Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-07-2024 01:09

General

  • Target

    767db863164ec054813a61fc1c469b60_JaffaCakes118.exe

  • Size

    25.9MB

  • MD5

    767db863164ec054813a61fc1c469b60

  • SHA1

    cf1f5541ea6fcd245d725b89e4e2309b895ab4f7

  • SHA256

    b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31

  • SHA512

    c723996862f4368555af5cd3435ffc7207e9b7f945369ff543b1de5e527a26bed0cd18389ca64bb95085426b9d7f7d2753b8995de2bcfd02b882ac3f4a4f16ed

  • SSDEEP

    786432:zfzDs7aZXBWhs6cets5XOjehnRLy3f3xfDcgH:zffYavetwmehntyJff

Malware Config

Signatures

  • Panda Stealer payload 2 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk Stealer payload 2 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\ProgramData\start.exe
      "C:\ProgramData\start.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7D3B.tmp\7D3C.tmp\7D3D.bat C:\ProgramData\start.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:244
        • C:\ProgramData\Changer.exe
          Changer.exe -pskxLL0100xKKsjXJ19289 -dc:/ProgramData
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:728
          • C:\ProgramData\allSkinsData.exe
            "C:\ProgramData\allSkinsData.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3500
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1436
          • C:\ProgramData\InventoryChangerLoader.exe
            "C:\ProgramData\InventoryChangerLoader.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1168
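
The chain recorded above (start.exe dropped in C:\ProgramData, running a batch file from %TEMP% through cmd.exe, which launches Changer.exe, whose child allSkinsData.exe spawns the .NET Framework binary AddInProcess32.exe with no arguments) is the kind of parent/child sequence that process-creation telemetry can flag. The rules below are an added example, not part of the sandbox report or of any vendor's detection logic. The events are constructed from the report's process tree: PIDs, image paths and command lines are the report's, while the explorer.exe parent of PID 2988 and the notepad.exe event are invented (the latter to show a non-match), and the rule names are the example's own.

```python
"""Flag the process-tree pattern from the report in process-creation events.

Added example, not part of the sandbox report. Field names follow the
Sysmon Event ID 1 subset the rules need (image, parent image, command line);
the event list is constructed from the report's process tree.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed from the report's process tree. The explorer.exe parent of
# PID 2988 and the notepad.exe event (a benign control) are invented.
EVENTS: List[ProcEvent] = [
    ProcEvent(2988, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1200, 2988, r"C:\ProgramData\start.exe", r'"C:\ProgramData\start.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"),
    ProcEvent(244, 1200, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7D3B.tmp\7D3C.tmp\7D3D.bat C:\ProgramData\start.exe"',
              r"C:\ProgramData\start.exe"),
    ProcEvent(728, 244, r"C:\ProgramData\Changer.exe",
              r"Changer.exe -pskxLL0100xKKsjXJ19289 -dc:/ProgramData",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(3500, 728, r"C:\ProgramData\allSkinsData.exe", r'"C:\ProgramData\allSkinsData.exe"',
              r"C:\ProgramData\Changer.exe"),
    ProcEvent(1436, 3500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              r"C:\ProgramData\allSkinsData.exe"),
    ProcEvent(1168, 728, r"C:\ProgramData\InventoryChangerLoader.exe",
              r'"C:\ProgramData\InventoryChangerLoader.exe"', r"C:\ProgramData\Changer.exe"),
    ProcEvent(4321, 1234, r"C:\Windows\system32\notepad.exe", r'"C:\Windows\system32\notepad.exe"',
              r"C:\Windows\explorer.exe"),
]

PROGRAMDATA = "c:\\programdata\\"
DOTNET_FW = "c:\\windows\\microsoft.net\\framework"   # also matches Framework64
TEMP_MARK = "\\appdata\\local\\temp\\"


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is just the (possibly quoted) image path."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for events matching the report's chain."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        low = ev.cmdline.lower()
        # 1. cmd.exe started by a ProgramData binary to run a .bat from %TEMP%
        if (_basename(ev.image) == "cmd.exe" and _under(ev.parent_image, PROGRAMDATA)
                and TEMP_MARK in low and ".bat" in low):
            hits.append((ev.pid, "cmd_runs_temp_batch"))
        # 2. executable in ProgramData launched by that batch-running cmd.exe
        if (_under(ev.image, PROGRAMDATA) and parent is not None
                and _basename(parent.image) == "cmd.exe" and ".bat" in parent.cmdline.lower()):
            hits.append((ev.pid, "dropped_exe_from_batch"))
        # 3. ProgramData binary spawns a .NET Framework host with no arguments
        if _under(ev.parent_image, PROGRAMDATA) and _under(ev.image, DOTNET_FW) and _no_arguments(ev):
            hits.append((ev.pid, "programdata_spawns_dotnet_host"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 3 fires on the bare AddInProcess32.exe launch that the report attributes to PID 3500 (the process also carrying the SetThreadContext and WriteProcessMemory indicators); the control event shows explorer.exe starting notepad.exe is not matched by any rule.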

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Changer.exe
    Filesize

    25.6MB

    MD5

    432498138f372d6f58fb1ce3838eaab9

    SHA1

    74e5cd939cf140d9ed37ee901d68b2a51e49aa33

    SHA256

    47d02c42b8460c5c7031a32add3cb69ac6950f8f8f613e93a2e956721f42bdd7

    SHA512

    98fbcf36196d41289579aa6383593d85080bfd2e3095c75dcd645aa59a911e3a6ac3f638fa9e0b5649b2d16ed9db29e0f2c3bf9c640838792e63c4ffb14372a0

  • C:\ProgramData\InventoryChangerLoader.exe
    Filesize

    14.2MB

    MD5

    3dd6cc2610355bbd373e371bf73a00e8

    SHA1

    2fbaaa9fbbcffe14ce59ff76d3dc362bfb8b3acf

    SHA256

    0b1673433abfcb1257ff9db3c6f4d84cd3637ba9351fdabd889209798da2b228

    SHA512

    eb44ac42d55fddfc1a93f82c8cbf577c7fdef65b2938e0cbcf58630c92cb7b073916906d096970a3a3271a0fcf20fd32c3c9c10788f12820d79a2d28abeafba6

  • C:\ProgramData\allSkinsData.exe
    Filesize

    1.4MB

    MD5

    9e964d0100dde88172f64ecef8e49299

    SHA1

    e65910e0c60e1c728f59a2004ba2f0d44eb56da9

    SHA256

    22fc083a0dc3b0b7f2275a8097e3a7c60fa6ebdd00ad80a90dcfc03f90e50644

    SHA512

    63c56cdec6bfe0f02bc495cf4636cbb5524affc0af7f3b7802cd90aa59d8eba57eaeb55c6fe0f312e4d61d069c9f3ff0207dca14a60f71dad0f6874464868b49

  • C:\ProgramData\start.exe
    Filesize

    88KB

    MD5

    9590a44fb19cef257378efe5697e8b0b

    SHA1

    7c6bec1a118adcb4fc2dad41512b94b2577a5a48

    SHA256

    1270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853

    SHA512

    421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247

  • C:\Users\Admin\AppData\Local\Temp\7D3B.tmp\7D3C.tmp\7D3D.bat
    Filesize

    74B

    MD5

    ad1338af912f600aacea8967b518c5cf

    SHA1

    e1a44e009c1f925bce69d423949d1e27670b21f2

    SHA256

    3407436e93523047a207cc6ae8d4eb17cc578b7687e41601b0347e7e42d3ba26

    SHA512

    68147c07bef9aa52bd88375e96cb07984f851cfd31a08e85eb6fa818bc10a6d38c392b4afe02ec25317f5d2d54873ded12dff6a6faf0a24b769db736e3190875

  • memory/1168-52-0x000001E653970000-0x000001E653A20000-memory.dmp
    Filesize

    704KB

  • memory/1168-49-0x000001E639770000-0x000001E639780000-memory.dmp
    Filesize

    64KB

  • memory/1168-54-0x000001E65B510000-0x000001E65B548000-memory.dmp
    Filesize

    224KB

  • memory/1168-45-0x000001E653A30000-0x000001E65411A000-memory.dmp
    Filesize

    6.9MB

  • memory/1168-46-0x000001E654F80000-0x000001E65566E000-memory.dmp
    Filesize

    6.9MB

  • memory/1168-48-0x000001E639730000-0x000001E63975E000-memory.dmp
    Filesize

    184KB

  • memory/1168-47-0x000001E6396E0000-0x000001E639730000-memory.dmp
    Filesize

    320KB

  • memory/1168-43-0x000001E637610000-0x000001E63925A000-memory.dmp
    Filesize

    28.3MB

  • memory/1168-50-0x000001E63AFA0000-0x000001E63AFDA000-memory.dmp
    Filesize

    232KB

  • memory/1168-51-0x000001E655F60000-0x000001E65601A000-memory.dmp
    Filesize

    744KB

  • memory/1168-55-0x000001E65B4E0000-0x000001E65B4EE000-memory.dmp
    Filesize

    56KB

  • memory/1168-53-0x000001E65AC90000-0x000001E65AC98000-memory.dmp
    Filesize

    32KB

  • memory/1436-67-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/1436-68-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/3500-42-0x00000000002C0000-0x0000000000434000-memory.dmp
    Filesize

    1.5MB

  • memory/3500-44-0x0000000004DA0000-0x0000000004DBE000-memory.dmp
    Filesize

    120KB
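
The listing above is the raw material for a hash-based sweep and for sanity checks on the dumps. As an added example (not part of the report or of the sandbox vendor's tooling), the Python below parses a Downloads block in exactly this layout, derives each memory dump's size from the address range in its name and checks it against the listed Filesize, and matches SHA-256 digests of files on disk against the dropped-file hashes. The SAMPLE_BLOCK text is copied from the listing above (start.exe with its MD5 and SHA1 lines omitted, plus the two dumps of PID 1436); the function names are the example's own.

```python
"""Parse the Downloads block of a sandbox report into IoC records.

Added example, not part of the report. Reads the layout shown above (one
bullet per artifact, then 'Filesize' and hash labels each followed by a
value line), checks each memory dump's address range against its listed
Filesize, and matches SHA-256 digests of files against dropped-file hashes.
"""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Copied from the Downloads section above (MD5/SHA1 of start.exe omitted).
SAMPLE_BLOCK = r"""
  • C:\ProgramData\start.exe
    Filesize

    88KB

    SHA256

    1270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853

    SHA512

    421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247

  • memory/1436-67-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/1436-68-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB
"""
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


@dataclass
class Artifact:
    name: str
    filesize: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)
    pid: Optional[int] = None       # memory dumps only
    region: Optional[range] = None  # dumped address range [start, end), dumps only


def parse_block(text: str) -> List[Artifact]:
    items: List[Artifact] = []
    pending: Optional[str] = None  # label whose value is the next non-blank line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            art = Artifact(name=line[1:].strip())
            if m := MEM_RE.fullmatch(art.name):
                art.pid = int(m.group(1))
                art.region = range(int(m.group(2), 16), int(m.group(3), 16))
            items.append(art)
            pending = None
        elif line == "Filesize" or line in HASH_LEN:
            pending = line
        elif pending and items:
            if pending == "Filesize":
                items[-1].filesize = line
            elif len(line) == HASH_LEN[pending] and re.fullmatch(r"[0-9a-fA-F]+", line):
                items[-1].hashes[pending] = line.lower()
            else:
                raise ValueError(f"malformed {pending} for {items[-1].name}: {line}")
            pending = None
    return items


def human_size(n: int) -> str:
    """Format a byte count the way the report does (74B, 88KB, 1.5MB)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n // 1024}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def dump_size_mismatches(items: List[Artifact]) -> List[str]:
    """Names of memory dumps whose address range disagrees with the listed Filesize."""
    return [a.name for a in items if a.region is not None and human_size(len(a.region)) != a.filesize]


def match_digests(digests: Dict[str, str], items: List[Artifact]) -> Dict[str, str]:
    """Map each label whose SHA-256 equals a dropped-file IoC to that artifact's name."""
    wanted = {a.hashes["SHA256"]: a.name for a in items if "SHA256" in a.hashes}
    return {k: wanted[v.lower()] for k, v in digests.items() if v.lower() in wanted}


def sweep(paths: Iterable[Path], items: List[Artifact]) -> Dict[str, str]:
    """Hash files on disk and return those matching the report's SHA-256 IoCs."""
    digests = {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in paths if p.is_file()}
    return match_digests(digests, items)


if __name__ == "__main__":
    arts = parse_block(SAMPLE_BLOCK)
    print("dump size mismatches:", dump_size_mismatches(arts))
    print("IoC hits in cwd:", sweep(Path(".").iterdir(), arts))
```

Every dump in the listing above is internally consistent (for instance 0x47F000 - 0x400000 = 0x7F000 = 508KB for both dumps of PID 1436), so dump_size_mismatches returns an empty list for the full block; a non-empty result would point at a truncated or mislabelled dump before anyone spends time on it.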