Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-04-2024 21:13

General

  • Target

    fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe

  • Size

    17KB

  • MD5

    fb2dcc045afd144b1b743efbed7b60ce

  • SHA1

    b0eb38604c9e5065f10cf35ffc8b88899c054567

  • SHA256

    4c5d464d2636c4e155fa51be824cbf2038824683c7778738d59dee5a2cd8ab69

  • SHA512

    3e025b8132d6457084c57267d08722c9945ec7bab4d336b9d62c23986fe104f28dcc133023b9fd7629100ae76a8b636369a2ab02cc5cf030af0beee12d9b3086

  • SSDEEP

    384:GtBXPIffR9PaRGeRcm+WiPMDQ2Q8+Wdvm8Gzg10jds:0x+vaNcXPcd+8ugyR

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb2dcc045afd144b1b743efbed7b60ce_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\mfxixue.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:2564
      • C:\Windows\Tasks\alg.exe
        C:\Windows\Tasks\alg.exe
        3⤵
        • Drops file in Drivers directory
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WFeDSYy5cA.pif

    Filesize

    41KB

    MD5

    2565f1bfc8bd5e2a7f9c2c508635043a

    SHA1

    1204962603032e780240d15b24c52752ac4b1826

    SHA256

    4a1351fffeb0ba8f4aafb0958b1451124d84184f24c8742934e49ae5a43cae85

    SHA512

    7a6ad0446637a109241a5c0a93cf12b6d19c4f7fb328bb153f7b4c43c9d54a97ea27b2b69173eb778b43a2f5c0edcc782d8ad0f74827e2291ba1a5692695ff61

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    912B

    MD5

    48ec95bacc8186d72cce11b9584faeb7

    SHA1

    0a6900de60be125b545d36a55f56bd0f7db18d32

    SHA256

    402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

    SHA512

    42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

  • C:\Windows\Tasks\alg.exe

    Filesize

    17KB

    MD5

    6c9b20460dac897528114c7d843bb93b

    SHA1

    87ffd916d3f781417fffecd9f433409e56c94c6a

    SHA256

    2c399cee34cc1fb1d220018992ad10d11c2c9f02fdff1babf75870726665ebb7

    SHA512

    27ada1702a58cd1f3cb0c1b66ca7efd3807276a1e42bfb346b2765e8c3b294a8caafa48255bf8fa0d04d39d1e8d3127504e8f44c9a868c78240958ce3385470c

  • C:\Windows\Tasks\killbase.vbs

    Filesize

    95B

    MD5

    b0e06ce37bba9450fb0241614a517141

    SHA1

    ab74f193a28e6a6eb75f171eb48e6d00f2015de3

    SHA256

    d19dd95ddd530c1e654f4c2b79829f5ac4b4321e94e08198b0cba7f2d9df9401

    SHA512

    c457bddc7c64cd8a20c6614180fba70f46f27b1c7d6229ab300e3755c5ca34e5da9b1822445e66658d8d73d124dbb6f6ed4f34f423f4bafd6f8a80f4481f99fc

  • C:\Windows\Tasks\wsock32.dll

    Filesize

    17KB

    MD5

    bb27a68ebe877eba5dbbce06d131ee6a

    SHA1

    f4fc6b39338922d258012e8404a9cb56d8e4c846

    SHA256

    8821fa495a8d553eb91e0e346990e6fd422f099baa79a01be6975fc18659a669

    SHA512

    0424c004d43b4e4b7b88546d7f45b6cf03247bb2b6de8a50a77f35ec5ccd29f4be61d312ebca92ef6e9486e44f6e67080ffd218788a01e0526a58bb76c1a61ea

  • C:\mfxixue.bat

    Filesize

    143B

    MD5

    7799ae90e02ff5feede2bd319919e6ff

    SHA1

    384ea24428cf4931d9876fc7619db3cc08747c3f

    SHA256

    cdabaa0483269e242e0bed8c3bfccfd3313ed9fd411dbed3405d653e4a1a5d96

    SHA512

    f47ebf984d18bf5d0a5ba468bd256d4dfb41e707f71d40ca541cce4206bf64ed0afee57b800f1931e1db685abc7ca2249107523ddd08fde60c853c59f0ba221a

  • memory/1976-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1976-9-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2620-57-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2620-283-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2900-16-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2900-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB