Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    15/07/2024, 20:30

General

  • Target

    4b47be1f9057a6bb502d373226569780_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    4b47be1f9057a6bb502d373226569780

  • SHA1

    1a86826e74e5a9e79dd97472d9b30223dd0e66ec

  • SHA256

    3a496e21edbc2f26f141c796121250e8ea83ba38c2de9b2fdd1a9b3135b160ac

  • SHA512

    d36019757dd8f3b107bfbaf5fe30cee954e07e90e1cf86e4c7e244be421adfcc4aa5222e28de2742745ed123c589136a5de1a16c0fd11d8a547e6bab8c467755

  • SSDEEP

    3072:vJBU7f5Hyhj7k+zzjTJ7LqcdjDtR+W3axuygNyIt:vETwj7lzzjTp1xtUWCuyPIt

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b47be1f9057a6bb502d373226569780_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b47be1f9057a6bb502d373226569780_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\system\756136.exe
      "C:\Windows\system\756136.exe" /start
      2⤵
      • Executes dropped EXE
      PID:2400
  • C:\Windows\system\756136.exe
    C:\Windows\system\756136.exe
    1⤵
    • Modifies firewall policy service
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\web\ddid

    Filesize

    6B

    MD5

    af6273cfd501714834eccc19c2c59df8

    SHA1

    11cb21deba2626ac1e020922d24b512f6b659844

    SHA256

    39627b5e4c0aaf8849dafc1fd7b585a94a349858096221885ebbb55bec381a09

    SHA512

    d41879b537f280a72bd61a8d74d50815767a7dfa083581f316044d7d77b49e0e3a9953acc62dbb311deb49301356da0676331cfb4318c4f53fb72e0ef6c63c25

  • C:\Windows\web\ddnm

    Filesize

    10B

    MD5

    1ddfcd411a4176f669034db88952ee45

    SHA1

    154c5b1a64b28db43b468bdb65f3870c267ac0c8

    SHA256

    d92ff27780e7969a72febf2b8a59212dd63af16b1b5c3daa06925b3537bb04aa

    SHA512

    a685456f7dcfc80117ea25a491b6c323bd5f8eb2fd649b95afea5c5f77764abfbb0cb1b2e42f403111befcb466b369862580d9f0e5ca09f53ece00c712531022

  • C:\Windows\web\ddsn

    Filesize

    5B

    MD5

    863a76ba2c63cb56d4e4c40508ac3de0

    SHA1

    30a6ebb597cedbe0e6176bdba7ca1e14d3353141

    SHA256

    b48f6ba463568ce38e5ed2860f95ef41481a73690210b0b6f1f35594888b4494

    SHA512

    c8a56d957459aa2089d120bfdbc1d8aab11a802c9cdad945ff51a1f1b93ccaea74a4415ec1064aec5b893be12211737e8ea765ed7ee8a41258abb6c10361281f

  • C:\Windows\web\result.dark

    Filesize

    32B

    MD5

    bb20a835bd1210468af8014aa6a022cd

    SHA1

    f3a93f807ff651d1b2ca1efb65a258de036a9fb4

    SHA256

    5f0f9de4feeb753b9c4bef8cb56070a3b681d8129f19e3874e39e99a105dd152

    SHA512

    1aa2e4b9185a68e3d1260c2189e49b9a16cf20fbc53260d974d2857728ff9b1d2a755a74df86d57e40850e157e6e13020898daa719c19b50e376fc5ec5cf7d98

  • \Windows\system\756136.exe

    Filesize

    108KB

    MD5

    4b47be1f9057a6bb502d373226569780

    SHA1

    1a86826e74e5a9e79dd97472d9b30223dd0e66ec

    SHA256

    3a496e21edbc2f26f141c796121250e8ea83ba38c2de9b2fdd1a9b3135b160ac

    SHA512

    d36019757dd8f3b107bfbaf5fe30cee954e07e90e1cf86e4c7e244be421adfcc4aa5222e28de2742745ed123c589136a5de1a16c0fd11d8a547e6bab8c467755

  • memory/1064-15-0x0000000002BE0000-0x0000000002CF8000-memory.dmp

    Filesize

    1.1MB

  • memory/1064-0-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/1064-3-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/1064-1-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/1064-19-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/1064-17-0x0000000002BE0000-0x0000000002CF8000-memory.dmp

    Filesize

    1.1MB

  • memory/2248-26-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/2248-27-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/2248-30-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/2400-24-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/2400-29-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB