Analysis

  • max time kernel
    126s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-08-2024 22:49

General

  • Target
    a4747e7f29a54182f9eb25ffbbe3fa3a_JaffaCakes118.exe
  • Size
    575KB
  • MD5
    a4747e7f29a54182f9eb25ffbbe3fa3a
  • SHA1
    9845e99bb9836ad35b3df3155bb336e7af79f747
  • SHA256
    a5df26ac15a8125cd3c4b5035e05a8e7ec4b6123cf9e87065f26aa25d005d71a
  • SHA512
    ae15ab6029456fc816083441823ddc431d156269e428e1159856a9f97acb6512fc98ac936b071dcb19daa1e84917550e65286959a4a619bdb34103557a766f44
  • SSDEEP
    12288:ZaEr+K1+F94srm2mQGZXhvXVCpbscjhzrP5e1+F9Esrm2tQGdBcKTOh:ZaLL9ZyPZxvXVC/jhzbR9NxPdBc9

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Modifies registry class 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4747e7f29a54182f9eb25ffbbe3fa3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4747e7f29a54182f9eb25ffbbe3fa3a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1004
    • C:\Windows\SysWOW64\svcspwin.da.exe
      "C:\Windows\System32\svcspwin.da.exe" /stop
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2840
    • C:\Windows\SysWOW64\svcspwin.exe
      "C:\Windows\System32\svcspwin.exe" /i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2972
    • C:\Windows\SysWOW64\svcspwin.exe
      "C:\Windows\System32\svcspwin.exe" /start
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2600
  • C:\Windows\SysWOW64\svcspwin.exe
    C:\Windows\SysWOW64\svcspwin.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2448

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Program Files (x86)\WinsPop\winspb.dll
    Filesize: 79KB
    MD5: 3b7e3190059452e7d4835321cd166039
    SHA1: 75f6ba8997b6954fcc532eb2b7f2d126556f7c64
    SHA256: feb6b7a5e85fd8962996d24deb395ff00c36bb4521956e1beee6d01d0c2ec924
    SHA512: 8548ed798e9edfb22db88c23e3abe6fc96b860688ac72f42e4f1c8a2a714bbd51a8b117c574b4dfec9eb454154661cb378b0cf7a60a6dce3c458b6a0d982d1a8

  • \Users\Admin\AppData\Local\Temp\nsuC10F.tmp\SelfDel.dll
    Filesize: 4KB
    MD5: 7cff7fe2caea5184d98c147e7e263132
    SHA1: 21f39d3d0dd5f7198d67ef30e95d10ae3460093e
    SHA256: 281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101
    SHA512: fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

  • \Users\Admin\AppData\Local\Temp\nsuC10F.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsuC10F.tmp\nsProcEx.dll
    Filesize: 24KB
    MD5: 0216cab025a4ea223141f66cbe14ccaf
    SHA1: b08b563d5fd794e17208912e8237c961bca5516f
    SHA256: c5c30c304347226e4ae6b758ba6ba0589cf1c0aee55886c4354859088bf88cf7
    SHA512: e870aa7381e459e4114529efbfe0a354216b8e846c7c60e550749c6c625b98f8633da5e30192737a5f65de387f9497eebaf6502615cbb6fa16da5b8c5574207a

  • \Users\Admin\AppData\Local\Temp\nsuC10F.tmp\nsProcess.dll
    Filesize: 4KB
    MD5: 8f4ac52cb2f7143f29f114add12452ad
    SHA1: 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3
    SHA256: b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04
    SHA512: 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

  • \Users\Admin\AppData\Local\Temp\nsuC10F.tmp\winsps.dll
    Filesize: 383KB
    MD5: c0da7a6055d7f951a26c5b77461bed66
    SHA1: 6eee24f993c2a2427b534e5ed9e1a8ed887af402
    SHA256: 99987e5adc8c218f4cf2b0e76182310913026310c2a8c7506bcf192e6e14e2c9
    SHA512: f1b9a243aec5313e38e60e0309881bfffa5afdf7cf79018df9bbfddbb4ed904ea7e7eaa69d59f4d065eb5140f94f3dfe08f2360603ff5b728b57cee900142d4a

  • \Windows\SysWOW64\svcspwin.da.exe
    Filesize: 91KB
    MD5: 7be8571e5de6824e8ce1221cde75ec5c
    SHA1: b95bb307f583c2fe306d61e3458087eacdc3e5ba
    SHA256: 1d4606b3e46bf9934c173843289f268dc6cda6ab8ec54bfc80deea8ad7c67b05
    SHA512: 270cfcca3d569d65133fbbc3f9a84fdd8fc16213aef3a29bed82bc58938f8b72c4d99bd9f2641a95e3c08e466f63820675d6b5cc5e1484de45d7f238057c99ef

  • memory/2320-5-0x0000000074AB0000-0x0000000074AB9000-memory.dmp
    Filesize: 36KB

  • memory/2320-29-0x0000000002820000-0x0000000002883000-memory.dmp
    Filesize: 396KB

  • memory/2320-59-0x0000000000B80000-0x0000000000B94000-memory.dmp
    Filesize: 80KB