Overview

overview

7

Static

static

7

fcac538414...18.exe

windows7-x64

7

fcac538414...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcac538414472fce973005b827db8952_JaffaCakes118.exe

  • Size

    93KB

  • MD5

    fcac538414472fce973005b827db8952

  • SHA1

    e15372c41f6c858864d29bfef6df0878c663b06d

  • SHA256

    ee369bea8c75728f8d76b70e303b461aa276622edbcbdf7abbff0c6f7cbf13f1

  • SHA512

    3252aeddf1b860af5aad958223fe82d2b1457f78360ebcd2207218d9445d806f0543dc9f994ae9065a64f0da5fb5023281e27c170d189b5803b041ea515cbb4b

  • SSDEEP

    1536:SKcR4mjD9r823FbWVFcNE7A2meC4aM7M8MUmXrwRmWAfto:SKcWmjRrz3tWVFJkeC4HTYkRhEK

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcac538414472fce973005b827db8952_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fcac538414472fce973005b827db8952_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\9fSB2MEvHrGacOq.exe
      C:\Users\Admin\AppData\Local\Temp\9fSB2MEvHrGacOq.exe
      2⤵
      • Executes dropped EXE
      PID:1668
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9fSB2MEvHrGacOq.exe
    Filesize

    93KB

    MD5

    d13c44026191d2ed391ad314b910df5c

    SHA1

    ea456d90e338b57a3335db4c58a9d84808e1e58e

    SHA256

    24d78eb4d18b72a56876d09bc364293afed7c87bab06e3f7f241e263b3ea1d2c

    SHA512

    0ba813a7bb8b347b4f5ec2387b7d428a9c9578cbc957c08ae6d01d72a79d2bed48a13c532c980ee0409f2cdcc8c2c4610fa3a18945988c48fb47db0a9c967cda

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    29KB

    MD5

    70aa23c9229741a9b52e5ce388a883ac

    SHA1

    b42683e21e13de3f71db26635954d992ebe7119e

    SHA256

    9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

    SHA512

    be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\9fSB2MEvHrGacOq.exe
    Filesize

    64KB

    MD5

    e97c622b03fb2a2598bf019fbbe29f2c

    SHA1

    32698bd1d3a0ff6cf441770d1b2b816285068d19

    SHA256

    5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

    SHA512

    db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

    Download Submit

  • memory/2564-18-0x0000000000070000-0x0000000000087000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3048-0-0x0000000000E00000-0x0000000000E17000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3048-15-0x0000000000070000-0x0000000000087000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3048-14-0x0000000000E00000-0x0000000000E17000-memory.dmp

    Filesize

    92KB

    Download