Analysis

  • max time kernel
    141s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-06-2024 11:11

General

  • Target

    b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe

  • Size

    300KB

  • MD5

    b84cb1bf75e472973bed157bab410f04

  • SHA1

    fe4d97e9fd68677ae1e1b459885b3979eabba445

  • SHA256

    69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a

  • SHA512

    266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8

  • SSDEEP

    6144:IXTq8tcMqCZuCkGZGXOGrmtiwJpIS3tJ0dNaVcW+VoImI8EDQGXI/:38cMq8uepPrSNamDT98EdI

Score
10/10

Malware Config

Extracted

Family

buer

C2

https://officewestunionbank.com/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Buer Loader 9 IoCs

    Detects Buer loader in memory or disk.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\ProgramData\656f82acb09c236f5a68\AutoReg.exe
      C:\ProgramData\656f82acb09c236f5a68\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe" ensgJJ
      2⤵
      • Modifies WinLogon for persistence
      • Deletes itself
      • Executes dropped EXE
      • Enumerates connected drives
      PID:1988

Network

  • DNS
    officewestunionbank.com
    AutoReg.exe
    Remote address:
    8.8.8.8:53
    Request
    officewestunionbank.com
    IN A
    Response
    No results found
  • 8.8.8.8:53
    officewestunionbank.com
    dns
    AutoReg.exe
    69 B
    142 B
    1
    1

    DNS Request

    officewestunionbank.com

MITRE ATT&CK Enterprise v15


Downloads

  • \ProgramData\656f82acb09c236f5a68\AutoReg.exe

    Filesize

    300KB

    MD5

    b84cb1bf75e472973bed157bab410f04

    SHA1

    fe4d97e9fd68677ae1e1b459885b3979eabba445

    SHA256

    69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a

    SHA512

    266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8

  • memory/1652-1-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/1652-2-0x0000000000220000-0x000000000027C000-memory.dmp

    Filesize

    368KB

  • memory/1652-4-0x0000000040000000-0x000000004005D000-memory.dmp

    Filesize

    372KB

  • memory/1652-13-0x0000000000220000-0x000000000027C000-memory.dmp

    Filesize

    368KB

  • memory/1652-12-0x0000000040000000-0x0000000040BA8000-memory.dmp

    Filesize

    11.7MB

  • memory/1988-15-0x0000000040000000-0x0000000040BA8000-memory.dmp

    Filesize

    11.7MB

  • memory/1988-16-0x0000000040000000-0x0000000040BA8000-memory.dmp

    Filesize

    11.7MB

  • memory/1988-18-0x0000000040000000-0x0000000040BA8000-memory.dmp

    Filesize

    11.7MB

  • memory/1988-19-0x0000000040000000-0x0000000040BA8000-memory.dmp

    Filesize

    11.7MB

  • memory/1988-32-0x0000000040000000-0x0000000040BA8000-memory.dmp

    Filesize

    11.7MB
