Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/08/2024, 19:22

General

  • Target

    946730c20ca674471d84de82629e1668_JaffaCakes118.exe

  • Size

    28KB

  • MD5

    946730c20ca674471d84de82629e1668

  • SHA1

    2a02a4096b354ceccf42a14a9a0cbaa7188453ae

  • SHA256

    eb52eb12f874d8c9ed82cc0f4360e734b5a94da6004327ee93f36a763cba2834

  • SHA512

    cd8dec3c3ad2303f21f641a2babd62da22ba6b7f3393eb8795fd5ab0f60308c61b1335467a5d071bf6b628e6873652c700133206ed5c82170680c82ceca539ce

  • SSDEEP

    384:YCMWXgg7FmdaMbPwNXvwJk9XRCK1IvS8Zu4LKyapxdg2VZIkKzkoMuGwS9nYaK4E:Y/Xg7YaMDwN/H9XwvS8F2yMZo4ql

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1304
      • C:\Users\Admin\AppData\Local\Temp\946730c20ca674471d84de82629e1668_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\946730c20ca674471d84de82629e1668_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\SysWOW64\gbvgbv06.exe
          C:\Windows\system32\gbvgbv06.exe C:\Windows\system32\dbr06049.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\946730c20ca674471d84de82629e1668_JaffaCakes118.exe
          3⤵
          • Deletes itself
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:580
        • C:\Windows\SysWOW64\gbvgbv06.exe
          C:\Windows\system32\gbvgbv06.exe C:\Windows\system32\dbr99006.ocx pfjieaoidjglkajd
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\dbr06049.ocx

    Filesize

    40KB

    MD5

    6ba409640610a0d02a24234444c11725

    SHA1

    d7b2b916c59ab0d1d8e950a05db2eb4872205c03

    SHA256

    09924c2e3f12c20f188db312fcc7c2bdb31463c1d9c61bf020be372db5b536bf

    SHA512

    de2516d0052751dea7a07a8a8b96afa06d8d568c7cddc1174c9e54952260b9add77a51dc0d620957437ed574cd083ad47ccc9698a31436ed541c5aabf1672f1b

  • C:\Windows\SysWOW64\dbr99006.ocx

    Filesize

    8KB

    MD5

    4dbe3f485090d535cff13f8733c3b329

    SHA1

    94e15422a7089cef9bd34676662ccc2aa4b44822

    SHA256

    34f9334ba7f3b4b5b78beb34db88b5e49de3395a32e8bd57a19f0babf665f7e7

    SHA512

    a2cb3768ba463cc6519f362a831c061a0ce512fb16a71a2e58f0f9eb88966640169d336c679c35f9fad4fc1eca2d0d2210e351e8345e9a44a6f530a41827386b

  • C:\Windows\SysWOW64\gbvgbv06.exe

    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

  • C:\Windows\fonts\dbr06049.ttf

    Filesize

    540B

    MD5

    b5d5e7b074ce1134ec2eaf053bdde807

    SHA1

    98ef00594d69dcafb4c02df0ad79a1422d74b5b1

    SHA256

    efde2aa71ba499683d9d7400025dec9e51ce041e950e61eb223898ce98e1a008

    SHA512

    775a37bbfe55cbf88e8f8b5ba2bb4b76ce407ac2a1e7ff243eb8f7ca5d012ed52b8b2061d3a3636507fdc2fdf76a03ff86a2e2d20a6208446437d6209b249e70

  • memory/288-9-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-32-0x0000000000170000-0x0000000000176000-memory.dmp

    Filesize

    24KB

  • memory/580-31-0x0000000000170000-0x0000000000176000-memory.dmp

    Filesize

    24KB

  • memory/580-30-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/1304-6-0x00000000025F0000-0x00000000025F1000-memory.dmp

    Filesize

    4KB

  • memory/1716-21-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

  • memory/1716-29-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB