Analysis

  • max time kernel: 146s
  • max time network: 125s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/07/2024, 16:55

General

  • Target: 46b3299b1f4dc2c88223fbf7db824fbe_JaffaCakes118.exe
  • Size: 218KB
  • MD5: 46b3299b1f4dc2c88223fbf7db824fbe
  • SHA1: 6839e906e19199bca4e1d80ec416e13a482906ef
  • SHA256: 03a9e366c41345a2b52ec65c4c0beb91599c8aef0c1632b3da869072734c2a13
  • SHA512: faa2b3f7a40fbaab65e633c735ea62516e0d0eec518a9b58c79a9907282bd1312ad9a0f33cb2b8e19382d7828fceac7130d11f1e4016911529e2da6d782d742c
  • SSDEEP: 3072:XFToY0hbid6a2MGkfNr3ak/gWpIV0AN3cU4qFhbGUbtB+DCqdd9TGpw2gLl6CRLK:l2U6a2sfNKkRg0dlq7VJBNqxipw2grLK

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46b3299b1f4dc2c88223fbf7db824fbe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\46b3299b1f4dc2c88223fbf7db824fbe_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\com32.exe
      "C:\Windows\com32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2891.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.0.0.1 -n
        3⤵
        • Runs ping.exe
        PID:2376

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2891.bat
    • Filesize: 179B
    • MD5: af330305b1458ef80e0e6aefd64889fd
    • SHA1: b711f1a49251bc692abfe3d7ac97ca555384e29b
    • SHA256: 7dc54bcf3f1b59724a4a77a540954e327ed71fea280d2b7dba2e31f23f636a67
    • SHA512: 85d5ea2f4053e923433adc83620aa61efa007d275933d21afbd55c9fec0cfa0ff9436ae941e444cedb2ade6f4c51a1fca71ac121642f007b2ede8fdbe85ca466

  • C:\Windows\com32.dll
    • Filesize: 56KB
    • MD5: 6b53abd463d03809011ac99c25808569
    • SHA1: af5fa8bfe2f19fb5d1a4db680036474591d93ddd
    • SHA256: 46f53d6f391d6bfe01019c9d08e8d419bafa5645a9546127365f9829deded90a
    • SHA512: be537c0945377fb13282fe354d52209e9050d10a819f0bb253129e1eb3c20de73fb9de184fd35e4b04c7ea27a55ffc865f280c9058ffd4c01aaa8dca9d2cdc33

  • C:\Windows\com32.exe
    • Filesize: 3KB
    • MD5: 0d6b2c02b6ce0dc179140b7e61aee386
    • SHA1: af292e0547d91cf217110c6fa699b85e1cdc38cf
    • SHA256: bc83e4468902ba3cc6fe376efde3f2d49634d82f077674215802b5fd2a84539b
    • SHA512: 7e43e7d57a97ec5b7d1edeba5ded64f34fca7ce6b447a3fccb2f4dc6a2015259cb29eff6c3575f5cb47e50e0797240d5fb3c4f9ed78e0e2de5f5e6b4732f0222

  • C:\Windows\userinfo.ini
    • Filesize: 1KB
    • MD5: 3e3ac8407106165544852ca38977d112
    • SHA1: 9ff81e031db1c4e8a93a0ab7a6b097ec551ddf8e
    • SHA256: 5690d975ce6400a98a16ad6a3c8e6f8cc987f05e9467d082c3bb381b1373e65a
    • SHA512: c5e51c04444f1d0e2026397c16333278f1c58740d710100c053cbf5e2329416af596113db89e1ce71b18d1bbc06b0d0d085dc926159c27e7e949774320d91941

  • memory/4056-0-0x0000000000400000-0x000000000044E000-memory.dmp
    • Filesize: 312KB

  • memory/4056-1-0x0000000000400000-0x000000000044E000-memory.dmp
    • Filesize: 312KB

  • memory/4056-2-0x0000000000400000-0x000000000044E000-memory.dmp
    • Filesize: 312KB

  • memory/4056-3-0x0000000000400000-0x000000000044E000-memory.dmp
    • Filesize: 312KB

  • memory/4056-19-0x0000000000400000-0x000000000044E000-memory.dmp
    • Filesize: 312KB