Overview

overview

10

Static

static

3

761533a58e...18.exe

windows7-x64

10

761533a58e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    761533a58e9678720bd218b10e943d80_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    761533a58e9678720bd218b10e943d80

  • SHA1

    f3d4c60f04e96aa3f9b6227ce60d1c87eff51058

  • SHA256

    873becc2d2a5b3c84ab132a7b677088a5e92a72bbe0883861513f5e786e6b9c2

  • SHA512

    84633493280ac2adcb89c718a1b7b9dfccbe74db03f4058d24a0ae2099bb53c74835e3ca47ce71fc0af181484eab097b73085adf2cac1e9872c148dc4d182405

  • SSDEEP

    24576:l39ZDtTS7od7341D2+jjqBicDSdwAO3BECoRWz5smhqzxGkdNrAQDEyYECMrU1y:l3dh73WD2IcicDsZO3BjwG5h+dJfr

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\761533a58e9678720bd218b10e943d80_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Users\Admin\AppData\Roaming\UcSiD3nG4Q6\Cloud AV 2012v121.exe
        C:\Users\Admin\AppData\Roaming\UcSiD3nG4Q6\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2724
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    612B

    MD5

    3e4bafe050d74564309e67950a1c836d

    SHA1

    9b7f5c7266c54c22af1433f7a5a0c8a3baa80bd0

    SHA256

    9747f345fed40a47ad9f2507dc3e240fad1669a030e600a2fe8ad95ed71177d3

    SHA512

    17762d9820153dbcb9aa649274fe5eebe894dd5753490e298cbf2285a7c76d31da285635f5a83e495c3056f619985938acc56488d2eb64c1b76b24c399ba76f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    1KB

    MD5

    098c7f5db223cd68dbe5c053a5359295

    SHA1

    de64ef27bff9eb0a44d9693ffe654c0f961e0f2c

    SHA256

    7685dfebe8261e3a3934dcb83d9ededdfa75bab0ca1fae4cfb4b09da3a4b037f

    SHA512

    39edfa26dc3cf563eeb5434d6e69cb211708be149611597c0d9dfeb454c4cd55a6f43312559e21613140c2a529ddc99ee7d3cbe4385c7ff9da47f01242356b2c

    Download Submit

  • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    Filesize

    1.9MB

    MD5

    761533a58e9678720bd218b10e943d80

    SHA1

    f3d4c60f04e96aa3f9b6227ce60d1c87eff51058

    SHA256

    873becc2d2a5b3c84ab132a7b677088a5e92a72bbe0883861513f5e786e6b9c2

    SHA512

    84633493280ac2adcb89c718a1b7b9dfccbe74db03f4058d24a0ae2099bb53c74835e3ca47ce71fc0af181484eab097b73085adf2cac1e9872c148dc4d182405

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    f39b39afb13a3a66e9c63df6215d56fa

    SHA1

    6f4ae5303ab0930a50ab76f74279eac24a2b87b8

    SHA256

    7457e9075b928fb204b20b7d14fe785d26f36006c3b00dc4063e4d72c17c8b72

    SHA512

    925b92827b7d048d45c4c9f136522599b92350a862054c41a816df023b8e1035b332f794159dbda25321a68b7ee5669776eab7de0c00da0be977feaeefb87fe8

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    50ab0dd716dd66ad0c3eb5fb63f2f118

    SHA1

    bd9641078264b2135d3b3b0007c98f977d057960

    SHA256

    1f9037b078250201c92f8e1ea1ad3023011039c76a5aa74d3710edc452fc6517

    SHA512

    24c0b8ca8650fb50f81b9a89bbb7e8e5492b303b065fbf846c55aeb76c9fc41ebb5b9c6163d168a1362941720473486fdf2596dab4764176ebb348ad264b61d6

    Download Submit

  • memory/2724-84-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2724-101-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2724-221-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2724-19-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2724-177-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2724-143-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2724-121-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3256-1-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3256-2-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3256-7-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3256-8-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3304-11-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3304-10-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3304-17-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download