Analysis

  • max time kernel: 149s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 15-04-2024 18:04

General

  • Target

    f1a975daccfd84ebf20e77751368d101_JaffaCakes118.exe

  • Size

    27KB

  • MD5

    f1a975daccfd84ebf20e77751368d101

  • SHA1

    5abcfa8d2de58600533ba27c14c939aecfefa253

  • SHA256

    43af8f2d468de283b69a3cff8f1cf5387674431bbb9e5ca7a914758215c7220a

  • SHA512

    f134c842f82604eac10bf734ecf67e42365177e2d292afbafcc84bdb1e7d93cbe447ed8c578ef5313caa18d886022d195b2f3d25c09e4b2cd222b89b37b7bd46

  • SSDEEP

    768:3ayfa1kd67H7e9syJWOlKki+OZ8BnbcuyD7U:qy4K9syJB0onouy8

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1a975daccfd84ebf20e77751368d101_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1a975daccfd84ebf20e77751368d101_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Local\Temp\sbsm.exe
      C:\Users\Admin\AppData\Local\Temp\sbsm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\sbmdl.dll

    Filesize

    9KB

    MD5

    e3bc72a87f2cfed90582ddc5b37b007b

    SHA1

    a5c7f17996a1661f86f60f35737deb8b4dd022cc

    SHA256

    1f1c1c2c9a2807894b84ddcaa8a0ec5dc2ea36a9342fb9500a37620c51993f1d

    SHA512

    2a82490827a12b39832c0dd769b2cbe94776d8e170942541b2bf615c40f1150d3aed899ff684214b276d4328deb7afc8043b3c492eee9a0c53e831f390b8c0d0

  • \Users\Admin\AppData\Local\Temp\sbsm.exe

    Filesize

    7KB

    MD5

    4194c2c96108b31e5b2c228fd9541843

    SHA1

    237fe7361cc82fa4caf744ac38324fdbed0106d4

    SHA256

    890aac4be2bb83ded3e771d9da943367932eaf4feaf6fa81b3a143766c0fb530

    SHA512

    8d6c10e36cfe350b9bf6b0b25a07b60643e9a08715363109690fbd02133d079f0b5719b8a13c7b7ffa228d3b0d62927de964cba924536ca1fa88fb6ccc7ecf5f

  • memory/2244-3-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/2244-12-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB