Overview

overview

10

Static

static

3

41eb30d817...18.exe

windows7-x64

10

41eb30d817...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 13:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    41eb30d817e52628e96a48dcba20789b_JaffaCakes118.exe

  • Size

    456KB

  • MD5

    41eb30d817e52628e96a48dcba20789b

  • SHA1

    72d45577071c0712fe808a9124f8c6efe443bf7e

  • SHA256

    7a8416b9850330e8274de5c7cd47c9955a4df2c354513a86894e24bdae44ee94

  • SHA512

    9e957aca540f780119f8b02ad224ccda1eb3f284ea219d7a4305b17281a26d69bd85b39ca4fd6b93f28a1a8882bb67ca70a594e2ccac89e8719f3a4f4da8a5d6

  • SSDEEP

    12288:y4ik34n1GxipPy4ZNj2mOb/DNlq41TzXe9Yv:y4ik34n15iN/5lq41Tzuq

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41eb30d817e52628e96a48dcba20789b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\41eb30d817e52628e96a48dcba20789b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\u8kSVi.exe
      C:\Users\Admin\u8kSVi.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Admin\ytjow.exe
        "C:\Users\Admin\ytjow.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del u8kSVi.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2700
    • C:\Users\Admin\alay.exe
      C:\Users\Admin\alay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\alay.exe
        "C:\Users\Admin\alay.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2668
    • C:\Users\Admin\dlay.exe
      C:\Users\Admin\dlay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2716
    • C:\Users\Admin\flay.exe
      C:\Users\Admin\flay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 41eb30d817e52628e96a48dcba20789b_JaffaCakes118.exe
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2816

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \Users\Admin\alay.exe
            Filesize

            68KB

            MD5

            1bf479c263ff9b58c1cc00c965f4c14a

            SHA1

            494555c284279f4cb8b1ea9f91ce12c98e057fce

            SHA256

            3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

            SHA512

            48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

            Download Submit

          • \Users\Admin\dlay.exe
            Filesize

            36KB

            MD5

            ca22de79e6c6c38eb6dfef7fe1660b05

            SHA1

            859243fbafb70d5631e96cf88fc3a4c917cecfca

            SHA256

            8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4

            SHA512

            b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

            Download Submit

          • \Users\Admin\flay.exe
            Filesize

            264KB

            MD5

            9b3122a0ed7ec1eb344be414036da288

            SHA1

            cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

            SHA256

            ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

            SHA512

            f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

            Download Submit

          • \Users\Admin\u8kSVi.exe
            Filesize

            248KB

            MD5

            76a6dee598367ca2ce4e90457622eb62

            SHA1

            067b85364f34f26292739ea3c04706335c7a9ee4

            SHA256

            2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

            SHA512

            8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

            Download Submit

          • \Users\Admin\ytjow.exe
            Filesize

            248KB

            MD5

            e6856bb71294c24c73b568a84a7ea096

            SHA1

            2db0b1782d2dc8ab1859778ee2079001b6a3528f

            SHA256

            b6cf249d71121c0d911128f0f11bc8cbc036733061f33d01bbf9ca5ac8c4c221

            SHA512

            5c85d1a68d6c5a4e407d50d986020e9b91702721409915ab597a970a1449a5baffc78d7e7680cad4afbb395ec01e6aecbabd766a3c5f7208222bb3e59651c74d

            Download Submit

          • memory/1616-91-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1616-89-0x0000000002A20000-0x0000000002A60000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1616-88-0x0000000002A20000-0x0000000002A60000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1616-81-0x0000000002A20000-0x0000000002A60000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1616-84-0x0000000002A20000-0x0000000002A60000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1616-87-0x0000000002A20000-0x0000000002A60000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2336-28-0x00000000037E0000-0x000000000429A000-memory.dmp

            Filesize

            10.7MB

            Download

          • memory/2668-50-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2668-39-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2668-41-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2668-43-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2668-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2668-46-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2668-49-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2668-48-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download