Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    05-07-2024 22:28

General

  • Target

    272bc288e7c5b8618a066374b0bf91de_JaffaCakes118.exe

  • Size

    23KB

  • MD5

    272bc288e7c5b8618a066374b0bf91de

  • SHA1

    dd56835581b228278328166b622dbf7ae619b61a

  • SHA256

    a618329f6b174908f4ff84dc7f92d78d6567ccd69c73471b302844850f848848

  • SHA512

    d7fcdecfed8512736b0eeddca62d6c13b0ca93826643a9c67e6d7e96f150a9b81bb1a3c51fea48a0f104efb1eaa25e374fb0706b5089ab7ace170ae6bcd7a88a

  • SSDEEP

    384:FuOKnFwJHaFveG1AVG6ecLaRyKNrd3JCpjbGiKXXwsl7Qvp5W8nmP9h2J9R:UO6w9QcUV74QrCp3Wgsl7QBU8nmP+J7

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\272bc288e7c5b8618a066374b0bf91de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\272bc288e7c5b8618a066374b0bf91de_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\272BC2~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:2628

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Windows\SysWOW64\704C3595.dll

    Filesize

    17KB

    MD5

    55a555d300d4c4fd79018cd740cb5ba6

    SHA1

    ccc6c23614f0e086bed3e16abb98b2e97744b4ce

    SHA256

    14e309b68b28c1b376611385624d81b7ba5547f0ab72c589d597c53341652228

    SHA512

    95f4c48355d59a3037f69b0d93a04106cb2aa36b0b7d017769e35c70d3bfd69a19eca3a862f7e2df06c11a423b4b13ebd93dd6a5a48e6d1959602f35f6156086

  • memory/2368-1-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2368-6-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

  • memory/2368-9-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB