Analysis

  • max time kernel
    146s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/08/2024, 21:48

General

  • Target

    a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe

  • Size

    957KB

  • MD5

    a0105c6ab812844353e357c9ecbc105d

  • SHA1

    ef5f4bab7171161fc6f23fe22bfa9e97c31f3aa8

  • SHA256

    ddd3f56b7d57c1178c4684027b326c3df10787d6f90baff3d3237b429334f6cb

  • SHA512

    ddf656580edb879643cba739c655647a3d8fd2ebe73c3e603300007087618cd2242517a1617d50993aaca9a19a8712a9084b7b639054873d02071d540c8b24fe

  • SSDEEP

    24576:66P9dgXF1lz4HqrqCEpsKe7XO2JFUc7w81qdZwC:66VeFujXGKe7XO2JicUx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.soft-show.cn/setup/setup.asp?id=CCBAE3F0598FA5C68CCA5315EF9169777F4FB1ECA4F678B2&pcid=7DF35D8B5C4BDDE57D99C86CF393FEABA68F2F99DADD782A150D0227BF722509CACD771D03F0EE3574C7BC4D40ED370D&ver=1001&taday=1
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4068 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3440
    • C:\Windows\SysWOW64\jsphelp.exe
      C:\Windows\system32\jsphelp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelSelf.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2912
  • C:\Windows\SysWOW64\jspplay.exe
    C:\Windows\SysWOW64\jspplay.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
      2⤵
      • Modifies WinLogon for persistence
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:2300

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\DelSelf.bat

          Filesize

          228B

          MD5

          a0a2332b7c3daf1f55673aa1132d1652

          SHA1

          b10ea57ba60e4f7e23292963e83073a152954643

          SHA256

          2c3c0833f3f1e649d2a7d2d46c82f5883e5185712d8bb766574835174499aece

          SHA512

          5c02890791ddc22a3088cce8e174390fc166c274ae64546498212d67d3ae5d29787291cb1bef0cc2d968b966b0e48444eb037123406a14e9158f1e34a0f15149

        • C:\Windows\SysWOW64\arun.reg

          Filesize

          150B

          MD5

          ed7b7db6f213df4e24b1b7f1821644e0

          SHA1

          31fece6abef02fc21b80fc0d525a4c681d0ef412

          SHA256

          2e0b3b6154fe67421a61f6c8b1d94901f25601efc0f80d627fc87eac38c3cfdb

          SHA512

          c654b62a61b606b65c4fdf6f5664708485ab0c52896100e6569d4d14fcc09fb7126be843ac4f91006eaee97cd7ad5b9fb83461a2e31cfec8d6c8e37d857421d7

        • C:\Windows\SysWOW64\jsphelp.exe

          Filesize

          367KB

          MD5

          d72c4f4ee11cd376407794569f0ecce4

          SHA1

          5e3d4b3d7a33bac8d4f0e003912836527f61ca91

          SHA256

          056d6b97cb4285a1e36697b19e86f8fa5d7d090a71e1fcc4903f7e0d69a3304c

          SHA512

          41825c189672d316f0e58909f0dd3cf25069ba2a3611b336157a167a0f38fc0b0ace26c77f6ee5ae5c22c6c10a55778b43eabb8dae8aba0eff1159cfd29607a0

        • C:\Windows\SysWOW64\jspplay.exe

          Filesize

          408KB

          MD5

          7624208d3eba7ff91943a426ee892a87

          SHA1

          b46703dc3c685b7b20ddc961c1fbe4dfc8dfdcdf

          SHA256

          7dfc785d59c14e407e6b54fae4305dddd5af639225368f76a87fd15df8fbd76d

          SHA512

          bbfc6cd1a4e6865b08d48992cc20ecc7395dbc4dc44fab6fe314dd6d1cad54a33d214436be3817fc096dcd0442493d0c98a53d1886457c39f6bda4fd79bb95c6

        • C:\Windows\SysWOW64\jspshow.dll

          Filesize

          1.8MB

          MD5

          906884857eaa2353a332bfd22c848616

          SHA1

          e83a26d209969ffde57aca86d650cfcea6dfe036

          SHA256

          2f4e8b4aed1aebedea5588e509a50fe56c1a3ec9db4dc3b503bfbf1c5ddf56f0

          SHA512

          fa1ddd147b3abb63321dd554e14768110d1df2e873dd27d38ee611ee94cabba9beb1e05dcc33177ef818c89934fe2fc861c1ce50768a1fdff8f835196941b174

        • memory/1052-22-0x0000000000D50000-0x0000000000D51000-memory.dmp

          Filesize

          4KB

        • memory/1052-43-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/1052-42-0x0000000000D50000-0x0000000000D51000-memory.dmp

          Filesize

          4KB

        • memory/1228-30-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

        • memory/1228-29-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

          Filesize

          4KB

        • memory/3292-38-0x0000000000400000-0x00000000006AC000-memory.dmp

          Filesize

          2.7MB

        • memory/3292-28-0x0000000000400000-0x00000000006AC000-memory.dmp

          Filesize

          2.7MB

        • memory/3292-0-0x0000000000400000-0x00000000006AC000-memory.dmp

          Filesize

          2.7MB