Overview

overview

7

Static

static

3

46e39a5f32...18.exe

windows7-x64

7

46e39a5f32...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2024 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46e39a5f32136bef752b128de0af54d7_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    46e39a5f32136bef752b128de0af54d7

  • SHA1

    0e6fbf9f629e70feec9f149ddd48d4925c843e78

  • SHA256

    ef0bfac8bd8acb943449d81d9505cabe0885094c4b387f1268e3c496006d78c7

  • SHA512

    3c6809d1aec3ecbf7ee77bc8137b45812161869f057bc034395bd6d5173fd36874fd9c227207a4b3521c806e788b90f36d6a0ce055d83ab0d94f90a3e4d85583

  • SSDEEP

    1536:t5IctgeInVw24Mu9kJxlJoCtghVlJOmcKuVTD1:t5Ictrcwiu9kJxlOBEx

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46e39a5f32136bef752b128de0af54d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\46e39a5f32136bef752b128de0af54d7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\winNzbfP.exe
      "C:\Windows\System32\winNzbfP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\winNzbfP.exe
    Filesize

    30KB

    MD5

    0aa29f812f9362a7aa0efcc6571a45c3

    SHA1

    7de2999d3527717376a75e5f2724610e401ff61f

    SHA256

    2cde921c6a4a79a0767054699b284fdc0c09921945995b8f27021bf43933fa9f

    SHA512

    9bcc759635c8034244180b6a916760e3dc9876aa308c8df50c693934f9966f26bb82af8bfa5476132706b8b776a5eaef701d67bc12d83a3cc9be70fe1d85ec89

    Download Submit

  • memory/2808-9-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2808-14-0x00000000002E0000-0x00000000002F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2808-13-0x00000000002E0000-0x00000000002F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2808-30-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download