Overview

overview

7

Static

static

3

37e360bc65...18.exe

windows7-x64

7

37e360bc65...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37e360bc659f2c392604cd8be5298e87_JaffaCakes118.exe

  • Size

    174KB

  • MD5

    37e360bc659f2c392604cd8be5298e87

  • SHA1

    45a3b841ad520f1901479ab41ca2ace34b4dcaf7

  • SHA256

    cedccdc60e3274be00187b8bb7cc33c8fb9e244f09b4822bbd2c64dc6f1a9c63

  • SHA512

    593dfac216471ace7af9972de0046101e910b0ca3d89a61c825dff1c0da71d6a339d0730d499748786d4db69bb8cba22a3e7366443a68b36eaef1ccf3cd6b891

  • SSDEEP

    3072:W0s00T8LBb3NIGbVcnk4TGIS1nvxONJdvdxUHe8kroN7TbLFh6Pqg1EDvoDU:jszT8t7bcZ1SRxOhMeJO7XLbwqKEDvoY

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1220
          • C:\Users\Admin\AppData\Local\Temp\37e360bc659f2c392604cd8be5298e87_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\37e360bc659f2c392604cd8be5298e87_JaffaCakes118.exe"
            2⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Users\Admin\AppData\Roaming\Usizu\emivd.exe
              "C:\Users\Admin\AppData\Roaming\Usizu\emivd.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of WriteProcessMemory
              PID:1216
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp853150e3.bat"
              3⤵
                PID:2372
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1920
            • C:\Program Files\Windows Mail\WinMail.exe
              "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
              1⤵
              • NTFS ADS
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:296
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:2780
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:1156

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
                  Filesize

                  2.0MB

                  MD5

                  ed3a2f57520f8b6103ab06ce419c190a

                  SHA1

                  1d7c2eb083af802c31162100b0e42a33079a49c5

                  SHA256

                  8019d92bb141a4d5faeedc8b84950f10345efce20c11e64d8756cb052d65d491

                  SHA512

                  089aac8c1d9f7b4050c2c93572deb135ee5df0455faa6c0f1d2126cf45bbbe47b60f63294d66db9b567a0be64005a2194c0cf17b2ea0175efc513e707c8624f7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Siky\ytfoe.tyg
                  Filesize

                  4KB

                  MD5

                  e981bd95e6383af56bfc7adb65bf7939

                  SHA1

                  9a380a2429ee0b5a76558625e78a3728f145a3ce

                  SHA256

                  2bfefbb739ca91e190b8209db40738e0fb65924d67b300548d0125d167b91102

                  SHA512

                  8cd48d579700bb84c83585fc2c5e2777f955c7632e5cf73b57be640eab8bfa9063cef0cea59e564a588f1c51f1f0cb52d45e32c2be2a8b53849440a5f6f387bd

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Usizu\emivd.exe
                  Filesize

                  174KB

                  MD5

                  0b0d1a71ce9462d89f8d70c0f140dc7f

                  SHA1

                  5517170d9015bbc4bbca0d17b8d7990123b82772

                  SHA256

                  937febe39fea6e84cea004dd82ef40ba78ce6cb7680e059ae86014da414433fc

                  SHA512

                  cc0804bfc426d6c797e0021be201e5811402a556a3166e457d9a79e8032ca6f57d8a2c816380cf9359fbf683d2bac98bf7a3480ca485d3fc2fd8be3875dfd114

                  Download Submit

                • memory/1108-24-0x0000000002100000-0x0000000002137000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1108-32-0x0000000002100000-0x0000000002137000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1108-30-0x0000000002100000-0x0000000002137000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1108-28-0x0000000002100000-0x0000000002137000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1108-26-0x0000000002100000-0x0000000002137000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1172-38-0x0000000001EE0000-0x0000000001F17000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1172-42-0x0000000001EE0000-0x0000000001F17000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1172-37-0x0000000001EE0000-0x0000000001F17000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1172-40-0x0000000001EE0000-0x0000000001F17000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1216-17-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/1216-16-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/1216-329-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/1216-23-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/1220-52-0x0000000002470000-0x00000000024A7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1220-48-0x0000000002470000-0x00000000024A7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1220-50-0x0000000002470000-0x00000000024A7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1220-46-0x0000000002470000-0x00000000024A7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1920-57-0x0000000001DC0000-0x0000000001DF7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1920-55-0x0000000001DC0000-0x0000000001DF7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1920-56-0x0000000001DC0000-0x0000000001DF7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/1920-58-0x0000000001DC0000-0x0000000001DF7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-60-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-0-0x0000000000403000-0x0000000000407000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/3040-62-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-71-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-80-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3040-77-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/3040-75-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3040-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3040-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3040-63-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-64-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-61-0x00000000003B0000-0x00000000003E7000-memory.dmp

                  Filesize

                  220KB

                  Download

                • memory/3040-6-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/3040-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3040-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3040-315-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download

                • memory/3040-314-0x0000000000403000-0x0000000000407000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/3040-1-0x0000000000400000-0x000000000045D000-memory.dmp

                  Filesize

                  372KB

                  Download