Overview

overview

10

Static

static

3

4427708235...18.exe

windows7-x64

10

4427708235...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    442770823595863fdceaf6697f78dd74_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    442770823595863fdceaf6697f78dd74

  • SHA1

    faa96d12535b04f9b2b6999eccfd61a0b5f825a2

  • SHA256

    48ef472be8748fd7a626b69d56f43bbbe191b4b9422cc1c86c1a7b4f0c202228

  • SHA512

    8b3e1b4f53f24eabc3b1988263b3c067422f9b4dc481a15305d09e4e82faf1945c98f01025ee4a01dd3b40c9edcadd970a19db0565974664f4b7ce909ebf4a4f

  • SSDEEP

    12288:EP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:EPoBHch+uudKNffiv1aVSaPTeO

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\442770823595863fdceaf6697f78dd74_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\442770823595863fdceaf6697f78dd74_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\442770823595863fdceaf6697f78dd74_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\442770823595863fdceaf6697f78dd74_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Users\Admin\V6oUpCF0mC.exe
        C:\Users\Admin\V6oUpCF0mC.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Users\Admin\ttzuez.exe
          "C:\Users\Admin\ttzuez.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:5044
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1184
      • C:\Users\Admin\ayhost.exe
        C:\Users\Admin\ayhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Users\Admin\ayhost.exe
          "C:\Users\Admin\ayhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2768
      • C:\Users\Admin\byhost.exe
        C:\Users\Admin\byhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Users\Admin\byhost.exe
          "C:\Users\Admin\byhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\explorer.exe
            000000D0*
            5⤵
              PID:400
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4552
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
            4⤵
            • Executes dropped EXE
            PID:2420
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
            4⤵
            • Executes dropped EXE
            PID:1668
        • C:\Users\Admin\dyhost.exe
          C:\Users\Admin\dyhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1596
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 442770823595863fdceaf6697f78dd74_JaffaCakes118.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\16C9.60E
      Filesize

      996B

      MD5

      373ca55e200e9b8123ebbd0b4f291727

      SHA1

      8680a57221552fe9014ebd8bb631df222b9bf687

      SHA256

      570eefe075edc6361c4419ece80c8850cff1bc1f57fff82b2b8b35c11efafcc8

      SHA512

      8632840ce8b534904efb04d413ded7eb07c5d6fcb0eb46e3fbcd083618ca5d41aafb60f1d3b286d07b189d895c882091006fbeb6a8dbf369ee8dcb5797a32720

      Download Submit

    • C:\Users\Admin\AppData\Roaming\16C9.60E
      Filesize

      1KB

      MD5

      af4a0a0b0d6f9cd1f5d0270aefd0ad60

      SHA1

      b4e27dc386bf19de638d7942cd4a3408d24fce6c

      SHA256

      9613277217a89f20b0ba5c68705c1191b2128fd7794a94cedd64e3e45c1dae4b

      SHA512

      98489d69d908b114bbee8d70bcc4586a81a7b622463f525249c922da65c0bda4d94cb5575ca31ba6f51031136f48ddfc733160c7a76500661140ec58b9fb88c4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\16C9.60E
      Filesize

      600B

      MD5

      6234c5102360ef1b291fdab84070e9f1

      SHA1

      5c61a28651c2b1f34b16fb8e1852d998b1d78bc9

      SHA256

      10ae64fd3e84f97b385f0c315ee8c4ca6e2c34787f9c07ec129fe37277aedb28

      SHA512

      2bfd8d7024793bfbfab7c25dc3e0fd8639fac6df731d4c5f9a8f36a7ee03013cd8433602034da1f0d4120013bf92ef5ee7c8e4b5730427be8d4ebad1c49a27c8

      Download Submit

    • C:\Users\Admin\V6oUpCF0mC.exe
      Filesize

      332KB

      MD5

      b96dc0230580570446ab648e20a7e3b3

      SHA1

      27483df87ef7093d51062fb2d2fc9944f94c23fb

      SHA256

      2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

      SHA512

      b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

      Download Submit

    • C:\Users\Admin\ayhost.exe
      Filesize

      68KB

      MD5

      2c7c2d4e9c03a1818621def0e1281a81

      SHA1

      c92b29a7f6e9998c7a86b9b57cff15f28647a127

      SHA256

      9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

      SHA512

      431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

      Download Submit

    • C:\Users\Admin\byhost.exe
      Filesize

      136KB

      MD5

      1d0f81b6e185ec95e716d2a0b2ba69a1

      SHA1

      09399ffa69ae8bfd9794104bc4b7b4f481980e3a

      SHA256

      abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

      SHA512

      6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

      Download Submit

    • C:\Users\Admin\cyhost.exe
      Filesize

      168KB

      MD5

      234bf3937f8fe09351acc53c059b40d2

      SHA1

      256f162b65eacc7a1fee35722fbfdbd55bba93c7

      SHA256

      86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

      SHA512

      6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

      Download Submit

    • C:\Users\Admin\dyhost.exe
      Filesize

      24KB

      MD5

      9814ec05c8857737f599ba75b1610fb1

      SHA1

      aa9d9b016c2feda03cf6ad1bbca332070eb9b295

      SHA256

      a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

      SHA512

      c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

      Download Submit

    • C:\Users\Admin\ttzuez.exe
      Filesize

      332KB

      MD5

      522ba8dfb5a8b52c414d18252714429a

      SHA1

      1b4506ca373499ea9e8937aa7e34d65573b39d6d

      SHA256

      8fbe381dc57343f6035922b677eaf835ce168a2d92b299f31e1fbe58f6300ab1

      SHA512

      4eba11726f6b8daf96cabe38b01784f6f984d6af6775ba372ceda726613f50cafa9603a3148a5290b3201e0791495f56623fe9b090e3612bdc01e3e3ec1d554c

      Download Submit

    • memory/1020-88-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1020-273-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1020-274-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1020-2-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1020-4-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1020-6-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1652-70-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1668-154-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/1676-64-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1676-66-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2420-85-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2768-54-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2768-58-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2768-56-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4552-155-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4552-272-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4552-277-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download