Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-07-2024 19:14

General

  • Target

    3e8bde9ae57acb06c8814256e164527f_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    3e8bde9ae57acb06c8814256e164527f

  • SHA1

    9eb3ed407b6f198de315fd82cd24d3dac1f01ea1

  • SHA256

    d0bd104b9d9f9d92c7cd2c55f3b53912c22213a50795cbbe96db7f242aa84d8e

  • SHA512

    1cbf683be0a79bf6eaf8a1ae03954e1a9e7c29b85af38aafa83582ccd8525a5e90875a4f8ee402653f514d80235c85c40294e494cba078d49a7c29ef29635dc2

  • SSDEEP

    12288:zrFqgvk90di6ZBjfwXZhjDmoKURwiTrqAXJ3xfbAN0ZaAcgnNG6a86KEW/T/0Yy:zrJkX6ZFyZhuOBrqAXHANCGU7/by

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Stops running service(s) 4 TTPs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e8bde9ae57acb06c8814256e164527f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e8bde9ae57acb06c8814256e164527f_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\3e8bde9ae57acb06c8814256e164527f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3e8bde9ae57acb06c8814256e164527f_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\mh2.exe
        "C:\mh2.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\net.exe
          net stop cryptsvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop cryptsvc
            5⤵
              PID:2788
          • C:\Windows\SysWOW64\sc.exe
            sc config cryptsvc start= disabled
            4⤵
            • Launches sc.exe
            PID:2008
          • C:\Windows\SysWOW64\sc.exe
            sc delete cryptsvc
            4⤵
            • Launches sc.exe
            PID:2780
      • C:\WINDOWS\TQSE.exe
        "C:\WINDOWS\TQSE.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\mh2.exe
          "C:\mh2.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:2704

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\mmgl20.dll

      Filesize

      19KB

      MD5

      43e5de578251a41f2c70c96f3eaf11d6

      SHA1

      0dd0da795da352154be5b232fbf47a311acbb5db

      SHA256

      7202895bd1f930e7b2c555d9f531df7edd21b0841e16c6a30b9b90da3c7f185a

      SHA512

      60dd880b2a4dc808414524fb30dba25022322e6b838b393161cf9dfe71972b610d6615f65dee91bd3214573fa2492af6a7765b00435c6d0cc76e225625c42470

    • C:\Windows\TQSE.exe

      Filesize

      1.3MB

      MD5

      3e8bde9ae57acb06c8814256e164527f

      SHA1

      9eb3ed407b6f198de315fd82cd24d3dac1f01ea1

      SHA256

      d0bd104b9d9f9d92c7cd2c55f3b53912c22213a50795cbbe96db7f242aa84d8e

      SHA512

      1cbf683be0a79bf6eaf8a1ae03954e1a9e7c29b85af38aafa83582ccd8525a5e90875a4f8ee402653f514d80235c85c40294e494cba078d49a7c29ef29635dc2

    • C:\mh2.exe

      Filesize

      17KB

      MD5

      3c909e1ae2c1ceb9739c98233aea7e8c

      SHA1

      7338e0728d20ebb2e1e2e3dbfe89aa5414ed4aad

      SHA256

      482f16d7fc57958aeef3cbdca7e16a8bc3e01f72b61b1ef5529901b6956b6551

      SHA512

      0455cdd53ab14ac739ec947c154ce5eee854336abca6e05b00e7c63cfd6688bdaeb8fab6fe11dc9b93486a33082cd682a1c34010ed995916659766389c5b61c3

    • memory/740-12-0x0000000000680000-0x000000000068C000-memory.dmp

      Filesize

      48KB

    • memory/740-10-0x0000000000680000-0x000000000068C000-memory.dmp

      Filesize

      48KB

    • memory/740-28-0x0000000000680000-0x000000000068C000-memory.dmp

      Filesize

      48KB

    • memory/2440-14-0x0000000000650000-0x000000000065C000-memory.dmp

      Filesize

      48KB

    • memory/2440-11-0x0000000000650000-0x000000000065C000-memory.dmp

      Filesize

      48KB

    • memory/2704-15-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2704-26-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2716-17-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2716-27-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB