Overview

overview

7

Static

static

3

64ad3fbf31...18.exe

windows7-x64

7

64ad3fbf31...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/07/2024, 20:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    64ad3fbf31657091b2dbddc095752b3e_JaffaCakes118.exe

  • Size

    251KB

  • MD5

    64ad3fbf31657091b2dbddc095752b3e

  • SHA1

    1ddd280954e9a50460e91f8ef2edbd50a897e4d4

  • SHA256

    815ce88eb9a6faa9bd1447651c34e593b4fe6bcf186b6953411392f607969764

  • SHA512

    16fd8d7b784958b4b8c968d519fa67e38939f4c99edc46514972f701464b97da2b3db21b627fd1da651f6f26f517bc9be926d2276196a50fea2739dbe92a2e58

  • SSDEEP

    3072:GY0yj4Gi3dDlp67pX6LG2Nexysk758vf3F2TEDCfjab4nRVOhRUv9qPbwPlclusb:GY94N5mwLeFoEDC7NRw2zNclusKPbS

Score
7/10
adwarepersistencestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64ad3fbf31657091b2dbddc095752b3e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\64ad3fbf31657091b2dbddc095752b3e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nuke IP Death.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nuke IP Death.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:872
      • C:\WINDOWS\System\jabcora.exe
        C:\WINDOWS\System\jabcora.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1596

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nuke IP Death.exe
          Filesize

          32KB

          MD5

          4af544316c0e73801624faeea2b4307f

          SHA1

          4c6d62b53d453294c22fe04202e2f35daf42e473

          SHA256

          6781d92f199f3e02ebc5c58ad164b1cca802d3981b097b646e927875a5bab22c

          SHA512

          06ac238046af45d4c589f181f432742513bb63c06591035e57db065f07ed84c3ab1b988a33d3d17ccf7036e635de8bc7862b8e077add767a56067a3dfa5e49c6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
          Filesize

          996B

          MD5

          e0064d12f42d1148602d926b4c4f34ff

          SHA1

          cae23d6c8700ebd3751a80fc534a85ec8c33bd03

          SHA256

          fce967be78fd4bf66284b40e920624b4e9ce81df551700f86399f021da0b3a21

          SHA512

          278d92c7e896ee94276af4f1eb33937047127ba9fede27aa7edf09d24fa2f88e2e0ce36e40a041dd7f2507b45d8c2187b1411ea20e2d0f7d05fd3c85ff1084f5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jabcora.exe
          Filesize

          428KB

          MD5

          2cf8e7033db4057911b9ec1c9ac6d27f

          SHA1

          3ed68e186fcb19be3c51161523f154f08cde4253

          SHA256

          654364ea9de26a05955645e7b95959a3d83fcc34a663c7acee2e273651eaa0db

          SHA512

          fd599ce97e267c1fdb468316e640d31778eaab39aa2f3d7355b3fd7bf3ec268fc3d654d22f71ec38c8d8f501b5278ebd44a3fb71b9b5813cd376e71c227cd777

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jabcorahk.dll
          Filesize

          24KB

          MD5

          6f48b9bbd868ff24f7f1dfc2c57db79b

          SHA1

          f71a063b93c248a6dd146472b3b00663f05a68e8

          SHA256

          91a92522b953d0713d83a4fe073e71baf2a183ff83146722e7a88afbf48d24b6

          SHA512

          94f10cfcd38bca608b2f79e2183205b7e66702dcf5b9388c02a1941faa9a95224c5fe169e67c58b7204b70783f162f38446b8fee289501c9bfc3469e7cc97ef7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jabcorawb.dll
          Filesize

          40KB

          MD5

          669104f155e1bb1c984af74b0edd20cc

          SHA1

          8a7efce57c128b121bfbbef9244289a3552add2d

          SHA256

          017f905690e343762ffd8369c0fad8c9a41e07a25f595ab316a02745af888fdf

          SHA512

          ee519fb75170fe1982a3806ffd5d98732cbb76349024b9183741dfae1f462a669a3f2ac1288730f0d55fd0f0937dc246734b42e9e581fa91f460c37385884b20

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
          Filesize

          4KB

          MD5

          f2a0fc2f227ec1613f9791e80b50206c

          SHA1

          01b3d167a2817d98f7edfcfa2fd41a588eb5603a

          SHA256

          b587bf0c48bbc8420f43482d2451812d635e71a81273a34d4c2cdbac7ad8fac2

          SHA512

          e149dad9d1ed3e12a3c79c0762d36d74c43fded4f5cca0ac4e997f3856670082baf6082e90c0a77ef8fe96c933109191bbc9132fd287c0fb272f7ba5700ab301

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
          Filesize

          7KB

          MD5

          a455ca431e66975d886f1a8cfee8cb9f

          SHA1

          95868529973c77199b76ec593a686d9b324dee8b

          SHA256

          6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

          SHA512

          53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

          Download Submit

        • C:\WINDOWS\System\jabcorahk.dll
          Filesize

          24KB

          MD5

          58129986fa29f6dacd99ab45f60bcb3c

          SHA1

          7f21995794a060fc8629e0d113cf568de14c509e

          SHA256

          525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

          SHA512

          62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

          Download Submit

        • C:\WINDOWS\System\jabcorawb.dll
          Filesize

          40KB

          MD5

          2e6016325548ab79e2d636640c6ec473

          SHA1

          586e2b84d46ef00e26c1686033def28e8a9995a5

          SHA256

          62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

          SHA512

          1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

          Download Submit

        • C:\WINDOWS\System\pk.bin
          Filesize

          4KB

          MD5

          795e512f8713fa3a9214d1ea874fe8ab

          SHA1

          060c974cbea54847ff61bd47a409d0c37bc41fdb

          SHA256

          8c7daeae0c41d9666eec78a1fbcfa1c72de360aaaea12f10bf587e56dadd790a

          SHA512

          065e8efa54c827ec5232fc508794198d489e48868cfb71c54d7d453becc49db8a7ac21b2d424757906d69b74ba5911e37b07ea65f76393253ff4b20099b5d016

          Download Submit

        • C:\Windows\System\jabcora.exe
          Filesize

          428KB

          MD5

          bae0fb25bcf05a5da7fde8dce759ee0d

          SHA1

          bc74b07d14a63ce572755c70ceb796136d129e20

          SHA256

          b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

          SHA512

          74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

          Download Submit

        • memory/4772-51-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download