Overview

overview

7

Static

static

7

f8ed5820bd...18.exe

windows7-x64

7

f8ed5820bd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8ed5820bd9a54f2f523fca8c182df29_JaffaCakes118.exe

  • Size

    59KB

  • MD5

    f8ed5820bd9a54f2f523fca8c182df29

  • SHA1

    249eed1205439dbe16dbd9df31aac97a80769ac3

  • SHA256

    7fccea4f94ec3e65bed45a9220b33b4d9bfa609eee08fd92bbc3d896d143b66a

  • SHA512

    3aee4a895c1572f95b7114c3f3749350df38a1e14e893835b56999d5cffb54ba3782e5ddcb6b347a8cb3000b93ff58426a9c5352cf7cf4f0f3d305503f488f4b

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFGocAX3LKew369lp2z32:SKcR4mjD9r823FHKcR4mjD9r823FRXh

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8ed5820bd9a54f2f523fca8c182df29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f8ed5820bd9a54f2f523fca8c182df29_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xwhapI6W8IhBkQn.exe
    Filesize

    59KB

    MD5

    a91527ab479874fdb217eecf7253dbb1

    SHA1

    98e6ce23ae5beb2f857fb8d476cf2cf9eaf3598b

    SHA256

    3f3f368b8f7c6325f4c8ea645422fa2ce308eeb553b8bf3eae9410ad10923963

    SHA512

    efd23b0aab8bb60bdc6e44c99242f792cde6e057a632cf2188064179d3717d55be6cc6421f9cfb8821aff9aeb6879ddf4cc5b60d2c716ceeea15ddd2c350e736

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    59KB

    MD5

    5efd390d5f95c8191f5ac33c4db4b143

    SHA1

    42d81b118815361daa3007f1a40f1576e9a9e0bc

    SHA256

    6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

    SHA512

    720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

    Download Submit

  • memory/1884-12-0x00000000001E0000-0x00000000001F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2268-0-0x00000000008D0000-0x00000000008E7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2268-11-0x00000000000C0000-0x00000000000D7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2268-8-0x00000000008D0000-0x00000000008E7000-memory.dmp

    Filesize

    92KB

    Download