9f610272cc71de34597dd5dc583f18ff2c688f1205e6a1231b7640ae074a1fb9

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
Size

9.7MB
MD5

5c77f9e33d2786114a77cff22a3e144b
SHA1

ece989b1a0e0641aac9ef5a792e4fb8f4b0fe049
SHA256

9f610272cc71de34597dd5dc583f18ff2c688f1205e6a1231b7640ae074a1fb9
SHA512

048227c034d4b68e60a4fc43ee1a083d82bc802078b416cf1ba9e847406cee383f8f58c484dec014ed51928291a5456f40dd04ea92e2be1786df209ec1323634
SSDEEP

196608:3kWq069PtbRxBrTPx+S1sDVJs7ZRy6gh/j3PIh7aYoK5zIM0O3aj5a0l08Z4L19V:xq069PtbRxt7MIf7ZMzIh7J5zOMklfKp

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000018703-57.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
1932	setup.exe
2320	MegaDecoder_ver1.6322.0.exe
2160	scan.exe
2568	silent.exe
2728	setup.tmp

Loads dropped DLL 13 IoCs

pid	Process
2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
2720	WerFault.exe
2720	WerFault.exe
1932	setup.exe
2728	setup.tmp
2728	setup.tmp
2720	WerFault.exe
2568	silent.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015d5f-33.dat	upx
behavioral1/memory/2568-39-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/files/0x0005000000018703-57.dat	upx
behavioral1/memory/2568-58-0x0000000000220000-0x000000000025F000-memory.dmp	upx
behavioral1/memory/2568-59-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2568-61-0x0000000000220000-0x000000000025F000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{065E0D95-68D6-4520-ADD1-0A6C43E4224B}	silent.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\setup.exe	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2160	WerFault.exe	32

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{065E0D95-68D6-4520-ADD1-0A6C43E4224B}\InprocServer32	silent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	silent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	silent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{065E0D95-68D6-4520-ADD1-0A6C43E4224B}	silent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{065E0D95-68D6-4520-ADD1-0A6C43E4224B}\InprocServer32\ = "C:\\Windows\\SysWow64\\apirc.dll"	silent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{065E0D95-68D6-4520-ADD1-0A6C43E4224B}\InprocServer32\ThreadingModel = "apartment"	silent.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2568	silent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	setup.tmp

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1932	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2320	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2320	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2320	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2320	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2160	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2160	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2160	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2160	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2568	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	33
PID 2212 wrote to memory of 2568	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	33
PID 2212 wrote to memory of 2568	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	33
PID 2212 wrote to memory of 2568	2212	5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2720	2160	scan.exe	35
PID 2160 wrote to memory of 2720	2160	scan.exe	35
PID 2160 wrote to memory of 2720	2160	scan.exe	35
PID 2160 wrote to memory of 2720	2160	scan.exe	35
PID 1932 wrote to memory of 2728	1932	setup.exe	36
PID 1932 wrote to memory of 2728	1932	setup.exe	36
PID 1932 wrote to memory of 2728	1932	setup.exe	36
PID 1932 wrote to memory of 2728	1932	setup.exe	36
PID 1932 wrote to memory of 2728	1932	setup.exe	36
PID 1932 wrote to memory of 2728	1932	setup.exe	36
PID 1932 wrote to memory of 2728	1932	setup.exe	36

C:\Users\Admin\AppData\Local\Temp\5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c77f9e33d2786114a77cff22a3e144b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\setup.exe
  "C:\Windows\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\is-2Q529.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2Q529.tmp\setup.tmp" /SL5="$8010A,9475680,49152,C:\Windows\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2728
- C:\Users\Admin\AppData\Local\Temp\MegaDecoder_ver1.6322.0.exe
  "C:\Users\Admin\AppData\Local\Temp\MegaDecoder_ver1.6322.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\scan.exe
  "C:\Users\Admin\AppData\Local\Temp\scan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 116
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\silent.exe
  "C:\Users\Admin\AppData\Local\Temp\silent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MegaDecoder_ver1.6322.0.exe

