-0x0000000000426639-memory.dmp

      Filesize

      153KB

      Download

    • memory/3912-0-0x0000000000400000-0x0000000000426639-memory.dmp

      Filesize

      153KB

      Download

    • memory/3912-6-0x0000000000400000-0x0000000000426639-memory.dmp

      Filesize

      153KB

      Download

    • memory/4580-27-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4580-29-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4580-24-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download