Overview

overview

10

Static

static

7

86f6100513...18.exe

windows7-x64

10

86f6100513...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10/08/2024, 17:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    86f6100513be895e0be88169fe26d56b_JaffaCakes118.exe

  • Size

    73KB

  • MD5

    86f6100513be895e0be88169fe26d56b

  • SHA1

    325dd74e6f9ea63dda510a557e33b1d97d269729

  • SHA256

    7bda7f255c9a90c12598edba75594c831bf262ccfbf7da7a0b372084b2caaadf

  • SHA512

    0164c466ff95bd73fef4d9130f3566b20e593368a58602f84273a0d27b6a0a1930d7429de7ce131ee23d613e6e25882b87d6ad9efde9735e29c4715fdd141774

  • SSDEEP

    1536:Dt1l74fw0OY8/3dMWOsSBiHXhZNy5bV8PqZLgsc2BajR:DXZuDOYK3h/y5bSMgsctjR

Score
10/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\86f6100513be895e0be88169fe26d56b_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\86f6100513be895e0be88169fe26d56b_JaffaCakes118.exe"
        2⤵
        • UAC bypass
        • Windows security bypass
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2152
        • C:\Users\Admin\AppData\Local\Temp\86f6100513be895e0be88169fe26d56b_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\86f6100513be895e0be88169fe26d56b_JaffaCakes118.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2504

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1204-10-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1204-14-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2152-0-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

            Download

          • memory/2152-5-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

            Download

          • memory/2504-3-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2504-6-0x0000000000400000-0x00000000004083A0-memory.dmp

            Filesize

            32KB

            Download

          • memory/2504-8-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2504-9-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2504-13-0x0000000000400000-0x00000000004083A0-memory.dmp

            Filesize

            32KB

            Download