Overview

overview

10

Static

static

3

6116c0edc9...18.exe

windows7-x64

10

6116c0edc9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2024, 19:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6116c0edc9a70e39cd5ce0c2cf6944c2_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    6116c0edc9a70e39cd5ce0c2cf6944c2

  • SHA1

    d0fe346918eeea017289b450552a26ffe2311c58

  • SHA256

    85782efb7daa0bf8f6f658e210bcfc45a526198393416f1557d96a764342570c

  • SHA512

    9a277c9e2ce66efe82bd084d6d37fff7430ba5350cb83e6dea3ceb4547677595795d4c0b232837fd9789ad953b5173d2f32a884ac2d4620e9f15686c4f2f8e3a

  • SSDEEP

    12288:hiEPVIq0TcwMi7tBNMLpJVeVvsZWILqY02JwwA1x33GwTuIj+w:hiRq0TcwvypSVvsfLNzJwwAkX

Score
10/10
evasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    PID:332
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies WinLogon for persistence
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\6116c0edc9a70e39cd5ce0c2cf6944c2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6116c0edc9a70e39cd5ce0c2cf6944c2_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Users\Admin\Za0Fr02eH4.exe
        C:\Users\Admin\Za0Fr02eH4.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Users\Admin\hooloh.exe
          "C:\Users\Admin\hooloh.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2232
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del Za0Fr02eH4.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
      • C:\Users\Admin\2eaz.exe
        C:\Users\Admin\2eaz.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\2eaz.exe
          "C:\Users\Admin\2eaz.exe"
          4⤵
          • Executes dropped EXE
          PID:2760
        • C:\Users\Admin\2eaz.exe
          "C:\Users\Admin\2eaz.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2872
        • C:\Users\Admin\2eaz.exe
          "C:\Users\Admin\2eaz.exe"
          4⤵
          • Executes dropped EXE
          PID:2596
        • C:\Users\Admin\2eaz.exe
          "C:\Users\Admin\2eaz.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2604
        • C:\Users\Admin\2eaz.exe
          "C:\Users\Admin\2eaz.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1884
      • C:\Users\Admin\3eaz.exe
        C:\Users\Admin\3eaz.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Users\Admin\AppData\Local\c8f83bbb\X
          *0*bc*3aab31e*31.193.3.240:53
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1912
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 6116c0edc9a70e39cd5ce0c2cf6944c2_JaffaCakes118.exe
          3⤵
          • Deletes itself
          PID:1140
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      1⤵
        PID:2960

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\c8f83bbb\X
              Filesize

              38KB

              MD5

              72de2dadaf875e2fd7614e100419033c

              SHA1

              5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

              SHA256

              c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

              SHA512

              e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

              Download Submit

            • C:\Windows\system32\consrv.dll
              Filesize

              29KB

              MD5

              1149c1bd71248a9d170e4568fb08df30

              SHA1

              6f77f183d65709901f476c5d6eebaed060a495f9

              SHA256

              c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1

              SHA512

              9e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459

              Download Submit

            • \Users\Admin\2eaz.exe
              Filesize

              184KB

              MD5

              b5e4ef8f155546bb96b2725ec36f8dd9

              SHA1

              7e1301b8759c39f37993c7145d233f9fd45fa1c9

              SHA256

              c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

              SHA512

              b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

              Download Submit

            • \Users\Admin\3eaz.exe
              Filesize

              254KB

              MD5

              0c0be014832905bc4bb981a03f279d6e

              SHA1

              16e8d3cf157ed3afb5041df2bbe97f4422c5a1dc

              SHA256

              13b0b4e5adf34babefd24eb5886a2b9a5d0d2e6cce61a77c2cbd501e22d36f48

              SHA512

              1be55754d1ab77f9ef9c588599428f5754a6cc349471e5f63ca98a5a5d54e40210616937e9f53abe4912b5aa637620b85cb0665e3b60661fd1ca046f7da65060

              Download Submit

            • \Users\Admin\Za0Fr02eH4.exe
              Filesize

              212KB

              MD5

              c613e1456c877e1487154fbafe1a298e

              SHA1

              af8c9d76cfb43659ced915b12bba47d0bba11ba0

              SHA256

              b21afd7848d64eadace47bc6f278f4ec2f89b8a42d9be9f55123b0e2de7320f9

              SHA512

              a675e9cd0f4ad741ddaacc15b4a119ab862009b1c62a97ac43a760c6ca5c2ea10e8f00928cd89489759aeea3f91a505b842536a5c221bb6a7b2ecf9a33fc3663

              Download Submit

            • \Users\Admin\hooloh.exe
              Filesize

              212KB

              MD5

              671f4f97411dd2047567a382f05a4c37

              SHA1

              7c2e6a3abb584323cf2bd79266e5d89203584e6a

              SHA256

              3e3f95d8e7f7d04caa270ba571af8f3778e867ec677de7f0878663d9011b9f17

              SHA512

              a629fbc66b976791bb8edd1d1bd56566f91628510372a818e6348018ba3f26731dc9c6516fa0ce712916c2704082d517fdc3242745d1c081a97c0b0221067050

              Download Submit

            • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
              Filesize

              2KB

              MD5

              4c1216e054fa7e280096b6d0f4f0f0f1

              SHA1

              6fc93cae784ee44268d6e2694907b84731cd2b10

              SHA256

              8c010147b0085b640564224367f4be72df0929aff8a2277f8e4713201808c2a7

              SHA512

              9d2bb2dc2cbff314655401a515f5811504b6417b2831a023ccd9ca26f782147654917eb53fbf54e3cee9583023f2729c70b4f57171e8e41edd10a00dd6fa0244

              Download Submit

            • memory/332-125-0x0000000002570000-0x000000000257B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1176-126-0x00000000031A0000-0x00000000031AB000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1176-130-0x00000000031A0000-0x00000000031AB000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1176-134-0x00000000031A0000-0x00000000031AB000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1176-104-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1176-108-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1176-112-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1176-135-0x0000000003D60000-0x0000000003D6B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1884-89-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1884-94-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1884-79-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1884-81-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1884-83-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1884-86-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1884-88-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2508-28-0x0000000003A40000-0x00000000044FA000-memory.dmp

              Filesize

              10.7MB

              Download

            • memory/2596-75-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-55-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-57-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-62-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-63-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-60-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-141-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2596-53-0x0000000000400000-0x0000000000455000-memory.dmp

              Filesize

              340KB

              Download

            • memory/2604-66-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2604-64-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2604-76-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2604-71-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2604-146-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2604-68-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2604-73-0x0000000000400000-0x0000000000407000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2760-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2872-50-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-45-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-41-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-51-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-140-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-48-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-43-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/2872-52-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download