Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/07/2024, 14:06

General

  • Target

    67df7ccb79956877849c7d0d27893b11_JaffaCakes118.exe

  • Size

    38KB

  • MD5

    67df7ccb79956877849c7d0d27893b11

  • SHA1

    8150525706ee564ab7002229c2febf6c5d4d5c13

  • SHA256

    9e189ba35731a028b16eed1b3f344514ffcf2b334791f8342fa852b5559041da

  • SHA512

    45ee6cd662cde589751d7df9a12a682765ab139212f098e383ac146457356e61a3ecd4b6b441d4769a8623273e2fc359471257d86e727bcd281d3ada08e0fa7a

  • SSDEEP

    768:8mBOe28ZLIcn6oHEAAPHSoZD87IcaIhiPAcRy3zBIv+8gDJNp4:8mECF6okAAvDlgIcaIxlD2+8gVn4

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67df7ccb79956877849c7d0d27893b11_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67df7ccb79956877849c7d0d27893b11_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
        PID:4160
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:3368
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:8
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1721743629.dat, ServerMain c:\users\admin\appdata\local\temp\67df7ccb79956877849c7d0d27893b11_jaffacakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:2140

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\sysapp10.dll

            Filesize

            40KB

            MD5

            2e1ede89c6666da23e5ef4125bb6352c

            SHA1

            b4d5128a71ffea310e1251c088879e3ab972cf4d

            SHA256

            9dda30701716d56592ad01b4cd2d7dc4d6a947d6a9d4472560aa0547389359d4

            SHA512

            b2dd2ba92e0dd6887553faeb180cf897f9ebd637640099f2ebb0acd4792e11d07cb7dc26900afeb92d9af23b1c9dc717ec12135885e7207673b0a7a1b52186b3

          • memory/4424-0-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

          • memory/4424-3-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

          • memory/4424-13-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB