Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/07/2024, 02:24

General

  • Target
    3fd1f524eb44f235052756f110a7d0ba_JaffaCakes118.exe
  • Size
    410KB
  • MD5
    3fd1f524eb44f235052756f110a7d0ba
  • SHA1
    184a1057536da4fc7af2918d72b683073d233543
  • SHA256
    be92682a435ad66b1ca051475cbc80798296ea3ad042c41585f028b050825e0a
  • SHA512
    85f2297898c087b4ecb3b9427118b62cbb21291f9ae5701507dd561d15a6f5addfe33220f2425be58796ef731c17a7849099c9a0412545394175ecd3536e42b9
  • SSDEEP
    12288:SnNhuBoY8SorxgmA+nlvVlua2WMCZcMF1FR4U:SPatCg7EPAfecFU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fd1f524eb44f235052756f110a7d0ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3fd1f524eb44f235052756f110a7d0ba_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\csrcs.exe
      "C:\Windows\System32\csrcs.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2916
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:624
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 -w 250 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2188

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\qlhiipq
    Filesize
    85KB
    MD5
    0e312f9da07b862cf6ac2917e7164849
    SHA1
    1743ed731e5ff823b4fcbfc9688c8cfde7b053b4
    SHA256
    9a8c63e5860ee0c1ce3aa435e2dc54beb821fb0b50509298c01ae38b46c59863
    SHA512
    4b8fe2aea987334f9ee4312910caf715f2b8fa460ce581412bf987951c2f246125a7c1ac991b2c1c4439cb1003280f7290a9a822941211332276c0990a85440e

  • C:\Users\Admin\AppData\Local\Temp\suicide.bat
    Filesize
    141B
    MD5
    9d7ddbc6c331aefed77908f803fca1e5
    SHA1
    d36afa796236730342b216f083c68a39227c13bf
    SHA256
    19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf
    SHA512
    014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

  • C:\Users\Admin\AppData\Local\Temp\suicide.bat
    Filesize
    251B
    MD5
    1e234e6e914b53671966f35e7284a401
    SHA1
    09979f541de889178587464efcbb2c7df42f0865
    SHA256
    96eb0fee18d904e1963759ff03ffeac02cab723e0c5eab05477a4e08764ed941
    SHA512
    9d67ca2b890d9eaa05e7c2cf14a4232d7177f7fab38da8ba9fe6b845be3bb7fbbe1144c6eb97426e667371ba7221780fadb9d7c4ea1aa404cce2b42c2d5cf30b

  • C:\Windows\SysWOW64\csrcs.exe
    Filesize
    410KB
    MD5
    3fd1f524eb44f235052756f110a7d0ba
    SHA1
    184a1057536da4fc7af2918d72b683073d233543
    SHA256
    be92682a435ad66b1ca051475cbc80798296ea3ad042c41585f028b050825e0a
    SHA512
    85f2297898c087b4ecb3b9427118b62cbb21291f9ae5701507dd561d15a6f5addfe33220f2425be58796ef731c17a7849099c9a0412545394175ecd3536e42b9

  • memory/1020-50-0x0000000000400000-0x0000000000492000-memory.dmp
    Filesize
    584KB

  • memory/1472-0-0x0000000000400000-0x0000000000492000-memory.dmp
    Filesize
    584KB

  • memory/1472-16-0x0000000005480000-0x0000000005512000-memory.dmp
    Filesize
    584KB

  • memory/1472-29-0x0000000005480000-0x0000000005512000-memory.dmp
    Filesize
    584KB

  • memory/1472-59-0x0000000000400000-0x0000000000492000-memory.dmp
    Filesize
    584KB