Overview

overview

7

Static

static

3

f7dfdf82fa...18.exe

windows7-x64

7

f7dfdf82fa...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7dfdf82fa9bedf1442c446885fc8d6b_JaffaCakes118.exe

  • Size

    559KB

  • MD5

    f7dfdf82fa9bedf1442c446885fc8d6b

  • SHA1

    72aa690361cf1e7a8669f5b1c8e5f224877287c1

  • SHA256

    3fd2b975ad9fc6327f0c0a3b29789605931c1c14964d607754611183aff1ee61

  • SHA512

    162f97d671396328ca8d22dd8adbd9d963688b0107142826f60d2b17313eff7f2b1f17491e398c98a8a7e79c1414caba1fc0b397cd96df74601bae0b133caefb

  • SSDEEP

    6144:7BtLHIAXJrEG9w+z9f3vMv92loae4DmA8sIMLnWXAqM65n1Gl25Zk/yxvU5Qr6XY:fHIAXxEG9VfE9AVfDWX5Gc5ZUyObN

Score
7/10
collectionpersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7dfdf82fa9bedf1442c446885fc8d6b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7dfdf82fa9bedf1442c446885fc8d6b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\SysWOW64\sinst.exe
      "C:\Windows\system32\sinst.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\sin st\mail.exe
        "C:\Windows\SysWOW64\sin st\mail.exe" /stext "C:\Windows\SysWOW64\sin st/mail.txt"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook accounts
        • Drops file in System32 directory
        PID:2164
      • C:\Windows\SysWOW64\sin st\dial.exe
        "C:\Windows\SysWOW64\sin st\dial.exe" /stext "C:\Windows\SysWOW64\sin st/dial.txt"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\sin st\dial.exe
    Filesize

    39KB

    MD5

    d36cec48ea68809c3bc9b2649158e953

    SHA1

    6763c500e815907361a13707eb1b4129feef93a5

    SHA256

    e4e5e1e3b65f9532fff19402e8ff7d060db971da0a9fc11aa56f159f46ebbb41

    SHA512

    0c6307847de847edba13d2da37987844b9fa660aada67869c8b845523a8c6013aca6180d649f5b2e8ea6113cdfb5af8e625f66cdb08a6ab66bd0f0c865b87dc9

    Download Submit
  • C:\Windows\SysWOW64\sin st\mail.exe
    Filesize

    32KB

    MD5

    105f3bc196b09346bb002bd09ebba661

    SHA1

    d214f233b32beb1d72b402911ac0a6979ae5ad80

    SHA256

    57c16dc62641cb315373c6284a8027442432e58d900d6107fe453263a0adcfd1

    SHA512

    16805ebe7332f0b961ad4743242f76003294bf2f520e5b0b120a9bf5e784bd1c483a046fe301bf41e4682e9fdf59d37f3743d82ff445e58e0bc6903e2ea8ae4b

    Download Submit
  • memory/552-26-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/552-27-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2164-16-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2164-25-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3548-1-0x0000000000650000-0x0000000000651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3548-28-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize

    580KB

    Download
  • memory/3548-29-0x0000000000650000-0x0000000000651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3548-34-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize

    580KB

    Download
  • memory/3548-35-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize

    580KB

    Download
  • memory/4692-0-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize

    4KB

    Download