Overview

overview

7

Static

static

3

38d50b3ef5...18.exe

windows7-x64

7

38d50b3ef5...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38d50b3ef5a0403986c3bdbebdd94207_JaffaCakes118.exe

  • Size

    85KB

  • MD5

    38d50b3ef5a0403986c3bdbebdd94207

  • SHA1

    92a17658e6b0b5b0d035533258797413e8b84f5c

  • SHA256

    20a9d6e9c6452db4bca47c3aa48bf2abd5ad0a01141e47be4e4ec0fd4c9b7597

  • SHA512

    9b605f689369c25d78652ad50bdde21836f714318d77bf7f5d8f4d80302ad7f6f4c56753285ed29514abea4c829312d45fea9025318e707c56890f48353563d8

  • SSDEEP

    1536:GyapL5ZVzu+ApVBxYhQfp5XmQwg/sdT46:BaLZVzu+ArPfp5XmPgEB

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\38d50b3ef5a0403986c3bdbebdd94207_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\38d50b3ef5a0403986c3bdbebdd94207_JaffaCakes118.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c start arq1.exe
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Users\Admin\AppData\Local\Temp\arq1.exe
            arq1.exe
            4⤵
            • Executes dropped EXE
            PID:2948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c start arq2.exe
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Users\Admin\AppData\Local\Temp\arq2.exe
            arq2.exe
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2840
            • C:\Windows\SysWOW64\EXPLORER.EXE
              EXPLORER.EXE
              5⤵
                PID:2852
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\arq2.exe"
                5⤵
                  PID:2724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\arq1.exe
          Filesize

          15KB

          MD5

          d086545408c8a9fe705ac367d6f2e551

          SHA1

          4e9df7d7cd71679937f0b186d6495db8964eacab

          SHA256

          878843d0d31967fe610a127e1a3e131d699aae23babc3caac2ed202b129d78cd

          SHA512

          164a2988c067afedccc7c35829894d0b3672023a230a4ffae8ec80891c054aa09f3f629de12b17b204f6f4a24366d4eb3f560052c29016f8cc2577e90bebb8ca

          Download Submit

        • \Users\Admin\AppData\Local\Temp\arq2.exe
          Filesize

          51KB

          MD5

          b101a6b64d8f1341a3c88b8d746a5998

          SHA1

          9121c811e4ccded2420d7b15e3e3efeef365cee3

          SHA256

          453e9d696d04834c07d2639b7689b8bece4d41cfef91bcbd146eb4939cf62f38

          SHA512

          db71f23191e51918725c416187c051264a429e4df855936a1f4785f247e039ddab3b7360dfc4852a999f3346cbf30bfe376cedb3eb6584c0e54d26d62aa8a3aa

          Download Submit

        • memory/1184-22-0x0000000003E70000-0x0000000003E71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2072-10-0x0000000000400000-0x0000000000406000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2840-23-0x0000000013140000-0x0000000013175000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2948-6-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2948-24-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download