Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/07/2024, 03:29

General

  • Target

    5a4a9ebb10ba32cff89b5a167358c2cd_JaffaCakes118.exe

  • Size

    280KB

  • MD5

    5a4a9ebb10ba32cff89b5a167358c2cd

  • SHA1

    e8e41b6659f4d04e8d3ea86ef7efafd81cbcf578

  • SHA256

    683cb5caac114d471b1b3168857d0ad0da521c6a5776642984953cfd54137860

  • SHA512

    4ab67913b0d0a61cbfb05c3c3a45131a9f8354ae459a85b4753cd1f49ef33018af0d4a9bf84cfe2134deb8f20c8b13c7650d261548c64436a63fc3a34f428ea3

  • SSDEEP

    6144:za47Kmz932r4BayJXUtZ74obPuMHWeud82JF:zaYTz9320BapHbWeud7

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 60 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a4a9ebb10ba32cff89b5a167358c2cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5a4a9ebb10ba32cff89b5a167358c2cd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Roaming\npad.exe
      "C:\Users\Admin\AppData\Roaming\npad.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\DE6D.bat
        3⤵
          PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\DE2F.bat
        2⤵
          PID:2376

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\altcmd\altcmd32.dll

        Filesize

        180KB

        MD5

        22846b0f8ea425509bacd20b62955b15

        SHA1

        1d9535077e31bddca0f23b809d2ea9d5c0f62fe6

        SHA256

        10e09e62661b8b5d74748aa750fc8d91b49f24616ed2126b076c187ce664c1fb

        SHA512

        4f19d20b1061b39fbfbea9dbeadfaec94b523ab28f0b32e5d5376a0b2c3eb339f3792197fb53fe05564c3c34b1d04e84c787fa2317dad673479c64dce25c5d15

      • C:\Users\Admin\AppData\Local\Temp\DE2F.bat

        Filesize

        259B

        MD5

        742286f595075b348a30b0cf6f5d7ffa

        SHA1

        3726b858d4931cb96405a873681c6db935b13819

        SHA256

        5687dd87eddc4815973aeb2379e7916113ac5eeda37178a8494aed9552dfc6c8

        SHA512

        0cf169d14416b6d3e499693d75780c5268af453242711bdbde0b9cb8a98e29d5d59b62cb5f7642a268040ab23e9cb5c3422c2af4daf81ef255ba181baa3175b8

      • C:\Users\Admin\AppData\Local\Temp\DE6D.bat

        Filesize

        169B

        MD5

        b48615fdef77cf5a1d83733a168ce01b

        SHA1

        8ca8c5528b1cf27ea698605989947aeebaba614d

        SHA256

        cbfc7c5f280607d1870cf8875565b598778a2dcd934ab0a8b1a35e9086f53ea8

        SHA512

        54c1b7f47b332c9e09f1bf7522e262d3616fb8416893759f0e3d302333495ca4d2627fc1922e2ac037f5f75756b98496885d776adeb41f31880461e098541236

      • C:\Users\Admin\AppData\Roaming\npad.exe

        Filesize

        204KB

        MD5

        a75dfbace47f24b1d189a96add4eb9ac

        SHA1

        aaa810d4564c69ba2f3c1eb036a7ce7a8fa06b28

        SHA256

        cc10413fa4f47f9d4c4205d6580e56b574f0c1060a7f64123caf3140a86004c8

        SHA512

        12a24816246b72cd2180f43925fc48e75ab3855a72ef68d15cbe9b1a53a4546937c14a2db6ed6caf416c531290ff419bbe96d49f6ee742fdb65bbb09fae30e0c

      • \Users\Admin\AppData\Roaming\nvsvc1024.dll

        Filesize

        56KB

        MD5

        dd4afbcf01b1eeff176324dd83682e20

        SHA1

        4e5b4eea02e0365ce97a059a456cf769c4017353

        SHA256

        a258f68eae18fae9d0fb7110527a8dd6e2cbd0e44016a19373ad10bb5eb16020

        SHA512

        2db69c8507b0407713b6d2f638425bbd632c4493e5d4cf86352481f4a8efa8f954092f1efe5c47ba38afddec94a19dffec7e7ef5bc0d42b76a42ac463a47ce7a

      • memory/2316-21-0x0000000010000000-0x0000000010018000-memory.dmp

        Filesize

        96KB

      • memory/2316-22-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

      • memory/2460-41-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB