Overview

overview

7

Static

static

7

0bf6b46d65...18.exe

windows7-x64

7

0bf6b46d65...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bf6b46d6516eadca0663fec90af45b3_JaffaCakes118.exe

  • Size

    28KB

  • MD5

    0bf6b46d6516eadca0663fec90af45b3

  • SHA1

    43fd774505e181b1629f23d9dfb7bef5ed2b284a

  • SHA256

    45f00f824e70b39b4f43e20f0ebb2fa81eb24394178ec99359ac3101f31285bf

  • SHA512

    11d81579509d0cc90aafedd80a8612797698a4ffdbde352d049228ad44135f050577a580b07c5d789e5353fd0568404c8c00c636636fcd61cf9ba392a45f34ce

  • SSDEEP

    768:eyX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIoKvJ:egKcR4mjD9r82hJ

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bf6b46d6516eadca0663fec90af45b3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0bf6b46d6516eadca0663fec90af45b3_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2yf1XY1a08gNP4K.exe
    Filesize

    28KB

    MD5

    4647d0111b5decb395766b0e2e860fb2

    SHA1

    562d650d6ddd605d56b5b41d4435e2d212e28a16

    SHA256

    d64ca8ec388152b292f9c5b7c0078155c545335afa78ffcd90193c51dcdbf766

    SHA512

    b6efadb860fcdc969a796a6716cfd8165581e88e309fcfa139cf92c7b05e5bfef0ac7818abe97f9cd99ba1d2f7a71610553e0a029e56ca7a441bfd53efaf1c5d

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    28KB

    MD5

    e6150447c894ade7b2b9ee88d5933922

    SHA1

    dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1

    SHA256

    b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118

    SHA512

    d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

    Download Submit

  • memory/1912-11-0x00000000002E0000-0x00000000002F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1912-16-0x00000000002E0000-0x00000000002F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3012-0-0x0000000000100000-0x0000000000117000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3012-9-0x0000000000100000-0x0000000000117000-memory.dmp

    Filesize

    92KB

    Download