Overview

overview

8

Static

static

7

61c07b94aa...18.exe

windows7-x64

8

61c07b94aa...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 02:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    61c07b94aa1b119e673c69838173ec9b

  • SHA1

    fff5dc6b40eedc988c615538c1bf2b03bb187680

  • SHA256

    daeabb4f77670f7b24e89bf05e25bd5d17c5679fb6f3fa5baee1ba2d27ae9220

  • SHA512

    f3758568f3706bf9c89e74669b472f1853a5d0694af4e2bb466154f1a9ba0ce75b0ad1a0b9cb3c0a60a81b96a758e4a4c80e1f60d93982ee98d13ff7b3f1f988

  • SSDEEP

    49152:cUwT0VCJYbHkap4puMVV+cNOQTkcUK77ny+A+hAC/PjyOiPmYa/imLQbf:0WK+HfVUxOQTkRKXdA+JzyOYmFVQbf

Score
8/10
evasionexecutionupx

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\index.hta.log" /PID "840" /CID "Xk3KkPy_F6Ky7KXg" /VERSION "111850052" /BUCKET "0" /SSB "3" /COUNTRY "US" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-2721934792-624042501-2768869379-1000" /CLIENT "utorrent"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"
        3⤵
          PID:2688
        • C:\Windows\SysWOW64\PING.EXE
          "C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500
          3⤵
          • Runs ping.exe
          PID:1920
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6Ijg0MCIsImgiOiJYazNLa1B5X0Y2S3k3S1hnIiwidiI6IjExMTg1MDA1MiIsImIiOjQ1NjM2LCJjbCI6InVUb3JyZW50Iiwib3NhIjoiNjQiLCJzbG5nIjoiZW4iLCJkYiI6IkludGVybmV0IEV4cGxvcmVyIiwiZGJ2IjoiMTEuMCIsImliciI6W3sibmFtZSI6IkZpcmVmb3giLCJ2ZXJzaW9uIjoiMTA1LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiMTA2LjAiLCJleGVOYW1lIjoiY2hyb21lIn0seyJuYW1lIjoiSW50ZXJuZXQgRXhwbG9yZXIiLCJ2ZXJzaW9uIjoiMTEuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTEuMTAxLjIwOS4zOSIsImNuIjoiVW5pdGVkIEtpbmdkb20iLCJwYWNraWQiOiJkZWZhdWx0In0="
          3⤵
          • Blocklisted process makes network request
          PID:1748

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\i18n\en.json
            Filesize

            5KB

            MD5

            4417dbfa9fce94752a5a2dfdc823cb92

            SHA1

            12d2fd479d85b3f26c28351bbd0e44f06bc60597

            SHA256

            2381252b689d7ef2a8e1dcea6b7366c0436e70ff29e9b63f3ae34bcc5c60aaf5

            SHA512

            922c3e44db618cb2a77ad8ae6cceeaaecda3acf47034dcfe620cc5c352bededa6e4c983c74a05a797bcbed4f595d205f21829e3393b8994feb73f8179494a93c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\images\loading.gif
            Filesize

            5KB

            MD5

            c910e2a5db424644aead18e1758c5efd

            SHA1

            fa58fc1a0c17db6c0eb573a0d548e544604114da

            SHA256

            00c62ed42795f996b5f963c69ce918c2623d72896ebb628dfd9bc800514900ce

            SHA512

            66d87ba337fc672f3f2fac50e2b32774b3a470b32fe5ba1a0e887bf74465e3db1375eca3cab91367bf88b2c6fbf0301e11d6f64c90dddc0c972fabeaefd37b7e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\images\main_icon.png
            Filesize

            3KB

            MD5

            e29ae2c3347790175085244651c40d6a

            SHA1

            0b9a15b6791439b319496950b85ab82dc2e3e5ae

            SHA256

            639bccb6ed0fce165cc979a2949d211ec8f1570133d644bf042a5400c3454c21

            SHA512

            53287d741b18275ee35eb4c4392c452e25846748ccaf3954a57f017a6e844b25ec4a39438c6ed7b24128138b8d7239cfacf69112f9803ab9d2ee981ea97a9808

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\images\main_utorrent.ico
            Filesize

            104KB

            MD5

            44d122c9473107fc36412de81418c84a

            SHA1

            a0072c789a9cd50ba561683c69af8602927cf4a8

            SHA256

            7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680

            SHA512

            b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\index.hta
            Filesize

            522B

            MD5

            76903930c0ade2285f1ab1bf54be660d

            SHA1

            0fdd5990ca58cf6c49985ffd2075baa09cd728ce

            SHA256

            61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e

            SHA512

            c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\install.1716258567.zip
            Filesize

