Overview

overview

7

Static

static

7

8a88a3dece...18.exe

windows7-x64

7

8a88a3dece...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a88a3dece91605e2c81cf1ea859cc27_JaffaCakes118.exe

  • Size

    894KB

  • MD5

    8a88a3dece91605e2c81cf1ea859cc27

  • SHA1

    c1a23ccf32701a73cdac7f26bb9aa7fbc1642352

  • SHA256

    31f0aa0f559dd67f7982e6ab0601c41aa63ba5b56e7374128da0172b9b785af9

  • SHA512

    eb8ba47e6e4bf2e0bb8a64c22812f9dc7294b37c05750f4a4f930ed65eac7d19109f115c31b2ea414feadf1479026490e2428666a9fd415fb044577802d06e7f

  • SSDEEP

    24576:yPPNoNQgx1B90BdAPgv593hBHxrUtaH4puJEP:XSjd3fRrURpT

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a88a3dece91605e2c81cf1ea859cc27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a88a3dece91605e2c81cf1ea859cc27_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\WINDOWS\TEMP\LILI.exe
      "C:\WINDOWS\TEMP\LILI.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1772
    • C:\WINDOWS\TEMP\wretchbot.exe
      "C:\WINDOWS\TEMP\wretchbot.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\LILI.exe
    Filesize

    369KB

    MD5

    5e15b358722e1a587ffa1001f4035bcc

    SHA1

    a5529bb40715387bdefe8b3c4d22b02e35078c18

    SHA256

    ae8b247c59c6bc1a180227fc7a2e72f1974f5668a572c1ecb73b8b63965ce07a

    SHA512

    e8a6ba6fb8603195e84ce38b3a6525779ed4495329a826f7d3170b81b6b68fc5a026348a1d925b6cb232db6e9284130fd7e0035861363a98594c52d025b295f9

    Download Submit

  • C:\Windows\Temp\wretchbot.exe
    Filesize

    468KB

    MD5

    a3010d4ac7e52031368ac9b3828dc37c

    SHA1

    b89b040be9041b21ab7632514c8a016e141f82fc

    SHA256

    7b03eec3c6be7177726ad52114e2cbb46476e80e654ddbc90af9a9b0850ad26e

    SHA512

    32615248e8d95f93772e9480249792dadb7bb3275ef41fa37958e43051292c759fca5b290f3cd0f86d391c9a34a3543c5ce4c8c823a902f4bcb70ae0c689e8fa

    Download Submit

  • memory/1772-36-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1772-37-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/3244-0-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download

  • memory/3244-22-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download