Overview

overview

7

Static

static

7

85df87bbaa...18.exe

windows7-x64

7

85df87bbaa...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2024 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85df87bbaa4b865175047ec06b8a4e7c_JaffaCakes118.exe

  • Size

    132KB

  • MD5

    85df87bbaa4b865175047ec06b8a4e7c

  • SHA1

    cd556bbea6be04dd3608d39c27eacbc2463c74f4

  • SHA256

    1c195f123314403488502df64fc92777fafd399bd4468a7ef499c5b009c4c5e0

  • SHA512

    fecf644985ff7121504eb0db7ca33fda74e895c66d90110261168fe662ddfd67bccbddc90fc7e92d9a7ea0f4241d2da24356370687a2c177314404788781511d

  • SSDEEP

    3072:Ro5xY9VjrFaLG9ID4HT0CwANauWoP7O19RlxXmNf9O69:m5EVjJa5AC78TOm

Score
7/10
discoverypersistencespywarestealerupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1176
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1288
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1352
          • C:\Users\Admin\AppData\Local\Temp\85df87bbaa4b865175047ec06b8a4e7c_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\85df87bbaa4b865175047ec06b8a4e7c_JaffaCakes118.exe"
            2⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Users\Admin\AppData\Roaming\Oxafn\ygfyh.exe
              "C:\Users\Admin\AppData\Roaming\Oxafn\ygfyh.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2948
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb28cbcab.bat"
              3⤵
              • Deletes itself
              • System Location Discovery: System Language Discovery
              PID:820
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1248
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1280
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:112

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmpb28cbcab.bat
                Filesize

                271B

                MD5

                aef887137adf803827e887ff77df39df

                SHA1

                ce97ad077f8e4fc85b39cca882c41c8025282c59

                SHA256

                ca511836860a39190d3a3e9c9cec91649651294e34aa33a9ea3455dbdd78d4f9

                SHA512

                e86526c5d7bc3ea03b73ebd07034c75d560e680320df12f7b1cd43aa4a9aaf06ab2a788a3dac0a15efe519ab344cb4339ab7c55efa38a3f90c6e32754800f486

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Raeq\suez.yxo
                Filesize

                380B

                MD5

                31f1909cc9442f66abe39d1b448d4827

                SHA1

                48ac89c4a783ea3d2d1aba25ef46ed235206e7be

                SHA256

                3bc6360a8c8b3b30f44d062b0f46bd8b012b11e5f4bd0ee9518dab077b77f9eb

                SHA512

                20a4feb3cf529cdeaaf0d2d3098973c4d98bffc686c557e05ad49f60daed352c04e994405174dec0b2ab02b6ba89eb8e14b5ba122b545c2b7ffb9498104394a1

                Download Submit

              • \Users\Admin\AppData\Roaming\Oxafn\ygfyh.exe
                Filesize

                132KB

                MD5

                73164a651862279cd7681304b6e9e1c1

                SHA1

                786f0956d9f78f2dd34399a25d3bd962f2786d02

                SHA256

                ae54a70a1b2f64649ca6ca87176038ff2cf3f6a73871eed0a568a66d8123530b

                SHA512

                8fb88d8c6da17eb9dc66862c892e5cb02f897ddf734b5b14b36eb97cfb4d4c6e94c6a7a48fa4f3e1a8ef812f2ce0f6a5e61df43479f64294145bc5becdea28f5

                Download Submit

              • memory/1176-22-0x0000000001B50000-0x0000000001B75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1176-21-0x0000000001B50000-0x0000000001B75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1176-20-0x0000000001B50000-0x0000000001B75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1176-19-0x0000000001B50000-0x0000000001B75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1176-23-0x0000000001B50000-0x0000000001B75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1248-38-0x0000000001E10000-0x0000000001E35000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1248-36-0x0000000001E10000-0x0000000001E35000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1248-35-0x0000000001E10000-0x0000000001E35000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1248-37-0x0000000001E10000-0x0000000001E35000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1288-26-0x0000000001C50000-0x0000000001C75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1288-25-0x0000000001C50000-0x0000000001C75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1288-27-0x0000000001C50000-0x0000000001C75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1288-28-0x0000000001C50000-0x0000000001C75000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1352-32-0x0000000002AA0000-0x0000000002AC5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1352-30-0x0000000002AA0000-0x0000000002AC5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1352-31-0x0000000002AA0000-0x0000000002AC5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1352-33-0x0000000002AA0000-0x0000000002AC5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-79-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-73-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-63-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-61-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-59-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-57-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-55-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-53-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-51-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-49-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-47-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-45-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-44-0x0000000000290000-0x00000000002B5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-43-0x0000000000290000-0x00000000002B5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-42-0x0000000000290000-0x00000000002B5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-40-0x0000000000290000-0x00000000002B5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-67-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-69-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-71-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-65-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-75-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-77-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-0-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/1612-125-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/1612-81-0x0000000000300000-0x0000000000301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1612-1-0x0000000000220000-0x0000000000234000-memory.dmp

                Filesize

                80KB

                Download

              • memory/1612-41-0x0000000000290000-0x00000000002B5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-143-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/1612-12-0x0000000000290000-0x00000000002F7000-memory.dmp

                Filesize

                412KB

                Download

              • memory/1612-13-0x0000000000290000-0x00000000002F7000-memory.dmp

                Filesize

                412KB

                Download

              • memory/1612-144-0x0000000000290000-0x00000000002B5000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1612-3-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/1612-2-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2948-15-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2948-16-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2948-18-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2948-261-0x0000000000400000-0x0000000000467000-memory.dmp

                Filesize

                412KB

                Download