Overview

overview

10

Static

static

7

349d5bcfcb...18.exe

windows7-x64

10

349d5bcfcb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-07-2024 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe

  • Size

    6.3MB

  • MD5

    349d5bcfcb53b074d9029d881e008b9f

  • SHA1

    ccfbc3c523694e7a8262bcda653a976669007218

  • SHA256

    8d43d000eba2f6c86d79fab3b347495ab145f7949e686168ac586ed3b85ec4d8

  • SHA512

    5ff2063363ced9551fcb407454b90f0070e0fefaa66a0d70425871a7bac1c05416f305bcdbf869ba7c517c8436d51635189925a020775d494377431c7e03b06c

  • SSDEEP

    196608:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxQw818dmXEQl1llLmiwIRq8doQKKMfyWv/:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxT

Score
10/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 4 IoCs
  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 7 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
        3⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
          4⤵
          • Enumerates connected drives
          PID:4820
      • C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
        3⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:2744
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
      2⤵
      • Installs/modifies Browser Helper Object
      PID:2740
    • C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\349d5bcfcb53b074d9029d881e008b9f_JaffaCakes118.exe
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:4320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\cftmon.exe
    Filesize

    6.3MB

    MD5

    0f17b8d7e87660f5a7e4171978e6ea45

    SHA1

    fd19a88b2380e38c238dab9fbd90ee3f32601e51

    SHA256

    166eebb91e459e9a90fdfac946a23900ae45111fa6f2021238ed83775c7ca0ad

    SHA512

    e8fc19ccb877b41d392242d58e788bf9ea5d8b4fa2c15566ecc93414763eae8cdd64456a644db203085a7175ec6073010203d87cc52bd781104dcadaf0a2e4db

    Download Submit

  • C:\Windows\SysWOW64\drivers\spools.exe
    Filesize

    6.3MB

    MD5

    3046e1fa8634ab8bf0ffd390afb5d135

    SHA1

    23d7f29f4ca66aeab77f246630099b536694c038

    SHA256

    1a6e0f3ceed4175b28ebaa10fe33728971c2eedf38c4e27172470f56ea5571f8

    SHA512

    9a4d658fc6d3f5a79bc81c12bafbce9186dacb33fde37867955cb8bbbb36fd97e6130a7d4ea454f6ade6f80981006588302be4ba3d4df4dce80a05aa367ba487

    Download Submit

  • C:\Windows\SysWOW64\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • memory/1576-0-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1576-13-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1576-15-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1576-16-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1904-45-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2744-42-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2744-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2744-44-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2744-47-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3100-43-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4320-27-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4320-28-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4320-25-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4320-7-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4820-48-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download