Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12-07-2024 22:19

General

  • Target

    3f17fe39c3750cf36e00d02ed92d049e_JaffaCakes118.exe

  • Size

    21KB

  • MD5

    3f17fe39c3750cf36e00d02ed92d049e

  • SHA1

    4e68c3eb16e855cc4fb5b5990f372fce01753390

  • SHA256

    27b1f51d75c91979cacec43c28940bdd8ec70958d4f3717236945e871317d429

  • SHA512

    f5f998d6effe21444201e73474fd303276e229061b6ed115545c7344b03f260bbc43241607f6cef476ea7de45ba511e7f591df4e06ff03b532a73f9fac3f95ce

  • SSDEEP

    384:SIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZvp1HOaNJawcV:SRGuY2P0Vo6r7SiAwyrMRjbBHfnbcuyM

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f17fe39c3750cf36e00d02ed92d049e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3f17fe39c3750cf36e00d02ed92d049e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B630.tmp\autorun.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Windows\svservice.exe" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1048
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WLIDCVS /t REG_SZ /d "C:\Windows\windsv.exe" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:812
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "windows" /tr "C:\windows.exe" /sc daily /mo 1 /st 21:00:00 /SD 01/01/2012 /ed 31/12/2012
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\B630.tmp\autorun.bat

    Filesize

    345B

    MD5

    aed492dbef42e8528386599feafcd07d

    SHA1

    2e6ade6f7e0dbd97d6e116e73ba7b5316be148af

    SHA256

    594cfc81619330b88be2c7817ba1804f5d46aafe155ad759bd88750c2ce81c1e

    SHA512

    89919440165bda7dd9b69bcc9cb05837ef7b3ff808ebf218b1821fc407e22b3c1f5d046e7e724774c7d7bf90a71cc0f720c3e3898e17daf84c5b3c250e04419c

  • memory/3860-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3860-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB