Analysis

  • max time kernel
    143s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 12:48

General

  • Target

    023005fb0f1eac24563f84180c659263_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    023005fb0f1eac24563f84180c659263

  • SHA1

    e3255e1fdee14c848f26a8849667300164b6b101

  • SHA256

    7191e62ead1231701c2d050c13df42f11ff023a45c462ceb238404cd50aa6c7b

  • SHA512

    81c0763adafa7d6cad53ad5bccbdaaeb47678217df5846f5993565a79d796eebb33d4295b9a126d11f6a1201dc2faeef071e3749d8c8643ea142b45ec8fdbe54

  • SSDEEP

    49152:V1Wd46hen6dhZhOOtSkOI/WeP1g0Ztgd0gUigY6ukXO:adLk6dhXfSkOI/LXZta0prXO

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 13 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\023005fb0f1eac24563f84180c659263_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          C:\Users\Admin\AppData\Local\Temp\setup.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe
            C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3908
            • C:\Users\Admin\AppData\Local\Temp\is-8RP9T.tmp\is-7K97U.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-8RP9T.tmp\is-7K97U.tmp" /SL4 $301DA "C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe" 1393535 52224
              5⤵
              • Executes dropped EXE
              PID:4876
        • C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe
          C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies WinLogon
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3512

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe

      Filesize

      1.6MB

      MD5

      251c34d11dd66e2c0b678c3af9813c4a

      SHA1

      3aa135742a05bf768e2e4410de0931586bd4a27d

      SHA256

      874912d8e3bd9369fee116ef6b72cde8f44c9be57259accff41ec3e62d2f039e

      SHA512

      966e6b5b8c96626d32d8726bca630de2092786b9fcb99a364a0e52880d66f5b7aa9feac256300a49535c2a5b2b41f232170623749a186e42a2f853182855fbfe

    • C:\Users\Admin\AppData\Local\Temp\is-8RP9T.tmp\is-7K97U.tmp

      Filesize

      643KB

      MD5

      036ef63e2f9b138a42d6adb54ec0cd1e

      SHA1

      353db5d438205a726a6d54beb62f9c62638f501d

      SHA256

      71b487f0523f213004766402b22bf86fa0ef9891e940d2a4cb12eba6627e7cc6

      SHA512

      31b8f6e76c8c4f5323f12384c41f6f2b04e58545c121da71e2a4da947a9c0aea9eb05df4f8199cc6dc89bc238577c4e2d5fb4b66e77e1130bc72b6c38f207cc9

    • C:\Users\Admin\AppData\Local\Temp\setup.exe

      Filesize

      1.6MB

      MD5

      2c131f0eaf3c74c05e0620a30848db74

      SHA1

      e1fd5f28a0ad5df9bb7ded2fccf3017d29d19e1e

      SHA256

      69d8ae1e9ea15adee88fa563e45a721f5d073799db2e64520ce19542757d38a0

      SHA512

      26ca32ae597ca74df495bf0a62b9c7beae91e4ac0509ea028808098e3b203343f5c6685d5ce4582bcd8e6b103f08881c3e9d8863c1a33638f4d5e6c439fa21ae

    • C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe

      Filesize

      201KB

      MD5

      5bcfb909d7b9377f249e7c2a41c16490

      SHA1

      c6353932216f3fb1976fe6b362ba5a373eafb842

      SHA256

      cafa0fd6de888d191d65a35bc1ddfcc85c665c50e7fe835a42d5d0f6e335a012

      SHA512

      2d325c1f39bb9eac5c4816255be9b44c76a90f6fb7253691ef138e7697d1df5ff85e2d09616d81784b83de3835cb49d31e0a5a0d84e6d5b00d23e2773306e526

    • C:\Windows\Fonts\javaftp.dll

      Filesize

      163KB

      MD5

      a00286212e09124078c937614be400d3

      SHA1

      d18b980423ef3b695002a5be256aace6a7140396

      SHA256

      3b3eacf2e68464e1a6cde21bc42a3a2c5dede0bf1c6a22bd592f6a77a3ff45ca

      SHA512

      caf4313a0ad5076d6fdec9e92f71e7555531b7ca9ab32b334ee246a95c4f9a32329d59788f14e19a6033651367c23ed64994dd16e55b726a5f821daa21381c01

    • C:\Windows\Microsoft.NET\Framework64\ftpsys.dll

      Filesize

      248KB

      MD5

      aeeb64067a87e8e46e522c2eeaf45535

      SHA1

      7a31869b5a66182eb16e0b52ac8168ad9a1bb27c

      SHA256

      3761ff04e5e9be07a206e1292c4c6d83f7fccec65f793ddb630637bd18982c7f

      SHA512

      221d82b94814b9d9e526a19576b8424a174e88f9b46388d42fdbb1e7798bc46bcd906e61273f2b7e2e4942c85c46228201d94ffa9632964e966bdd5c182d0c35

    • memory/1360-34-0x0000000000400000-0x0000000000842500-memory.dmp

      Filesize

      4.3MB

    • memory/1360-1-0x0000000000400000-0x0000000000842500-memory.dmp

      Filesize

      4.3MB

    • memory/1360-44-0x0000000000400000-0x0000000000842500-memory.dmp

      Filesize

      4.3MB

    • memory/1360-0-0x0000000000400000-0x0000000000842500-memory.dmp

      Filesize

      4.3MB

    • memory/1360-42-0x0000000010000000-0x00000000100A0000-memory.dmp

      Filesize

      640KB

    • memory/1360-36-0x0000000010000000-0x00000000100A0000-memory.dmp

      Filesize

      640KB

    • memory/3512-46-0x0000000000400000-0x000000000043D500-memory.dmp

      Filesize

      245KB

    • memory/3512-53-0x0000000010000000-0x0000000010064000-memory.dmp

      Filesize

      400KB

    • memory/3512-56-0x0000000000400000-0x000000000043D500-memory.dmp

      Filesize

      245KB

    • memory/3512-58-0x0000000010000000-0x0000000010064000-memory.dmp

      Filesize

      400KB

    • memory/3908-26-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/3908-15-0x0000000000401000-0x000000000040A000-memory.dmp

      Filesize

      36KB

    • memory/3908-13-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/4876-27-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

    • memory/4876-24-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB