Overview

overview

7

Static

static

3

177eb68cc4...18.exe

windows7-x64

7

177eb68cc4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    177eb68cc4f405e5a89c4a0867b738fb_JaffaCakes118.exe

  • Size

    390KB

  • MD5

    177eb68cc4f405e5a89c4a0867b738fb

  • SHA1

    fa0daae7e6db8a56aca0d9bcd0e9673b45946186

  • SHA256

    ba83afde097acfbcf72a83c12fd8c58639ddf165ab0134f194e70549b1cdf891

  • SHA512

    f27297df6c8cd4dc587461623e1faa34dc183162d3b5681c25d7ccd650fd46bdd64f512e4537acb01cbb01c3fc72fa1e2692bf8f55e5fbf39775da89068310d7

  • SSDEEP

    3072:1oWoaYMS7k7YS+OZVsrKmrBAf7qcbPmNfq/b3hDHAwE4aJaMkynQssssssDssssY:1O6wOZVYWD7PmRq/Bw55

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3564
      • C:\Users\Admin\AppData\Local\Temp\177eb68cc4f405e5a89c4a0867b738fb_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\177eb68cc4f405e5a89c4a0867b738fb_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240605750.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3560
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f
            4⤵
            • Adds Run key to start application
            PID:4496
        • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4936
            • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4852

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\240605750.bat
      Filesize

      146B

      MD5

      7eee65b102f30fd1ead48a8cd3b99827

      SHA1

      2f74a754019f280c6186c11531d460006814952e

      SHA256

      5748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f

      SHA512

      a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
      Filesize

      390KB

      MD5

      1fcf9e0a07bca953372b2b6e23a916e1

      SHA1

      64bef037a77c13f7146ce297b5716a573cf6206b

      SHA256

      ce99ebeab8fdd9d0258bda074206014e29f6233d4309b7c6b835a47db8798be2

      SHA512

      13cdaa6e9ef3ba2b0871dda52191f4c58753b263d88d3466ea5906a67af986b58a7e37a8a898138ca7f994d9d0ded805c0846a05da582e982d0585c63677fb01

      Download Submit

    • memory/3564-35-0x00000000010C0000-0x00000000010CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-27-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-30-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-34-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-39-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-38-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-37-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4852-40-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4936-24-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4936-23-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4936-33-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4936-20-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download