Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2024, 01:35

General

  • Target

    5e88379b1b7eecc0ecef49ad0d2c9aa0_JaffaCakes118.exe

  • Size

    176KB

  • MD5

    5e88379b1b7eecc0ecef49ad0d2c9aa0

  • SHA1

    817815e93bf3a2041bf268030f297cf72bbf3544

  • SHA256

    1a99ea90b1a99aa47f22d5e3aa753d5dab2ecccd4374ceae709a82c584688742

  • SHA512

    7ae6a247beae9423c09fcbdf0e66b5d16f6984a628c719b22e744718bbe57dd318a034ed25b4300930dddce101d08a21486cbea3df3ac5cd20614343c0fe7307

  • SSDEEP

    3072:5YkY1S8Nl0gLqcVUirACXKqKNpJdzkP+ixH+CiTCF+z4lzXJkoE6J4tJt1fveH+A:5q17zvVNkQBOpQPlUkJXJkoBaJLf2H+A

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e88379b1b7eecc0ecef49ad0d2c9aa0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5e88379b1b7eecc0ecef49ad0d2c9aa0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Delete.bat" "
      2⤵
      • Deletes itself
      PID:2960

Network

  • TTP mapping
    MITRE ATT&CK Enterprise v15

Downloads

  • C:\Delete.bat
    Filesize
    231B
    MD5
    e90c6f1cb212c5db90028a8ad79e8040
    SHA1
    0bd22b5a110c8d789d5615d49a272657dd06d8a0
    SHA256
    55f3161ff64367f058d2d61439cc38cc894315264f97e20f97d3968019df2f53
    SHA512
    670cb1549f2907d495d2f1099c265890a034ce833b2d0403364e7cf68bf809af162dc470d0ca0ede1d63a5ed112a174d6c3699a2c1cd58fdbd6626d1f75ff9f2

  • memory/1432-0-0x0000000000400000-0x000000000073A000-memory.dmp
    Filesize
    3.2MB

  • memory/1432-16-0x0000000000400000-0x000000000073A000-memory.dmp
    Filesize
    3.2MB