Overview

overview

10

Static

static

3

04654d2d59...18.exe

windows7-x64

10

04654d2d59...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    28/07/2024, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04654d2d595db4b36bc1186f0e56a947_JaffaCakes118.exe

  • Size

    125KB

  • MD5

    04654d2d595db4b36bc1186f0e56a947

  • SHA1

    d9a1b88a645e732eac58f5e866b121fb9bc5f588

  • SHA256

    ee06f14a3b346b7516368d69f2fbdac12622aaf24d01526c13932f6e4e2e1da5

  • SHA512

    450ed1a99bedd38387dfad68eb00997fb140fd0b65f5b0c4cecfc1bf98cbc3bce96c05732eaa6f26dc159d3b5cc0b152a1578512833716f44a4009b1a7193d45

  • SSDEEP

    3072:L6pO5MNL3J8uqmAxOxRqDrbt3hgMUDQ0L5P2B:O8G13JpqfxqKXgnF2

Score
10/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs
    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\04654d2d595db4b36bc1186f0e56a947_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04654d2d595db4b36bc1186f0e56a947_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\04654d2d595db4b36bc1186f0e56a947_JaffaCakes118.exe" "C:\Users\Admin\AppData\lsass.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\04654d2d595db4b36bc1186f0e56a947_JaffaCakes118.exe" "C:\Users\Admin\AppData\lsass.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\SysWOW64\reg.exe
          reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
          4⤵
          • Modifies WinLogon for persistence
          • System Location Discovery: System Language Discovery
          PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c attrib +h "C:\Users\Admin\AppData\lsass.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +h "C:\Users\Admin\AppData\lsass.exe"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\lsass.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c attrib +h "C:\Users\Admin\AppData"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib +h "C:\Users\Admin\AppData"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2028-0-0x00000000002B0000-0x00000000002B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-1-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2028-3-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download