Overview

overview

7

Static

static

3

65db70d3bd...18.exe

windows7-x64

7

65db70d3bd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 02:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    65db70d3bde8cab4ee6fc955548fb933_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    65db70d3bde8cab4ee6fc955548fb933

  • SHA1

    f4b2810261631e7895489d9c097f788fa35c5930

  • SHA256

    95975470125c1bca6801434105518e932b2bf0aca14ad626f2814e29f3b8c01f

  • SHA512

    ac4cbfda3d7f6236f7e3c160d3b042930fd7d9e646abea49f3f57c53191773c66ae926b998fdb40d23c1a2c6415edc07ff019a148aa6884c11e655f360a2c0a9

  • SSDEEP

    24576:ZhsROjFH2anRtRdYtJeIqybrF9xBhWU0B9FCXqB0ZEOMq+hbXfo5ax6qtOP3BcmT:ZtR28RdYtJJqybB9tWU0B9gg0ZEOMq+K

Score
7/10

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1040
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1116
        • C:\Users\Admin\AppData\Local\Temp\65db70d3bde8cab4ee6fc955548fb933_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\65db70d3bde8cab4ee6fc955548fb933_JaffaCakes118.exe"
          2⤵
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
            "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              "C:\Users\Admin\AppData\Roaming\svchost.exe"
              4⤵
              • Drops startup file
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2648
                • C:\Users\Admin\AppData\Roaming\svchost.exe
                  "C:\Users\Admin\AppData\Roaming\svchost.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:3020
                • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
                  "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:612
                • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
                  "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1340
                • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
                  "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3048
              • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
                "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1592
              • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
                "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1964
              • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
                "C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2996
            • C:\Users\Admin\AppData\Local\Temp\win891E.tmp
              C:\Users\Admin\AppData\Local\Temp\win891E.tmp "http://core2700.freesourceforyou.com/stat/action3.cgi?p=3&a=2700" "C:\Users\Admin\AppData\Local\Temp\win88B0.tmp" 1
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2420
            • C:\Users\Admin\AppData\Roaming\alggui.exe
              "C:\Users\Admin\AppData\Roaming\alggui.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1608

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\win891E.tmp
              Filesize

              4KB

              MD5

              ed21b352d000691f00ebbe08b265db66

              SHA1

              3c1dc4a1f0dac17d362798af7fc3b41718ce39b2

              SHA256

              62ed3c2009d67df1d28e8c80e311b2243f94e10d4a83ed014166257f734d7b24

              SHA512

              7979e7d2d1f8482a95a64742074d627fb3ee6d317f836a1737d9faf25011207a64694148ae572ae23c0ad596e71cba8f69ce79f83964c705decd5212a127fdc0

              Download Submit

            • C:\Users\Admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
              Filesize

              1.4MB

              MD5

              65db70d3bde8cab4ee6fc955548fb933

              SHA1

              f4b2810261631e7895489d9c097f788fa35c5930

              SHA256

              95975470125c1bca6801434105518e932b2bf0aca14ad626f2814e29f3b8c01f

              SHA512

              ac4cbfda3d7f6236f7e3c160d3b042930fd7d9e646abea49f3f57c53191773c66ae926b998fdb40d23c1a2c6415edc07ff019a148aa6884c11e655f360a2c0a9

              Download Submit

            • C:\Users\Admin\AppData\Roaming\wp4.dat
              Filesize

              80B

              MD5

              20656e82580fe329d500a1e4b5f52d86

              SHA1

              85d63ed2d4437b0b96380c3c945f7ffb18a3b371

              SHA256

              a7794f333259946b8389f5615fca99d43d29da43c58b51f5a190912d3b053959

              SHA512

              f41ecaf1a5954bfe954403227b82e84b1a65006049cb892a06568f6f4095bcdfc3a04679a015e1a0a8553d41f237f8cc700d4608338414c161db590c65dc0be0

              Download Submit

            • \Users\Admin\AppData\Roaming\alggui.exe
              Filesize

              55KB

              MD5

              36897f92a5448fd3066b56000e6b70b4

              SHA1

              54b61b272ee8e0ce9496030508060982b95ef3ce

              SHA256

              a87671ca271ded7ed1ce7cb6a693791dcf96ba72734c39d13e842a8e0a0e9556

              SHA512

              fc2f7cccec8863afc6cc4559c3d2f451a46eca927790fc15eacf49e1a95997aa310a99f42c667e990e6f62e0726781bdb63a52ff4997f47440dd1b955601914d

              Download Submit

            • \Users\Admin\AppData\Roaming\svchost.exe
              Filesize

              45KB

              MD5

              eb9ca021b0c180b0cbb0057e49b3e660

              SHA1

              b0e7fe042c9131b44ac99ecd86643b503b7a30e6

              SHA256

              9f15880a3f92474d5f91d6cb086cb86fbfe50dc4dccd493c02688c3806a6224a

              SHA512

              41effe6e16af638d523c6af93c55eb870bc4214b4d785da7d5b0b76fc00581973dd398a79fb2db98bac49e1b8dfe1e08f68caf17e2eb1a914d2c0057a41bcff5

              Download Submit

            • memory/612-60-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/1116-72-0x0000000013140000-0x0000000013144000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1116-75-0x0000000013140000-0x0000000013144000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1116-78-0x0000000013140000-0x0000000013144000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1116-81-0x0000000013140000-0x0000000013144000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1340-178-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/1592-61-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/1608-181-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/1608-129-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/1608-104-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/1608-114-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/1964-177-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2096-10-0x0000000000404000-0x000000000043D000-memory.dmp

              Filesize

              228KB

              Download

            • memory/2096-11-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2096-13-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2096-1-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2096-0-0x0000000000404000-0x000000000043D000-memory.dmp

              Filesize

              228KB

              Download

            • memory/2644-102-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2648-103-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2748-136-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-126-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-118-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-115-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-146-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-160-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-174-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-101-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-15-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-186-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/2748-196-0x0000000000400000-0x0000000000BDC000-memory.dmp

              Filesize

              7.9MB

              Download

            • memory/3020-59-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download