Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 22:38

General

  • Target

    36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe

  • Size

    32KB

  • MD5

    36adbdb71ebab3834301b628f47c6ea9

  • SHA1

    b905a7a5564382484c2f2a1257db4363ed9f4c37

  • SHA256

    c683f142faad47db9fcbaed2ce63aa670b711b6f5622b89ffa4263b7f7ac717e

  • SHA512

    7037f184e9869c457731534162b98b259f672194aab563ef59f5fadb4f884efe18878e18eda39b051b4015bb6594902147cd7873aac132a29910e9b23702c317

  • SSDEEP

    768:EEl6Ovnxd1HN1SZnpDoR89WIB825ykUPLfUMXW1F52SDV:EEkWB1SZ6RcB82chPAX1NDV

Score
10/10

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the UPX (or a modified UPX) open-source packer.

  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is the Windows utility for controlling services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:2756
    • C:\Windows\SysWOW64\sc.exe
      sc config cryptsvc start= disabled
      2⤵
      • Launches sc.exe
      PID:2124
    • C:\Windows\SysWOW64\sc.exe
      sc delete cryptsvc
      2⤵
      • Launches sc.exe
      PID:1404
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Users\Admin\AppData\Local\Temp\1720651082.dat, ServerMain c:\users\admin\appdata\local\temp\36adbdb71ebab3834301b628f47c6ea9_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Loads dropped DLL
      PID:3024
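The process tree above shows a compact service-kill and self-delete chain: net stop, sc config start= disabled and sc delete against cryptsvc, then rundll32 loading a dropped .dat from Temp via an exported ServerMain and being handed the original executable's own path. The Python below is an added detection example written for this page, not code from the sandbox or from the sample; the Proc schema, the SAMPLE_EVENTS list (rebuilt from the tree above, plus a constructed benign "net start spooler"), the rule names and the severity thresholds are all assumptions.

```python
"""Added example: detect the service-kill chain and the rundll32 self-delete hand-off
from process-creation events.  SAMPLE_EVENTS is constructed from the report's process
tree plus one benign event; it is not real telemetry, and Proc is an assumed schema."""
from dataclasses import dataclass

SERVICE_TOOLS = {"net", "net1", "sc"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


MALWARE = r"C:\Users\Admin\AppData\Local\Temp\36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe"

# Constructed sample: PIDs, images and command lines from the tree above,
# plus an admin 'net start spooler' (PID 4100) that must not fire.
SAMPLE_EVENTS = [
    Proc(2624, 1000, MALWARE, f'"{MALWARE}"'),
    Proc(3064, 2624, r"C:\Windows\SysWOW64\net.exe", "net stop cryptsvc"),
    Proc(2756, 3064, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop cryptsvc"),
    Proc(2124, 2624, r"C:\Windows\SysWOW64\sc.exe", "sc config cryptsvc start= disabled"),
    Proc(1404, 2624, r"C:\Windows\SysWOW64\sc.exe", "sc delete cryptsvc"),
    Proc(3024, 2624, r"C:\Windows\SysWOW64\rundll32.exe",
         r"C:\Users\Admin\AppData\Local\Temp\1720651082.dat, ServerMain " + MALWARE.lower()),
    Proc(4100, 900, r"C:\Windows\System32\net.exe", "net start spooler"),
]


def _tool(path: str) -> str:
    """Lower-case basename without a trailing '.exe', so 'net1' and 'net1.exe' compare equal."""
    name = path.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_service_tamper(cmdline: str):
    """Map a net/sc command line to (action, service), or None if it is not tampering."""
    tokens = cmdline.split()
    if len(tokens) < 3:
        return None
    tool, verb, service = _tool(tokens[0]), tokens[1].lower(), tokens[2].lower()
    if tool in ("net", "net1") and verb == "stop":
        return ("stop", service)
    if tool == "sc" and verb == "delete":
        return ("delete", service)
    if tool == "sc" and verb == "config" and "disabled" in " ".join(tokens[3:]).lower():
        return ("disable", service)
    return None


def detect_rundll32_handoff(proc: Proc, parent):
    """rundll32 loading a non-.dll module from Temp and receiving its parent's own exe path
    as an argument: the shape behind the 'Deletes itself' / 'Loads dropped DLL' signatures."""
    if _tool(proc.image) != "rundll32" or parent is None:
        return None
    cmd = proc.cmdline.strip()
    head = cmd.split(None, 1)
    if head and _tool(head[0]) == "rundll32":  # some loggers keep the exe name, some drop it
        cmd = head[1] if len(head) > 1 else ""
    if "," not in cmd:
        return None
    module, rest = cmd.split(",", 1)
    module = module.strip().strip('"')
    parts = rest.split()
    if not parts:
        return None
    export, args = parts[0], parts[1:]
    handed_parent = any(a.strip('"').lower() == parent.image.lower() for a in args)
    if handed_parent and "\\temp\\" in module.lower() and not module.lower().endswith(".dll"):
        return {"pid": proc.pid, "module": module, "export": export, "parent_image": parent.image}
    return None


def analyze(events):
    """Correlate tampering per (origin process, service); return findings in a stable order."""
    by_pid = {p.pid: p for p in events}
    chains = {}
    for p in events:
        if _tool(p.image) not in SERVICE_TOOLS:
            continue
        hit = classify_service_tamper(p.cmdline)
        if hit is None:
            continue
        action, service = hit
        origin = p  # net.exe spawns net1.exe, so walk up to the first non-service-tool ancestor
        while _tool(origin.image) in SERVICE_TOOLS and origin.ppid in by_pid:
            origin = by_pid[origin.ppid]
        chains.setdefault((origin.pid, service), set()).add(action)
    findings = []
    for (pid, service), actions in sorted(chains.items()):
        findings.append({"rule": "service_tamper", "origin_pid": pid, "service": service,
                         "actions": sorted(actions),
                         "severity": "high" if len(actions) == 3 else "medium"})
    for p in events:
        hit = detect_rundll32_handoff(p, by_pid.get(p.ppid))
        if hit:
            findings.append({"rule": "rundll32_self_delete_handoff", **hit})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Attributing the stop/disable/delete actions to the first ancestor that is not net, net1 or sc is what lets the three sibling commands collapse into one high-severity finding on PID 2624 instead of three unrelated medium ones; the same walk-up is what a Sysmon or EDR rule needs, since net1.exe rather than net.exe is the process that actually stops the service.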

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1720651082.dat

    Filesize
    31KB

    MD5
    549312358cf6e474c7c2594eb9d22592

    SHA1
    6216544e1b1d475971ee41077ec2c9e3f7e0f31a

    SHA256
    06c1a837e60a32dddf89c69a0cdb956e0366909522a36cc081eb2f09ecfd6103

    SHA512
    87fc7d0ea4f96f3092432bbd6a689127e3b1762bb8652575e20658a87585e4333d4c5bc5b098599076183d347b11a9d01abfe2a1e04e6080e510886085fb1a40

  • memory/2624-0-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize
    84KB

  • memory/2624-10-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize
    84KB