Overview

overview

7

Static

static

7

434868e3e9...18.exe

windows7-x64

7

434868e3e9...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2024 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    434868e3e9110f4b1dd8612189482131_JaffaCakes118.exe

  • Size

    97KB

  • MD5

    434868e3e9110f4b1dd8612189482131

  • SHA1

    f2caed1c8f9b009c7d33c56b0e16ada2a1d50854

  • SHA256

    90ae15f8416ef6d07adff15ed8cb0655eb3efeb345e8099b6848c4acebcbfcee

  • SHA512

    be60746cc82d7f4169b9b80827b554d5a4a9b6ade886950d09885a494014e261e706857da159d620a878d84c504427bf480fbf93c7a28c9940785fe0cebd9bff

  • SSDEEP

    3072:+7m32cZ8UtE2UvMzSKMLTQ7ja8qULZsJg/:+K3fo5yo3Q7ja8qe

Score
7/10
adwarediscoverypersistencestealerupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\434868e3e9110f4b1dd8612189482131_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\434868e3e9110f4b1dd8612189482131_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:1284
    • C:\Program Files (x86)\PostTip\PostTip.exe
      "C:\Program Files (x86)\PostTip\PostTip.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:2944
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c \DelUS.bat
      2⤵
      • Deletes itself
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\DelUS.bat
    Filesize

    271B

    MD5

    d099e18e4fba7d4ba62e0d3472787b7c

    SHA1

    d9b5fb640c1d9664e93080ab1cfa6d38048f0076

    SHA256

    6511402c85825ec5d74962246deecc94842bec3a8f90aa475c4dc0a9482d5f00

    SHA512

    a0d583913d0085aac716d86b08babf4464124457de820670a52464478621ea95781d5770f44468aed1a5f92f1bf47e925e275b26ae0f8d2caf83aa0ac230fea2

    Download Submit

  • \Program Files (x86)\PostTip\PostTip.dll
    Filesize

    162KB

    MD5

    dc62c2f61a803bd1292b0b169fa6f8d9

    SHA1

    117ecef652f645ab87a611eab5bc16ae085d6ffb

    SHA256

    7434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af

    SHA512

    55f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1

    Download Submit

  • \Program Files (x86)\PostTip\PostTip.exe
    Filesize

    38KB

    MD5

    c2b5be376cac31c0b01603105ae4ea89

    SHA1

    4fcfa0181ca5478103c6999199957be40f4a937b

    SHA256

    8ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb

    SHA512

    d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72

    Download Submit

  • memory/2084-0-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2084-1-0x0000000000230000-0x0000000000278000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2084-26-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download