Overview

overview

8

Static

static

7

8e52e23315...18.exe

windows7-x64

8

8e52e23315...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12-08-2024 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e52e23315107af7267625ae6585b375_JaffaCakes118.exe

  • Size

    392KB

  • MD5

    8e52e23315107af7267625ae6585b375

  • SHA1

    36a2e290281a2a6a39c763ee22964f206023e861

  • SHA256

    889b91ba5fc0b15d338a48d1f8f71d6860ad5aff3e28336c1f43b445e049e383

  • SHA512

    5cd4f72645fe8b9a5e3d5fddc29ea4a2d8a6e4c56ed61d7058a6c77940b28b409274f8fda92dccc77e3081cdaeef4e3f81fa321337e14ec8a36625e40d4475a6

  • SSDEEP

    6144:amUPQw5bPV6eJedItmt/shiqV4KIMNSJ7e7ESmA7ptFnMABnZAVnEKYdy/F9htj:N69JP14N/sgk7mA7ptXanEKYdy/F/t

Score
8/10
aspackv2discoverypersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 4 IoCs
    persistence
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Sets service image path in registry
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\MSSTDFMT.DLL
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2728
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\wshom.ocx
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2740
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\scrrun.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2904
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\REGTOOL5.DLL
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2668
    • C:\Program Files (x86)\mui\sysmss.exe
      "C:\Program Files (x86)\mui\sysmss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Program Files (x86)\mui\igfxext.exe
        "C:\Program Files (x86)\mui\igfxext.exe"
        3⤵
        • Adds policy Run key to start application
        • Sets service image path in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s C:\Windows\MSSTDFMT.DLL
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1092
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s C:\Windows\wshom.ocx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1344
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s C:\Windows\scrrun.dll
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2772
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s C:\Windows\REGTOOL5.DLL
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\System\ado\CABARC.EXE
    Filesize

    36KB

    MD5

    1d5bb5211488b51bdeeacaead9dab27b

    SHA1

    13f9086aeb6e2684a38ed3dae4112c297e3e3356

    SHA256

    9251ad412e63c920f8ae360beb79e3e7e6a38f047bf965b445044f0402fc8699

    SHA512

    5ab3ff5ef4575dd5538deb22c28fc69b51ba90566f724c72563851adc2b074cb8cc30ccc20a47251d27423b4bb1ce29cd73e5c53e345f66953e87687d14ccb4a

    Download Submit

  • C:\Program Files (x86)\Common Files\System\ado\Wuauclt.exe
    Filesize

    392KB

    MD5

    8e52e23315107af7267625ae6585b375

    SHA1

    36a2e290281a2a6a39c763ee22964f206023e861

    SHA256

    889b91ba5fc0b15d338a48d1f8f71d6860ad5aff3e28336c1f43b445e049e383

    SHA512

    5cd4f72645fe8b9a5e3d5fddc29ea4a2d8a6e4c56ed61d7058a6c77940b28b409274f8fda92dccc77e3081cdaeef4e3f81fa321337e14ec8a36625e40d4475a6

    Download Submit

  • C:\Program Files (x86)\Common Files\System\ado\config.ini
    Filesize

    784B

    MD5

    99971d6c478302597afa5dcc6c658edc

    SHA1

    cb2d945592b662cf9b7bf4b67ffb59546f6ae0c0

    SHA256

    68b0187adc7b0842e1843e55482618e69e2f9990a34d9f95fa81facef38c513d

    SHA512

    bd611ccb7dd0894e99e7c43d53305ec1f284e175b80420f7aeea64f38134c82f2ba4f9bc9e7214933d02846030284e16e3eda1973e536a8ffc5f1f9a132a2f46

    Download Submit

  • C:\Program Files (x86)\Common Files\System\ado\readme.txt
    Filesize

    60B

    MD5

    5d813ed34c0ff34684d8c9a86f8af43b

    SHA1

    06101fa8079934e2d3051875c880c0e07458efbd

    SHA256

    a3f3b9ee7e6279c47cc92f3d0e9414bc87b6feb024ddcbc52275a47ab8d30dfe

    SHA512

    da3437a113e97bb76d58f64df441163a149d777e83677775642cb30a090f7b9f41229d558497cddba2548434c7e72dc33596cfa56696dc03ab26fb4a004edbe7

    Download Submit

  • C:\Program Files (x86)\Mui\Upload.dll
    Filesize

    114KB

    MD5

    9f45990fec1b4415b6ec180cbafba623

    SHA1

    8db7a82151096c36e3fc5ad740bddbe9ffb522b1

    SHA256

    7e25898a5ad104757d9ab2d2b46d839ca646ef3053e3a2bf4479061e639b6985

    SHA512

    c65410c6e833c812865dbd386865c1a00222e72879babd0fbc54b333b104db89bb6e8e065a4cb5cc3ebcfb7037957096898f890b4d959126b77d3e510f871560