Filesize
60KB

MD5
62cf667fd67cd22bc7f3a2ea418055a4

SHA1
cf12d73657edd3a7c2bdfebecb5baeeea8c82ed9

SHA256
b847caf14be8ae12e362ef2eb603907ebb88b94a200ed061c48de9c270484e84

SHA512
b87306b8f1dc3a5f0250c415c84e9ad0729c79a946c1d505b0a77948c425af03ba26c1e84ad7fa123519e3c75f4cfe9b6acfa812c41a4e49a8e7b2c548aaf553

Download Submit
C:\Users\Admin\AppData\Local\Temp\silent.exe

Filesize
118KB

MD5
1aab9752fe77b92c95961f1806b515d1

SHA1
c6055e9b839166c25555c601d375dac9b3e66404

SHA256
ef3af4903b9d7cd52e96df218ce478bb6cdb2e847a4c1c37879e3c4f3c47b7bb

SHA512
6bbba76a7b9abd8e6833be11e1e335dbf42842e1b7ed03f5334278aca08c697e02e1111cb78839559df7a9f6ed817c40c451cc1bc51e66d07368e676896d1d89

Download Submit
C:\Windows\setup.exe

Filesize
9.3MB

MD5
5324acf8f04891980bb60c7d192c92c8

SHA1
63473f8cd901de4162aea385b90470afaae680e3

SHA256
1a2e5ed4d4ebce63230b5487c927ee9b01542e997dd6fe3ba1aac965af3cbbce

SHA512
3f45eb9ea9c8dd43bc9a27e600bd3a6e04c67ce2e08fa761fa5301f678e640c0595d250a49dfde77847e808339b774dd535f11d5a9d80e21a036fd3e079c17fa

Download Submit
\Users\Admin\AppData\Local\Temp\is-2Q529.tmp\setup.tmp

Filesize
665KB

MD5
1e9793373762239a4bc032b00aa953b7

SHA1
ea5a7cf198f0265fb670756daad3b555d34823e3

SHA256
60035136dc5d2e21b9060a4e6618193b0bcfd99c950dafc6749259f40e14ef2e

SHA512
639bb90227b3a2d5e91a8cc540d8d6daa893495b97c0149f573be7ad5ebb7fa0a0887b7dc1d3e724dbbae5fb05a03acc9e06e0a6a2077c51eaf3c1657484c3d8

Download Submit
\Users\Admin\AppData\Local\Temp\is-3NI2K.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\scan.exe

Filesize
182KB

MD5
3f4003f42cb84f47d31c6f4df3ba984c

SHA1
9eb46635bebd9957d4e71051401865a071751dc8

SHA256
3057e6352174caa26fe7bb1136bbf7f4374f362f7d917c8eeca5eef64e79f9ba

SHA512
8fdc8c145c91a9bf30f076540628cfd9592acf8c80dc7ee96be71e54aeabbc3a1a249ad935c801bb551489a71735851e6726de2059968f22ea78e88dcd6994ba

Download Submit
\Windows\SysWOW64\apirc.dll

Filesize
91KB

MD5
b8383252f4d62af7d422b7cca1f956e3

SHA1
54996425ec9edc0f73f47928ab257ebe00e1a51a

SHA256
a223b0977bb2097af28963b0fe2392dca5c2f3ba1333626fa68a45d7a257aadc

SHA512
8125ca13810443308bca172ec9448fbc4cc2148e233f26b18b8f40b7003c4e997f28f004673882dbfdf57fc0730ffb1e11d669f1774d4322d9eca9ea3008efa1

Download Submit
memory/1932-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1932-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2160-27-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2160-26-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2160-63-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2212-2-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/2212-38-0x0000000000F40000-0x0000000000F66000-memory.dmp

Filesize
152KB

Download
memory/2212-37-0x0000000000F40000-0x0000000000F66000-memory.dmp

Filesize
152KB

Download
memory/2212-36-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/2568-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-61-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2568-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-58-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2728-64-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download