Overview

overview

10

Static

static

3

8686418a68...18.exe

windows7-x64

3

8686418a68...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2024 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8686418a68ee6af68467a5c548a5b3a1_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    8686418a68ee6af68467a5c548a5b3a1

  • SHA1

    fb3e02bbe1ab21de12fe61fb160f629a5a74e9a1

  • SHA256

    a22641f822e509298eb383e8accd405a2959b5ec5a8cb78222dace2f4e345c09

  • SHA512

    f79790027c80dc65d5dcc754886022dbf8728a12ab70b16df0e08a8ad429c7f8939b6a79c31e64457829b395ad8c0f4eb538b102f40671c6733fd9b417a3077a

  • SSDEEP

    12288:ziEPVIq0TcwMi7tBNMLpJVeVvsZWILqY02JwwA1x33GwTuIj+w:ziRq0TcwvypSVvsfLNzJwwAkX

Score
10/10
discoveryevasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8686418a68ee6af68467a5c548a5b3a1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8686418a68ee6af68467a5c548a5b3a1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\Za0Fr02eH4.exe
      C:\Users\Admin\Za0Fr02eH4.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\zeouso.exe
        "C:\Users\Admin\zeouso.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del Za0Fr02eH4.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4448
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1860
    • C:\Users\Admin\2eaz.exe
      C:\Users\Admin\2eaz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        PID:2376
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 80
          4⤵
          • Program crash
          PID:3212
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3124
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2880
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:368
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2772
    • C:\Users\Admin\3eaz.exe
      C:\Users\Admin\3eaz.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Users\Admin\AppData\Local\3cc19ca7\X
        *0*bc*5598ac91*31.193.3.240:53
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          • Modifies registry class
          PID:3692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 8686418a68ee6af68467a5c548a5b3a1_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2376 -ip 2376
    1⤵
      PID:3396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2eaz.exe
      Filesize

      184KB

      MD5

      b5e4ef8f155546bb96b2725ec36f8dd9

      SHA1

      7e1301b8759c39f37993c7145d233f9fd45fa1c9

      SHA256

      c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

      SHA512

      b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

      Download Submit

    • C:\Users\Admin\3eaz.exe
      Filesize

      254KB

      MD5

      0c0be014832905bc4bb981a03f279d6e

      SHA1

      16e8d3cf157ed3afb5041df2bbe97f4422c5a1dc

      SHA256

      13b0b4e5adf34babefd24eb5886a2b9a5d0d2e6cce61a77c2cbd501e22d36f48

      SHA512

      1be55754d1ab77f9ef9c588599428f5754a6cc349471e5f63ca98a5a5d54e40210616937e9f53abe4912b5aa637620b85cb0665e3b60661fd1ca046f7da65060

      Download Submit

    • C:\Users\Admin\AppData\Local\3cc19ca7\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit

    • C:\Users\Admin\Za0Fr02eH4.exe
      Filesize

      212KB

      MD5

      c613e1456c877e1487154fbafe1a298e

      SHA1

      af8c9d76cfb43659ced915b12bba47d0bba11ba0

      SHA256

      b21afd7848d64eadace47bc6f278f4ec2f89b8a42d9be9f55123b0e2de7320f9

      SHA512

      a675e9cd0f4ad741ddaacc15b4a119ab862009b1c62a97ac43a760c6ca5c2ea10e8f00928cd89489759aeea3f91a505b842536a5c221bb6a7b2ecf9a33fc3663

      Download Submit

    • C:\Users\Admin\zeouso.exe
      Filesize

      212KB

      MD5

      2beb7361f2fbc2c51e41fc5631baca33

      SHA1

      ec80818f0568c6068273d38efab5a329e369d457

      SHA256

      b50fb11a7d5e612849cbfb47874c9afbb480a010893cebbeb83e1790786ad954

      SHA512

      70b991d14ffd76ed61a3ef0836523f37b75c7e5b1015d867106a3c13f676a514dc5a34ff6e35e36da2a085e19b58be56c13df75dd0924c241b1334bf0a4744cf

      Download Submit

    • memory/368-54-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/368-88-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/368-61-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/368-56-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2116-85-0x0000000030670000-0x00000000306C6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2772-74-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2772-63-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2772-67-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2772-69-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2880-59-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2880-53-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2880-60-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2880-62-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2880-87-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3124-50-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3124-48-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3124-51-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3124-52-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3124-86-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download