Analysis

  • max time kernel
    124s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 23:55

General

  • Target

    2e48f61bd78caf3a2de38dc8331248fd_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    2e48f61bd78caf3a2de38dc8331248fd

  • SHA1

    8840502cfedf4089d1eb003ca69d8e16e5f3c348

  • SHA256

    5ac5604a6add0f9cf37dd038503fded1a9a6db9ccf7505485364c4f107d96c2f

  • SHA512

    15b6199a7412f96c10cee42d65e3442e68d99f8a39fa65f96e0e31780437787fb2aedcef324765299c2926ffce7f73d1a9dd99a9b3423732f2e342fe0c33b002

  • SSDEEP

    24576:pD4JkT/O9lt/2bgRBapVQImnrFJ97YOIUd:E4G9lt/SgRIpVQIIFJxnIq

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 25 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e48f61bd78caf3a2de38dc8331248fd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e48f61bd78caf3a2de38dc8331248fd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\SysWOW64\mextenmgrinst.exe
      C:\Windows\system32\mextenmgrinst.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Program Files (x86)\mextenmgr\installwin.exe
        "C:\Program Files (x86)\mextenmgr\installwin.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Program Files (x86)\mextenmgr\unst.bat""
          4⤵
          PID:1252
        • C:\Program Files (x86)\mextenmgr\quicktimesh.exe
          "C:\Program Files (x86)\mextenmgr\quicktimesh.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2544
      • C:\Windows\SysWOW64\nvset.exe
        C:\Windows\system32\nvset.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Users\Admin\Documents\Default User\nvu.exe
          "C:\Users\Admin\Documents\Default User\nvu.exe" -op
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Users\Admin\Documents\Default User\nvovd.exe
            "C:\Users\Admin\Documents\Default User\nvovd.exe" -fx
            4⤵
            • Executes dropped EXE
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1072

Downloads

  • C:\Program Files (x86)\mextenmgr\installwin.exe (36KB)
  • C:\Program Files (x86)\mextenmgr\quicktimesh.dll (92KB)
  • C:\Program Files (x86)\mextenmgr\unst.bat (194B)
  • C:\Users\Admin\Documents\Default User\nvovd.exe (44KB)
  • C:\Windows\SysWOW64\MSINET.OCX (113KB)
  • C:\Windows\SysWOW64\vb6ko.dll (99KB)
  • \Program Files (x86)\mextenmgr\mextenmgr.dll (116KB)
  • \Program Files (x86)\mextenmgr\quicktimesh.exe (116KB)
  • \Users\Admin\Documents\Default User\nvu.exe (88KB)
  • \Windows\SysWOW64\mextenmgrinst.exe (898KB)
  • \Windows\SysWOW64\nvset.exe (164KB)
  • memory/1868-66-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)