            743KB

            MD5

            b95e97108189f7babf89539f08186890

            SHA1

            bf8e669ff37c68d86eafd239bd82684b0bce00a0

            SHA256

            52bd756b898a3e7dd1c0ec8d3ef76db5f68b9fc5953ca61c493df01eec61ca12

            SHA512

            cca151213d0062d529d267f31af39236527399b96b019f0c6a68b68bfbcb0bbd7fa747ad24b8d7db9c900e08ed47cfbe79fdd88e1ff97e0ab7eafc5fe228c649

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\scripts\common.js
            Filesize

            337KB

            MD5

            78b4d4390bff0f011ebd271c9bebeec5

            SHA1

            12f0f137a8173be5791187a583256894d68bea26

            SHA256

            2f2edf2bd12ae6c6553042c30cb73b967e9066babad5f18f5ff054e708ffd19c

            SHA512

            a83f8133f26fca263070b278879582268d5bc02a4bad5028f5c80517c069bdc9915b21bcdea31f4f81df04ab891e9b5858109d80e2e4421812af64ae1c12a67b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\scripts\initialize.js
            Filesize

            1005B

            MD5

            2a65c76b51a2c15eebeefa662d511af9

            SHA1

            3c5f93d39fdd573e43c7a451836d425bc1b07a5d

            SHA256

            31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06

            SHA512

            85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\scripts\install.js
            Filesize

            5KB

            MD5

            36f8dbcbdeed01079dcd0abdf481ffd7

            SHA1

            354d8fa00c37255d15a07a8b93f99ec2821ed1a2

            SHA256

            8d41b55c7626eccd4369418e4d0a1cfc2c7ca56b6424ac7b04e50ebc883837c9

            SHA512

            3a9ace6ed03f59599739bba74271aac5f4bdd589cbc2727285dd26fe390c8febebd9915c0d72e809e09c47f3d6ec12709acbd99c69796672775f5c0159c4a4d1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\shell_scripts\check_if_cscript_is_working.js
            Filesize

            18B

            MD5

            401b092610275ba2a62376598bfd9c6b

            SHA1

            da1173bc19dd51759f06ac21237a1e8af19d96e7

            SHA256

            d1b9d32702d7d7a184ab4654c204e6d385a9499fde63e0b06bda60f8077a7862

            SHA512

            4a6b34a572864c8648ae1d3e2fe7b3ae2caada78cac726fafe4fe840afdeac1b53ea161ef27abe82ed6843e61bf853901a2d1bdf2ec255de0c395423d1b2e865

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\shell_scripts\shell_ping_after_close.js
            Filesize

            312B

            MD5

            3ba92505f8af34e948f97360767d4f8a

            SHA1

            997a36be9f9f5262195b24c8c99c0688086c80ee

            SHA256

            5e872715109b381c99aa19e2435628640505794e09a1998de7b92c2a5aea38e1

            SHA512

            b33d3519684e3b54e582e401c7144d4d3783ac44ee73e8d9ce2d92b2e0a091758d330d966ab7db19f7d22fe18335d3e8effc0961ff9d9c4ac147d0ec2c91e626

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\HTA\styles\common.css
            Filesize

            99KB

            MD5

            8a94d780401556cceabf35058bbd4b5a

            SHA1

            19ee91b1629f4ccf0fca1f664405a1eee9dacc5a

            SHA256

            086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa

            SHA512

            b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\HYD1353.tmp.1716258567\index.hta.log
            Filesize

            57B

            MD5

            30f78cc367774fb75b3291ff2907c2f1

            SHA1

            46c38225a8bab93c6209ebf69ec0aba32a05e95b

            SHA256

            b5b5e8e6473e566821429be6a48c4d44420a8762fed2ea4db5ccd15810a8fb82

            SHA512

            602698492dda50c6d8b7ed4a5676599e56a5b872ffb9bff35b5a66bd70013961bb0a1b58aae34176cc09abaf4a9e09ecaf69a32a6457c15c9744a8199e117ab5

            Download Submit

          • memory/840-116-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-122-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-110-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-111-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-127-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-126-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-114-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-115-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-125-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-117-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-119-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-120-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-121-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-0-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/840-123-0x0000000000400000-0x0000000000956000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/2448-78-0x0000000006A10000-0x0000000006F66000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/2448-113-0x0000000006A10000-0x0000000006F66000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/2448-112-0x0000000006A10000-0x0000000006F66000-memory.dmp

            Filesize

            5.3MB

            Download