    Download Submit

  • C:\Program Files (x86)\Mui\readme.txt
    Filesize

    40B

    MD5

    4ffa8b4876916115a81642c4be90ea7c

    SHA1

    44e66436fd10dccbefb16f4a4ccab617dc9623c8

    SHA256

    abf78384ed9d107c46017b2185e5565bcf8e8a4871502d7bf921a6168bda9793

    SHA512

    8b828d2cb9787b266858ad9a0499f0cc4a2b9cf4e355cef0e71e508a8794bb2b7da8e1ecc10a27f62c99c8403173ca0a72561e2537c87967011ce860b1710170

    Download Submit

  • C:\Program Files (x86)\Mui\sysmss.exe
    Filesize

    72KB

    MD5

    b5bb26012ccca79ece9e3a33e1dac6d5

    SHA1

    cc58c99ecdd2d6889d96f1169add4ea56bc8f095

    SHA256

    1dd51c8777afe6067b6ba7f40b56ba8b8f82d73d14b6f5cbb4698669659fbfaf

    SHA512

    74f9992602743757792cf87774e315286c1dae868834a67bda719d3eef0c2275578df06ea26f0350c2ba35579dda8ca3b31a541f621e659e2ae61cdcddedea46

    Download Submit

  • C:\Windows\MSSTDFMT.DLL
    Filesize

    116KB

    MD5

    38950fbc15ea45be9b8988d897007fb1

    SHA1

    5aabb9eff890f63c300e0633028b65cd0a93660e

    SHA256

    73eae3c481beaf127017349e0dd03f023d5ed1888b2333b0d562c2522cd34800

    SHA512

    6a392beeb1563977d4b1b39d683f067a6e3ed6af708c598e87fd234b25220c480d0eb5ff5eaedbc573d31fba3b38f7e82dded38824e30be6c4eeb2e40c9061c2

    Download Submit

  • C:\Windows\REGTOOL5.DLL
    Filesize

    32KB

    MD5

    c3ab59f59b12d84af6e5d0239568c1b9

    SHA1

    369d577ffb177d1fd5cd08f4c09861952c030834

    SHA256

    5867810967f63871ec9c34c7aa9e4dd8fdf930438e951c621edbf7ec65d0eb67

    SHA512

    840fb4202ca42cb44ff60953f2e6c0a562c6499555def142273b6f3f2e98fbbc5f2e9ce9cff78b918fe5a8279be179d2e41ba75d24efea33afc9bf7279fd12c1

    Download Submit

  • C:\Windows\ScrRun.dll
    Filesize

    148KB

    MD5

    02016b635e1951eb7ce5d434639e08fc

    SHA1

    dc16249731679f03fd6c7ffef1d02c95d9a0d9b7

    SHA256

    8648112f8908d98beb1f69bc6a3e8a3e3f115805caf322c75f1034b91ab810a7

    SHA512

    50b5766438fc0ec10fcc81cc91cdb463e0286502c386522ce7657d17faca4a40474c74c4cb8ce76e640f772b2cf82975a4db0c10f63ded9085d89f01149eb841

    Download Submit

  • C:\Windows\stdole2.tlb
    Filesize

    17KB

    MD5

    0857394e30de11ca0cd9497e310d6469

    SHA1

    ba35fba3e44040e7b891fa814dceff94d1c1b114

    SHA256

    e2b26b1ad2d439dded0799d195ca918a03ccf22146690577e2704f871c098426

    SHA512

    05309e02b7c427f379f3235d2d7398d53ee35b3f1f9d7f28ad72607c82e0af6163a2def42734666f7e1fd0b67395031632aff9c9af36fb30c0175fad145f1185

    Download Submit

  • C:\Windows\wshom.ocx
    Filesize

    96KB

    MD5

    45a87dbbfb14ff12b81e166147799c81

    SHA1

    95100c112ecaad15b4cd652b99c588f00e6e636b

    SHA256

    e102483d03588447dbf8efdf1bac54ebf1458c50429e39c76c20209b501bae18

    SHA512

    d1d6727fc418ba47d3dec2795906897579ac1abafbe935b077de307e967c34a13e7814ed50f9c517b6cb08753c01f064465d7a72615435bdb9bff314c88de228

    Download Submit

  • \Users\Admin\AppData\Local\Temp\KVTBF.DLL
    Filesize

    29KB

    MD5

    f17ccc7123909fbb13158003edc68034

    SHA1

    f06989a733361ea7f8ad464f4233c4103c6f8ef9

    SHA256

    79f4cded8b29ba5e1ada817322268b5aa4bc1593f39ca9c8be514788709d5168

    SHA512

    632eaf9bad7aadb96e82d458885ed60e28c6544949f0af84502f3f10184cbef26f772f5fc2b6e27e4938f8b414384f56dc5579db7f838acc8dcdb631ee5ecb98

    Download Submit

  • memory/2284-0-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2284-1-0x00000000004F0000-0x00000000005D1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2284-100-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2364-60-0x00000000031D0000-0x00000000032B1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2568-67-0x0000000000230000-0x0000000000311000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2568-62-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2568-101-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download