Analysis

  • max time kernel
    143s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-08-2024 20:28

General

  • Target

    9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe

  • Size

    34KB

  • MD5

    9fd10745e0e2de606ca664553149ce2e

  • SHA1

    5cd5f804fb25528f78f0afd7e131fc7db9aae468

  • SHA256

    5383cbe6a2c2e664aa30c5aff3d576af7e765fb7ebb0cdb0d5de7d599ea0da94

  • SHA512

    38cad49727d20d751932a34eef59bd5bf0f6bc77f0b16737c849f83c51fd2aee5c87abd303bbf8746ac2c1fc342d647ab1c292326797be1d1a14c74607e74bac

  • SSDEEP

    768:YPVxpVcS9gV4pa5MUtsw7GPs0m2jnaWfunmT:uxpVcS62cvmw7GPcsaJ8

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 6 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\lockie.exe
      C:\Windows\system32\lockie.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig.exe /all
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ip set dns name="????" source=static addr=61.38.252.108 register=PRIMARY
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2816
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ip add dns name="????" addr=219.87.170.14 index=2
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2840
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig.exe /all
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:1188
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig.exe /all
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:896
    • C:\Windows\SysWOW64\lock.exe
      C:\Windows\system32\lock.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig.exe /all
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ip set dns name="????" source=static addr=61.38.252.108 register=PRIMARY
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2384
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ip add dns name="????" addr=219.87.170.14 index=2
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2724
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ip set dns name="??????" source=static addr=61.38.252.108 register=PRIMARY
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2408
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ip add dns name="??????" addr=219.87.170.14 index=2
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2208
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2736
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig.exe /all
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd

    Filesize

    346B

    MD5

    42d9fbc7d0ed316cebb137610d6bada9

    SHA1

    0356d4ca0c086e503681400f0bfbed8b4df99ba2

    SHA256

    56269ccbe1626753ce19500448778901cce9fe46b5414c66844cd94da474d02b

    SHA512

    e3eb05fafc66459972871048fb469539aea149960e2a5f7ff6f5434d36a381d0cb90e9d2ee30bb37fb498d36df93282f97fc5b140224e804dd8928febfb66128

  • \Windows\SysWOW64\lock.exe

    Filesize

    12KB

    MD5

    3e134484817b081eef906eabeaf4d4e6

    SHA1

    87a21cfe9a15a7b6678371341bd9d1fe8f36612d

    SHA256

    d5139e0fc1d889755a100e7ab69851742a65e0fe76bafca80d56eed97e0250a8

    SHA512

    b6cffb797a801697a6161f7934cbaf108d98f0ca935e34b9cd002cd6a566649da295ab56ff703a2346da1d33816d467c767435e542f7caf330796521f54c6b4d

  • \Windows\SysWOW64\lockie.exe

    Filesize

    56KB

    MD5

    4292bd9215a26d6e087b91dbb1ae33f2

    SHA1

    a1094e480b7062bb056abb5ee741bd2cea5706c1

    SHA256

    479b340b0a020b8a438135a814ed20388e052cfdb50b615ab634015a040e0b50

    SHA512

    c4e9c1e5e06634138726b320e4c6541ec35725be8db56209854dc15e597a2d0e0e7de2007488cb2afc7e0d342d62559355a3b26d325f7a9307e8ca836c2cb5e5

  • memory/2604-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2604-16-0x00000000001E0000-0x00000000001ED000-memory.dmp

    Filesize

    52KB

  • memory/2604-23-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2796-24-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2796-38-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2796-39-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2796-42-0x0000000004C50000-0x0000000005CB2000-memory.dmp

    Filesize

    16.4MB

  • memory/2796-43-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB