Overview

overview

10

Static

static

7

452c03079c...18.exe

windows7-x64

10

452c03079c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2024 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    452c03079c479667f61a329eeebf79b0_JaffaCakes118.exe

  • Size

    33KB

  • MD5

    452c03079c479667f61a329eeebf79b0

  • SHA1

    812785745a1aad6bf53486b6558252a47dcb4d39

  • SHA256

    993ba2778a53990821d0fc5d16e597a6df53c9ba47d3a1dfee102872f58de015

  • SHA512

    c8cda4e5e3b54db22ba970152d41348748a1f26d8732c19bb06ded980d7918318868122d54d5cc25c468a481b283abc5be8c762c9da41ef8f8581f8405822255

  • SSDEEP

    768:EuUv9Fk8jvbj3BmXPwO80I/w2U2zNH9ykEhBr4KNY1oggihr:ExLk8j/RmXF8dtzNH9xEYFOU

Score
10/10
evasionexecutionupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\452c03079c479667f61a329eeebf79b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\452c03079c479667f61a329eeebf79b0_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:556
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:4964
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:4556
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1720948061.dat, ServerMain c:\users\admin\appdata\local\temp\452c03079c479667f61a329eeebf79b0_jaffacakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:4164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1720948061.dat
      Filesize

      33KB

      MD5

      e5dd3ade77751e70539eb7186be7b34a

      SHA1

      44e180c8457879e42f68de5f770250c44abfbcb1

      SHA256

      d60e1a93d8c304b1a00f9c39a7cb488d319694ecb207ce35fa70faecde1047ca

      SHA512

      b0489b159d3733000cbb79c291e6456bd81c29462b1e50f584decc3664b89c6d58efda6e59af4a97c592dcc54ef80cbfd5c7ab0672d1a28517af7776b5a68300

      Download Submit

    • memory/4012-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4012-11-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download