Overview

overview

10

Static

static

3

fff7c1f775...18.exe

windows7-x64

10

fff7c1f775...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fff7c1f77588105fc5a76b841983253f_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    fff7c1f77588105fc5a76b841983253f

  • SHA1

    c87d3d2cf8d649d9e0cd045f28d6972fc1ab9edb

  • SHA256

    39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7

  • SHA512

    a23e67eb352dc383e56ad422708ea74165d294925d57b08d24d937d7bf90f6e49d5768d18f3de2cf479b57c6bd710c786e3ea4f6dc0b77851d73aab021dce6c7

  • SSDEEP

    49152:xcBGvy10E+QMWcLctpCOOeWAbaW44EwJ84vLRaBtIl9mTRP+m+OJz:xb4MWcApaeW9FvCvLUBsKRPUkz

Score
10/10
nullmixeraspackv2dropperevasiontrojan

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fff7c1f77588105fc5a76b841983253f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fff7c1f77588105fc5a76b841983253f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4E005237\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\karotima_1.exe
          karotima_1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          PID:1140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\karotima_2.exe
          karotima_2.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\karotima_2.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS4E005237\karotima_2.exe" -a
            5⤵
            • Executes dropped EXE
            PID:2672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 500
        3⤵
        • Program crash
        PID:3664
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2072 -ip 2072
    1⤵
      PID:2452
    • C:\Windows\system32\rUNdlL32.eXe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:712
      • C:\Windows\SysWOW64\rundll32.exe
        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
        2⤵
        • Loads dropped DLL
        PID:1192
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 600
          3⤵
          • Program crash
          PID:2876
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1192 -ip 1192
      1⤵
        PID:4684

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\karotima_1.txt
        Filesize

        1014KB

        MD5

        953230955b0863d81f382d5163a4badc

        SHA1

        9c3fd08863f631a2e8aa921ff4d299105e085460

        SHA256

        a1d82cc7d4af1c8584f909c36b8b2cc8bd5d68791a5c9af0940e36a9887538f6

        SHA512

        fcc922272315876cfb71ce3b949c7838c45c3aa97860c75e55e82a2ac93ea65993cf5e0327c39cafd7a226d3fd2c72df77f9bb6c28a9dbb634c8650670b6d355

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\karotima_2.txt
        Filesize

        712KB

        MD5

        8da953a71f7d9811e648b7644f39c445

        SHA1

        c39fd05d024249bc8d63493026474e797fd1eeaf

        SHA256

        ac6143d8ef00d3008388f0c4606bbcf9672eddde1cf76ad102ffb2db26fa6e71

        SHA512

        d75c871c781344968676a2c47e8c2387624d9f9aef7652b7eb97a2aebf9d474fcfe8a6f811b79a76fa4be980ccdfa8646b911e40827324800e233d390f1bcad3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\libstdc++-6.dll
        Filesize

        647KB

        MD5

        5e279950775baae5fea04d2cc4526bcc

        SHA1

        8aef1e10031c3629512c43dd8b0b5d9060878453

        SHA256

        97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

        SHA512

        666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS4E005237\setup_install.exe
        Filesize

        290KB

        MD5

        4cb1e9abef374ec0a5276b394d1162ba

        SHA1

        1c7f909d77a4adc1f5a0c6badcd06c2de2b07bba

        SHA256

        ad427a15485ff30869db848aacceb35e49220ff21c5f894c2f775a06758bf2da

        SHA512

        07d0763eabb90fdbd9f065f1ace27021d3ad82305aa55513575e07a0fff45a5849ce97ca05bc10ab1bd7b30dfb7f8e8b722f464cb0da4dba7850d98bf9268cb7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\axhub.dat
        Filesize

        552KB

        MD5

        c5c411ddf0d0dd87bc6fdb84975fc292

        SHA1

        e04d41c06a12d46c5ba8220509d89d2a66140892

        SHA256

        dc16f2dadacfad74d074a70c060bafc95d49a7d08a1cbe24f35ddb1769fb56da

        SHA512

        9ed2af8bef3a1873efefb048c3e2733e994bf6300bdfb06ea12939450e65abfa19b4753a1e0755a755a8aed10398982c737d33b9fa79f91ffa356ef4ce20109b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\axhub.dll
        Filesize

        73KB

        MD5

        1c7be730bdc4833afb7117d48c3fd513

        SHA1

        dc7e38cfe2ae4a117922306aead5a7544af646b8

        SHA256

        8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

        SHA512

        7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

        Download Submit

      • memory/2072-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-52-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-44-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/2072-42-0x00000000007A0000-0x000000000082F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-49-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-50-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-51-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-53-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-54-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-22-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-64-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-66-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/2072-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-68-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2072-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download