Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/06/2024, 05:08

General

  • Target

    18e2ee22515383ab71d88a514b75e194_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    18e2ee22515383ab71d88a514b75e194

  • SHA1

    bcc90302763fcb83af8c162a9e7b1482769ba981

  • SHA256

    155a64eb70fb341ff15673b9d7d781dbbdafba0e70bc655ba56cbd8e2c5b15c3

  • SHA512

    8955fe3022877c500fdcc616482c6acc94adfe9d962ea83de1ffe7a39b19d8685dc11eab40bb2f4622d957c01ccfff123538b830461ecb970122a24b41cbc056

  • SSDEEP

    24576:VlPE7KG8nmak4jqelV6zAaDA5Y/tLt+nj6bm:kYPXsD2+SjW

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e2ee22515383ab71d88a514b75e194_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18e2ee22515383ab71d88a514b75e194_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Roaming\meocondethuong70.exe
      "C:\Users\Admin\AppData\Roaming\meocondethuong70.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3660
    • C:\Users\Admin\AppData\Roaming\Sender2.exe
      "C:\Users\Admin\AppData\Roaming\Sender2.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3288
    • C:\Users\Admin\AppData\Roaming\YingJie Killer.exe
      "C:\Users\Admin\AppData\Roaming\YingJie Killer.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2056
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39aa855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4144

Network

        Downloads

        • C:\Users\Admin\AppData\Roaming\Sender2.exe

          Filesize

          45KB

          MD5

          a5df875dc607d50d7039448fa427667d

          SHA1

          d8277d14efc10f7a944a7dd6d14212e8feb4f98b

          SHA256

          94c0d728920ceaadd592c42ea89d3daa3576ff0151b5fb9633d9001808dfb3e1

          SHA512

          a61d14c2e2cdecd5e0c7bd3d42a830dc9f2d006d5a0209c6415a12adcd0608109639f5f76e1e8a9dcd612d20cea1543a722d18e83a0173a577f059466d46db5e

        • C:\Users\Admin\AppData\Roaming\YingJie Killer.exe

          Filesize

          544KB

          MD5

          144b7347ac756854c38d2a19384d6cd2

          SHA1

          80effd8c17194b6b22869f9b7195ab57f44a3e68

          SHA256

          76d400c55c84b6272578b8c095ca584d0f19593bcaa95a6ec275640d4e75d02a

          SHA512

          aca5db42dd117af8680463a1ba0993d8859dae6993db589938e2fe13ba3583c143aa3aef3aa017e42fbc2f134f5a7e0b8691265bd8076cfba493b92e66340df4

        • C:\Users\Admin\AppData\Roaming\meocondethuong70.exe

          Filesize

          35KB

          MD5

          134443f7f65aff85df22a8324ac25884

          SHA1

          54136f14801df7682f63ebb83d2eeb91b735ff94

          SHA256

          c85b5284e8531eb6765e6aeba7bdf6f75250ad1792c0d6171dd2a0e58bb78eea

          SHA512

          5d4bbe6b77d263c446a34f516a2a8db2938fcf01f88b8b0875fa9facb4d3c610ef5519883d3c0a41c55c6ea5b47b5b6e651ea564136125d9bc131c5004cca0c0

        • C:\Windows\SysWOW64\OLE32Init.exe

          Filesize

          45KB

          MD5

          ab929b9b95092b19fcb79593dc6d4e6c

          SHA1

          62fd281db913e917a677ec59ca5fb340686bb610

          SHA256

          c2bb87dcf7f963d5c0494778e423dcd4e7b1bba905f2a0c785346c4960d3da7c

          SHA512

          7ecd77b79a13b6b728ef5b93039ba9cb8f1e78d52e86a50f9477beedc5167d47eff1b53d2dff8f69d1833294683108b69a22db7bc466ccefdf7d89ef8e8b9570

        • memory/2056-49-0x0000000000400000-0x0000000000536000-memory.dmp

          Filesize

          1.2MB

        • memory/3288-52-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3288-53-0x00000000001C0000-0x00000000001C2000-memory.dmp

          Filesize

          8KB

        • memory/3524-37-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

          Filesize

          9.6MB

        • memory/3524-5-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

          Filesize

          9.6MB

        • memory/3524-3-0x000000001C1E0000-0x000000001C6AE000-memory.dmp

          Filesize

          4.8MB

        • memory/3524-0-0x00007FFAC4835000-0x00007FFAC4836000-memory.dmp

          Filesize

          4KB

        • memory/3524-2-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

          Filesize

          9.6MB

        • memory/3524-1-0x000000001BC60000-0x000000001BD06000-memory.dmp

          Filesize

          664KB

        • memory/3660-47-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

          Filesize

          9.6MB

        • memory/3660-50-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

          Filesize

          9.6MB

        • memory/3660-51-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

          Filesize

          9.6MB