Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 05:13

General

  • Target

    5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe

  • Size

    9.9MB

  • MD5

    5f26d790dec57efefd921b40fa58e3a6

  • SHA1

    6f962d0cd28de9278c7f4c240aca635783001114

  • SHA256

    0df4152fb09489d30a10b6e4864c3fe005a689e4923324dfd13e256d87f06d3d

  • SHA512

    80acc1affc11a9951201d4989c3ec59cf477d90e27b6be2b9b03aea505446c14d2c537543b128cf76906fcefc6f543f36e6b81750283b71f65f8144bf1a1e009

  • SSDEEP

    196608:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxQnKnqVtxQu9OryfEQncryfEQuly58doQ6:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxg

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 4 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
        3⤵
        • Enumerates connected drives
        PID:3776
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
      2⤵
      • Installs/modifies Browser Helper Object
      PID:460
    • C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\5f26d790dec57efefd921b40fa58e3a6_JaffaCakes118.exe
        3⤵
        • Enumerates connected drives
        PID:784
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 1652
      2⤵
      • Program crash
      PID:1252
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 836 -ip 836
    1⤵
      PID:4888

Downloads


    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

      Filesize

      1KB

      MD5

      7fb5fa1534dcf77f2125b2403b30a0ee

      SHA1

      365d96812a69ac0a4611ea4b70a3f306576cc3ea

      SHA256

      33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

      SHA512

      a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

      Filesize

      174B

      MD5

      3dd1a122c44731e4c4c063ca650e8288

      SHA1

      c80570593913f4e91f1f62427f7dcdb2f59043fe

      SHA256

      e5ef35b5188f5a3a461c16c247a799f23d82ed16911fb55984357f2aeacb8af4

      SHA512

      3d08df026f4eddc33df3f18d596fd5bd1bd9d841c9129a3979cd42188597a3dd6ee36a48b79dd9448a14d1888035ea29b7051852d18311e6094d288d42d998ab

    • C:\Users\Admin\AppData\Local\cftmon.exe

      Filesize

      9.9MB

      MD5

      dd2b78905c97c8edd67b6b81661777b1

      SHA1

      1f1860efb5c43aa72113460cb48c27e59815006f

      SHA256

      7d61388ee3ef81d837ee38d5d042f27780a5249b98516f3952b40416ee1c79a4

      SHA512

      a74660e120e413ce349504df6c9e7ca72f3c39ac223b20f98ecb2ce3f6061b70f13b0cfc32bb03c6e1591f97e7d169b8a1ddc69fee62f14a46952a6bf183480d

    • C:\Windows\SysWOW64\drivers\spools.exe

      Filesize

      9.9MB

      MD5

      a4c9fa76865b010386fff8fc4d83290b

      SHA1

      0936121612c5054e50a808ab68c9b53f8aa8de3c

      SHA256

      8096e4d51dc78cb529c13879f8f373b646fc89cb00ea6c3eec68459eefdb836d

      SHA512

      a8c48cdf5ca88c82d34b9d3da4ec1f7e3436be8ba7fb43f972bb1092eda9656ea795b05edf3add7beae387ed0f5486ce73d251abdc161f9dccb7c674a88ae0fa

    • C:\Windows\SysWOW64\ftpdll.dll

      Filesize

      5KB

      MD5

      d807aa04480d1d149f7a4cac22984188

      SHA1

      ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

      SHA256

      eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

      SHA512

      875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    • memory/784-37-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/836-18-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/836-17-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

    • memory/836-13-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

    • memory/836-0-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/3776-36-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/3956-35-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4536-7-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4536-32-0x0000000010000000-0x000000001010B000-memory.dmp

      Filesize

      1.0MB

    • memory/4536-34-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB