Overview

overview

7

Static

static

7

78786c6d55...18.exe

windows7-x64

7

78786c6d55...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2024 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78786c6d55eb94c675da76123d3dff10_JaffaCakes118.exe

  • Size

    702KB

  • MD5

    78786c6d55eb94c675da76123d3dff10

  • SHA1

    36d611aa2d68b02ba61a12bb08876b54ae568485

  • SHA256

    f5baaf14bb531269e459660b2d616989ab94f1bf3ecdf09b82b65943b987690a

  • SHA512

    3d4edd2b5748a66c79353bccf3ccdb31b076429981fd3d6e27a94fcc8bd4062726b74cb798c50adbebacc86ff7462a9eaa86eb170c19f8a8995644ff21a74ec5

  • SSDEEP

    12288:/tlStDU/H3LktG5lc3p86thfZ+nrSjhF6BXXkCDYO568Ndd+haWKkAlr1TEAmdza:/tl4IXLksl+WG5Z+MTmXXkM7dyCr1ox4

Score
7/10
discoverypersistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78786c6d55eb94c675da76123d3dff10_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\78786c6d55eb94c675da76123d3dff10_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Users\Admin\AppData\Local\Temp\G7g0TDSSc8AmKdk.exe
      C:\Users\Admin\AppData\Local\Temp\G7g0TDSSc8AmKdk.exe
      2⤵
      • Executes dropped EXE
      PID:2404
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    449KB

    MD5

    9f7baaee7d7d6d2d731447f26994f74d

    SHA1

    87fd6ebb8a1e47efc2c62810aa743735984a2e8d

    SHA256

    9302d09b15a74f3313f1bbe06c3450a61471dd50ea413ec809441e325293ad0d

    SHA512

    818b1fb4367cedae7d3c407540e75e82ce32e33672ce24241a369a24297e4e20a2763508dee1af5fdd8454a0c02de3e74858d7059f7e3fae4344266196d6b22e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\G7g0TDSSc8AmKdk.exe
    Filesize

    574KB

    MD5

    6503efe0a01c2d50c97be27f3cb10a43

    SHA1

    a0cb3708603a18f02352d01ec672020e5bad5073

    SHA256

    0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e

    SHA512

    ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    128KB

    MD5

    709bc52ebffc5b45b42524d9dbdc2bfd

    SHA1

    819d49a89ecf928c13b083798114952d9e934c8d

    SHA256

    e2fb713c788d38ad4200362ef9d81b13d895e633f70ff6d8c424f53b8c164e1a

    SHA512

    16e8a872abfaac83e4a38c0acf24e7ed16ec668fcdcb1706f4ef69bf2834d8969161e3b9e304c1c9eb777c5e68de31bbc6c6170ef9ac9a12c2a5accc86602e16

    Download Submit

  • memory/4088-10-0x0000000000250000-0x0000000000267000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4536-0-0x0000000000F80000-0x0000000000F97000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4536-9-0x0000000000F80000-0x0000000000F97000-memory.dmp

    Filesize

    92KB

    Download