Overview

overview

10

Static

static

7

3880ca7706...18.exe

windows7-x64

10

3880ca7706...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-07-2024 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3880ca7706869ac27a222cd9999264af_JaffaCakes118.exe

  • Size

    410KB

  • MD5

    3880ca7706869ac27a222cd9999264af

  • SHA1

    0159759add921aae85ef21d57ee6c4201017fe16

  • SHA256

    9a3498f594d05341417167964592c6b1935c7969009728bd22b481e0167c9d63

  • SHA512

    051e144770adb0b773454008e5e551133c7592a30705847b3cafa1531a9b8168f125be092151fef4214e7259eb06543dbc8c74164c7da7eb460766a37f308bb6

  • SSDEEP

    12288:qnNhuBoY8SorxgmA+nlvVloVks0ZoTFR4U:qPatCg7EPOVZmooU

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3880ca7706869ac27a222cd9999264af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3880ca7706869ac27a222cd9999264af_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visiblity of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\csrcs.exe
      "C:\Windows\System32\csrcs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:716
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2692
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 -w 250 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kcqlcde
    Filesize

    85KB

    MD5

    4ecd5d8bc840d6823aed1ea7aced3a25

    SHA1

    991beedfe806d3ffc66272b81f6b2c69feb747fb

    SHA256

    a9ee7221d901f93b3ef51b7506e4ec2715438c862a3ac6d9d71c81a7afb08757

    SHA512

    bc403b7e2a66e50065e0becdcba1ca8ddcd782ddc4739d753d36d73ada52a7049e66f3f6f4bf9c9504a33193af41833958d5b99b449a5383be9b7171e99d331f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\suicide.bat
    Filesize

    141B

    MD5

    9d7ddbc6c331aefed77908f803fca1e5

    SHA1

    d36afa796236730342b216f083c68a39227c13bf

    SHA256

    19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

    SHA512

    014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\suicide.bat
    Filesize

    251B

    MD5

    d7c09bd67c420693c3104a3bcb359a4d

    SHA1

    ccf340fd408e0ab177c12a4c46dd35a157c361a2

    SHA256

    1a0158c2784f1360310c5f3785bb2293ad35f8ac2b6096defe5b89122cc019c9

    SHA512

    da6917075c3ea8ee8b6925ff3206fd12af0f2fecb279324deb8d6217f39707df308b69684439bac1c2b6e3c46f75ba8c54b8c8dbbc05f00cfbca44207a9961ae

    Download Submit

  • C:\Windows\SysWOW64\csrcs.exe
    Filesize

    410KB

    MD5

    3880ca7706869ac27a222cd9999264af

    SHA1

    0159759add921aae85ef21d57ee6c4201017fe16

    SHA256

    9a3498f594d05341417167964592c6b1935c7969009728bd22b481e0167c9d63

    SHA512

    051e144770adb0b773454008e5e551133c7592a30705847b3cafa1531a9b8168f125be092151fef4214e7259eb06543dbc8c74164c7da7eb460766a37f308bb6

    Download Submit

  • memory/1372-71-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1372-83-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1776-0-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1776-88-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

    Download