Overview

overview

7

Static

static

3

2f3ebd8042...18.exe

windows7-x64

7

2f3ebd8042...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f3ebd8042ab4c85721574a8daa1ab93_JaffaCakes118.exe

  • Size

    732KB

  • MD5

    2f3ebd8042ab4c85721574a8daa1ab93

  • SHA1

    b759e9226886bc6f9743ae81991468b011d6b88b

  • SHA256

    1e2bffa2672a47cdbfd0dfd9f4a531ef5e1c654ee3c262fd21b4fb22630c032e

  • SHA512

    245383d093551c31bab9c7517879aeaaac48080f7a16398aba0e9fcae3b7cc9a0a0f3aa496b84c8fbdc9aa613ec280a348ab1f2fee1db58c47cbc942810a4f2a

  • SSDEEP

    12288:mFTct0d32sPh2Z1QNK8QfvRyGYfgcYHYGBHiAREscEs6/6ALwXh47WKmI:mFTdR2spSQOXrJFFPREws6NLeK7sI

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f3ebd8042ab4c85721574a8daa1ab93_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f3ebd8042ab4c85721574a8daa1ab93_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\2f3ebd8042ab4c85721574a8daa1ab93_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2f3ebd8042ab4c85721574a8daa1ab93_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XBYMY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "turnon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ace.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1608
      • C:\Users\Admin\AppData\Roaming\ace.exe
        "C:\Users\Admin\AppData\Roaming\ace.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Roaming\ace.exe
          "C:\Users\Admin\AppData\Roaming\ace.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2460
        • C:\Users\Admin\AppData\Roaming\ace.exe
          "C:\Users\Admin\AppData\Roaming\ace.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XBYMY.bat
    Filesize

    131B

    MD5

    1e107377fe0ead2ac39679deb110fe24

    SHA1

    4f98e9887eddb7c2b4972becf09336682a91abc2

    SHA256

    2608f3470b1ad2327fe89ed58b47ef98f85135ab25a51ac81356d34682ccc1be

    SHA512

    aa61224f8efa1f8ff864f24cfb2f3dc7c5292b0918ae70d00686ef7a9d74f9bb2d20ab76ff9dcb0faa9a1af201371ef0838cd391dc5689f29d798260678ca19c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ace.exe
    Filesize

    732KB

    MD5

    94f843700ca0215f09eeb267750f13e8

    SHA1

    5dfd68dd64edb7d57a82cf5dd196d3c685cd0a89

    SHA256

    6b854cbb64eea0470b23a4bf259d938442ccd591c6c299266b39eed308a49df2

    SHA512

    2ffefd0f49046115b636bb036f93c6ab6c10851cfe071c741bb0d1f992818506235fb508726e0db19d72e3161bbd680cb88a7dd8ab75c3183e0a906ce22ae7bd

    Download Submit

  • memory/2460-286-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2540-106-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2540-278-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2540-119-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2932-28-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-22-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-64-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-58-0x00000000004C0000-0x0000000000578000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2932-44-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-36-0x0000000002A30000-0x0000000002A31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-34-0x0000000002A30000-0x0000000002A31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-30-0x0000000002F70000-0x0000000002F71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-2-0x0000000002A50000-0x0000000002A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-26-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-24-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-65-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-18-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-14-0x0000000002C10000-0x0000000002C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-8-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-100-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-105-0x00000000004D0000-0x00000000004D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-66-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-67-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-32-0x0000000002F70000-0x0000000002F71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-20-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-12-0x0000000002C10000-0x0000000002C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-6-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download