Overview

overview

7

Static

static

3

7350543180...18.exe

windows7-x64

7

7350543180...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 08:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    73505431808f35451429c9f2928fed8c_JaffaCakes118.exe

  • Size

    3.6MB

  • MD5

    73505431808f35451429c9f2928fed8c

  • SHA1

    246594865870a10e4b3354915d1bc26ae6a8fca8

  • SHA256

    57e34074450dc3b3a0595d45e69952c3c331bbff9f25771af7895a1bb7bd010e

  • SHA512

    6cef32fc926f53c4282a5afcc9acf29ddf25f1767211e60dfa8dbdf6799e099757b12b62e36010cbe23701885612bb7b778a59c4f2d081f6ee2b095cd5bfbbd8

  • SSDEEP

    98304:4giUcW86XsORYZl4/eWTsOE+mf+4kTZXa/v/iZCeZfAN:H8jLZiGaTc/HiUvN

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73505431808f35451429c9f2928fed8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73505431808f35451429c9f2928fed8c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\Portable UDefrag.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\Portable UDefrag.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\SysWOW64\regedit.exe
        regedit /e HLM2.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4736
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s HLM.reg
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:992
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\App\UDefrag.exe
        App\UDefrag.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4300

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\App\UDefrag.exe
          Filesize

          2.2MB

          MD5

          ea4e000a8fdda90a74964c497bc9bc4c

          SHA1

          71ae121fe8bdc14ec8e5e24eeb57a45a5afeb326

          SHA256

          a3f9612a8d867f14cd305f8e1063e7a2cae7326e3f4c0584f1869e67a63cc2e1

          SHA512

          bbf4cec7a53081812f2b15232e3f302a83e4647fd9f250586e9ee369d163ce6b52d6c6a17505dc43924cacd333ecb4f6ec244eb6f7607ecfad56be508adc2b6e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\App\UDefrag.xml
          Filesize

          1KB

          MD5

          76b14ddbd69a7015b0161643918617cc

          SHA1

          ca487c6131c6e7d7921db70fa7a941c18de9c9e8

          SHA256

          84e6e7e27aff618cee797f40c03774c6d02c5eca212c304e337afacca0a67b26

          SHA512

          f0398ed901b55a692fad34dd213c4b98aa13d605f74fab9918f8d4163c66702c23407593a135598629dc2f02ec4eae36fec5f86c3281015bc2f6f7954a2cce61

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\Data\Registry\Ins\HLM.reg
          Filesize

          606B

          MD5

          5a9874fe962e4a1be1fb2ad435aaed99

          SHA1

          e4da659016b182ac2ee0e64ee194044c0c642d91

          SHA256

          63c2fc60268e8d0f77dbe1ad1ae567b60e5483212d6eadfe745818c86a1cc65a

          SHA512

          13668dc2131a25f5413d25ce8479a39bf745a27093732b8fac0f272760aa00f05ff98ed31c38f654daaa1dd6c9e4248af0d2476de7b50687c64a3f704da3ba5c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UltimateDefrag\Portable UDefrag.exe
          Filesize

          618KB

          MD5

          ad99ea4b7bd66aedff8aef99d5d290c6

          SHA1

          46bf435b03685182cd9aab27b71b8aab351368ba

          SHA256

          1936dd535582b04f69465bd8b52dcf2abd5c956bc2a276862e68e364739bc2ae

          SHA512

          50d6099cac8cda4c7958e32933f219ad088b0b43b665ddb62fb2342327d3096b24ee046c6fc61563b39d0411edaec920686857633f6ec1e305e0acf9c4f49d40

          Download Submit

        • memory/1124-36-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1816-28-0x0000000000400000-0x0000000000536000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1816-37-0x0000000000400000-0x0000000000536000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4300-34-0x0000000000400000-0x000000000090D000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4300-38-0x0000000000400000-0x000000000090D000-memory.dmp

          Filesize

          5.1MB

          Download