Overview

overview

7

Static

static

7

2f25cbad07...18.exe

windows7-x64

7

2f25cbad07...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-07-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f25cbad07c3fe02e572a21514bb25ce_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    2f25cbad07c3fe02e572a21514bb25ce

  • SHA1

    e7fd2180e6a7da20b5ee9b0c5071f0e82d241bf6

  • SHA256

    8063ca1dc808a1cee7c276d7ac4c883a5b13387f9ddeeceea5edf930575fe007

  • SHA512

    d4250de5c6793205af299a890632f8f471f3cb2ed9894fa42442339b24eec2e1a0fd867a632217d59f14593226d51e003ff931e58f9068b188a1ae1950e3a99b

  • SSDEEP

    24576:WmYnXv5aoGJ5ZbXfn8Qg4O5ZMxp3JESywkjBDlj9vEqq1:8XvURZb/1jp3PywkFlj9vi

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f25cbad07c3fe02e572a21514bb25ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f25cbad07c3fe02e572a21514bb25ce_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Local\Temp\Restorator 2006.exe
      "C:\Users\Admin\AppData\Local\Temp\Restorator 2006.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt4801.bat "C:\Users\Admin\AppData\Local\Temp\Restorator 2006.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s setup.reg
          4⤵
          • Runs .reg file with regedit
          PID:1244
        • C:\Users\Admin\AppData\Local\Temp\Restorator.exe
          Restorator.exe
          4⤵
          • Executes dropped EXE
          • Modifies system executable filetype association
          • Modifies registry class
          PID:4000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FPE7D0.tmp
    Filesize

    184B

    MD5

    9708121c091ac1c06f677c5531836fac

    SHA1

    aa0099b4fe219981917d63314723246b5fb51505

    SHA256

    2f448f1a0303d94e87c5f4c87764b3cc909fff3e06b0c39b8a4f69e1f8baffd9

    SHA512

    ed38c9aa05f534105eb45e9348d113b10d54af26d71a2655ef3ad69def29c076b3b2b536147f52a29246fcd1a0c7757f4f0263e9aacb180344485b532a9b90fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Restorator 2006.exe
    Filesize

    147KB

    MD5

    ff7eb09ee68bb57bcf4e562d2b4e7ee0

    SHA1

    f9349040d7672beaf9fb097a016f2fe692cf3b36

    SHA256

    86f5c07780ea7352c21e62df310dfb9bfee0b0fbf49c7c57ba49f02610df50eb

    SHA512

    ed6b87d373ecc90efe36456c45e82b60ce2b53a0b8f51fbdd404f5ca2770e7df2e55fbc245ef6f16a161e6d26ed88f0ead121b27ca436663565c28188c4dd66c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Restorator.exe
    Filesize

    2.1MB

    MD5

    ece34ddce9bb177476de69bcd6dee912

    SHA1

    75af55a55a6f79bed39ca8ece4426224faeebfc3

    SHA256

    c397cac86f72529ac747c72024800f44a1f605b10e7f96468e1aa909beb5153b

    SHA512

    f16fac4c7b93e3a7d5f3742f78e13477cb6c5c8fbace369a9435b1ea037ba726cf69d93a9456719abade3e7e94366031c958768a0190747c10c8c8b9dbc70bff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bt4801.bat
    Filesize

    80B

    MD5

    e90d06192a965ec1ecb1cb48f74ded3e

    SHA1

    5c697156894d71e84bd79bf67afcf57971f1e7d2

    SHA256

    7231872a6028bbeca738c5158219b2100fb24871278598c51b15f81e9f8ba3ac

    SHA512

    6a73f677607653ceb893e55129f31125eb5f28c40e9c16dfc4dee8777009837ef1886594c8a86bc8ec837bb4bac0f3ae03996f38bc4d14f0966639f6ecf4dff7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\setup.reg
    Filesize

    656B

    MD5

    86e88695bd1e76522761c853fe4ada0a

    SHA1

    72ffb5f6ac99de7fe0820d95b01e4f33bab09d82

    SHA256

    89f2897c27615606f4e7fe75297c75c118b04c6445eef461ea162742e93cf0fa

    SHA512

    c52f0726ea29d2d1b0b541320ef78ab50822213832ab4ce3557d9327f69d13a833b49098ca71fc5e96ef3888391bc234e096381f343fb462c636759f184b1b8c

    Download Submit

  • memory/4000-34-0x0000000002920000-0x0000000002921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-37-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4000-41-0x0000000002920000-0x0000000002921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4708-0-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4708-35-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4748-36-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download