Overview

overview

7

Static

static

3

49a0bdb50a...18.exe

windows7-x64

7

49a0bdb50a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2024 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49a0bdb50a9f22753fae5fa4688b788a_JaffaCakes118.exe

  • Size

    32KB

  • MD5

    49a0bdb50a9f22753fae5fa4688b788a

  • SHA1

    24203af328e5d71a874b1569182e3806692ff1cb

  • SHA256

    4669b8660d87bf1e7c7b0d14a5458aee315c50862365d55ef1054ea53a7194b0

  • SHA512

    caeabbb7635995998d45577809d87f5c5fef28d49594fe5998808e650fc4ebeca06512e618356499b1e44ea038b0df11a58bc1f1ee7a4a44e914f41b4191a48c

  • SSDEEP

    384:CnR+rWpg/Smpc2AfUMjTtVkYCFJykE0bvmH4ciu1VNipbNtCGyF55U:g+rWpg/2sgTtVZ+mH4Ru7sTIb

Score
7/10
persistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49a0bdb50a9f22753fae5fa4688b788a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49a0bdb50a9f22753fae5fa4688b788a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c if exist c:\temp_l.exe start c:\temp_l.exe&ping 127.0.0.1 -n 5&if exist c:\temp_l.exe del c:\temp_l.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • \??\c:\temp_l.exe
        c:\temp_l.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\SysWOW64\myInsDll.exe
          "C:\Windows\system32\myInsDll.exe" Processa.dll,UHbabNASBBAS c:\temp_l.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies WinLogon
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\sfc.exe
            "C:\Windows\system32\sfc.exe" /REVERT
            5⤵
              PID:2132
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 320
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:2904
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • Runs ping.exe
          PID:1160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\myInsDll.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • \??\c:\temp_l.exe
      Filesize

      14KB

      MD5

      ec481dc6b8fe1fa78983e710f817369f

      SHA1

      57978c31c5b2cb86d51b5607cb1e82afb88b7cc8

      SHA256

      e5b3572c771a9c076158843fbf4df12fe0e367d8a0a2bd74f0744685e240d71f

      SHA512

      e2231b3ed092b4969a70dcf48a63c751bf05992aa1184bc2cc5b61a8f18e83519f304e6c2a8437fd702dfde47f2190872c6be5ba2470ed51dde291794777b296

      Download Submit

    • \Windows\SysWOW64\Processa.dll
      Filesize

      10KB

      MD5

      f7606c1f93c12fb51359487267173379

      SHA1

      db6a7aea02ff43c2a6f2a683ebf0f4da4421593e

      SHA256

      3a9d3c9f12b9e4293318a42191684f607edb40bb3894cb70267e246f82ad5e6a

      SHA512

      a72d12994f59bce341ef09c1a68cafed53a350040b14be5f0b77fc45a0f5b133734e0b33646b7bc7e745005270a5a9183b86476418d04ade590a93f27fcb6705

      Download Submit

    • \Windows\SysWOW64\sfc32.dll
      Filesize

      40KB

      MD5

      84799328d87b3091a3bdd251e1ad31f9

      SHA1

      64dbbe8210049f4d762de22525a7fe4313bf99d0

      SHA256

      f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

      SHA512

      0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

      Download Submit

    • memory/1716-7-0x0000000000120000-0x000000000012C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1716-6-0x0000000000120000-0x000000000012C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1836-8-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2812-21-0x0000000010000000-0x0000000010100000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2812-23-0x0000000010000000-0x0000000010100000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2812-22-0x0000000010000000-0x0000000010100000-memory.dmp

      Filesize

      1024KB

      Download