Overview

overview

7

Static

static

7

a37e2dafe1...18.exe

windows7-x64

7

a37e2dafe1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2024 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe

  • Size

    960KB

  • MD5

    a37e2dafe191e2b5032816242f442fee

  • SHA1

    d71d8488eaf31ab93eefd44833f93a32c063f479

  • SHA256

    a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371

  • SHA512

    de25c76803ebd5296ed06fde3c648168da225150d5bf09766747beee0351b34ffb4e8832f333b46cda0b1ae426175565674e78d6838a6d874eaa748465cec094

  • SSDEEP

    24576:HwU/UwhWvS3u9OvUisQM6GcC1pfnnnDolPNl3HpM5b:HZU8W81vdMcUfnnDIZpMB

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Program Files (x86)\F32411\shdocvw.exe
      "C:\Program Files (x86)\F32411\shdocvw.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files (x86)\F32411\runer.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v shdocvw /t REG_SZ /d " C:\Program Files (x86)\F32411\shdocvw.exe " /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2744
      • C:\Program Files (x86)\F32411\svchost.exe
        "C:\Program Files (x86)\F32411\svchost.exe" /stealth
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Program Files (x86)\F32411\svchost.exe
          "C:\Program Files (x86)\F32411\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1816
      • C:\Program Files (x86)\F32411\updater.exe
        "C:\Program Files (x86)\F32411\updater.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\F32411\lst.txt
    Filesize

    7KB

    MD5

    5c75256ff15177fadac5c895c962b733

    SHA1

    e90e0c7a8be93e60dc3410157c38d7d3f732b88f

    SHA256

    62f1c6afca91811f41c42ddb85464a4ddf0787793a079a68587c1a0f0b53c5d3

    SHA512

    f2c18915b819fe7d8362a1875a360e36402245eff7e3980f628b0c0a07194378a0c7096e14ffe111bbfe56b46f8cae9c2a1b7993eda08e997da308cd313bf9cb

    Download Submit

  • C:\Program Files (x86)\F32411\runer.bat
    Filesize

    156B

    MD5

    f3e9a25858e6789aab82f2505bdcdce9

    SHA1

    f468def17a25dd1eb7a607cfbfcc722a67614211

    SHA256

    bb83f3eeb4e33ed9200a691c9eec50788ae778cf983b7c92a1393f9dcfe1c49b

    SHA512

    87dd5519576a7a339b1626e6f1c3a669f5ae30582db4cd365e0ff1fc9d40343eab03239bac14a2f04bebb214087c0f946946a70c91e16af45d2437e0c88c724f

    Download Submit

  • C:\Program Files (x86)\F32411\shdocvw.exe
    Filesize

    960KB

    MD5

    a37e2dafe191e2b5032816242f442fee

    SHA1

    d71d8488eaf31ab93eefd44833f93a32c063f479

    SHA256

    a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371

    SHA512

    de25c76803ebd5296ed06fde3c648168da225150d5bf09766747beee0351b34ffb4e8832f333b46cda0b1ae426175565674e78d6838a6d874eaa748465cec094

    Download Submit

  • C:\Program Files (x86)\F32411\svchost.exe
    Filesize

    535KB

    MD5

    57c3d3cd8d2c2863ce09cd1f41836718

    SHA1

    4ad095d123bc76f1082bbc66d20bb8836df712cd

    SHA256

    3932741f0829f9756acd0ef8c549b6b0676f0f61293ea3ce91440370ca8f8dd4

    SHA512

    380788dccd69b8261a47bfe0dc7498ab72e32ba614f534e50de64366c3a7627fcd04f49df590196ad19bb8e1b0d3bb5f1749f3da4029690e2363f1661ebd8f42

    Download Submit

  • C:\Program Files (x86)\F32411\svchost.ini
    Filesize

    2KB

    MD5

    105e7661bdd36e28fc3c27c4341102b2

    SHA1

    03a755308fbf950ddc1d0688cc23459a21c5b68c

    SHA256

    fb4aefac91000329578fd8d0c10ec6447089f6f6e188ef179fa1eb46cf2ce725

    SHA512

    71f8317580e8def23bd46bfd56d4866afb79e5cd8047f495b7e67a03f36e36b279c07fdabd35c075b67adfb2ca17c569337379bdc5d8a205a5baa84aae2345fc

    Download Submit

  • C:\Program Files (x86)\F32411\svchost.lst
    Filesize

    3KB

    MD5

    6633c83586f4a151e96f5f16a6ed5f2d

    SHA1

    67b3a005850bd38d5307e33265cf01996a9c0bc3

    SHA256

    8487b174b6af820bc7ace695729df7e2ee56f9f012b9ac6667fa58b0d75c8444

    SHA512

    4e9fc8d78e979d6f4cf5eeef656f4d07105f619912fa3dcc53e86952606ca3ebda3bb0eebec849fbbe295a612ce49e8590ad8c48424facefbc1e059468895f37

    Download Submit

  • C:\Program Files (x86)\F32411\updater.exe
    Filesize

    202KB

    MD5

    fc438aff60f8040bfee7713a4ea2fc5d

    SHA1

    02104d5d1c56897fe1de0f63db35aa9094af533d

    SHA256

    697bd104278f0bc1ae965a3fe415db2d19729ac15bc7f68e826401067537894c

    SHA512

    d2e55a0006e1f35e44124a6911c394849c59c6d4dd6e1dfaa3c9298589186465b88b394c406ab4150ae86d8a61f61329d4bf3879cc81323c19e152e9babe4f17

    Download Submit

  • \Program Files (x86)\F32411\Plugins\Uploading.plg
    Filesize

    35KB

    MD5

    b53aa2d38566d4e21c3c914c2aa650f6

    SHA1

    2d1e2add2c7b0dcc5cb1cc124a4bece34854d11d

    SHA256

    925deb907ac4b6988c3da7acd5a12456bd544d40327ba26d1841ce0d9d4ed1c4

    SHA512

    35d3899d58c4cb8d66566903091a587a32c572bd86da48642b3405218624a2384d3360fc528aeb43f3b77ec1170b16c116be2bf49fe79a7608c59caf81f8c95a

    Download Submit

  • memory/1048-115-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1048-131-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1048-129-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1816-150-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1816-157-0x0000000000710000-0x000000000072D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1816-151-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1816-153-0x0000000000710000-0x000000000072D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1816-143-0x0000000000710000-0x000000000072D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1816-164-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1816-133-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2392-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2392-10-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2924-126-0x0000000000380000-0x00000000003F4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2924-149-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2924-127-0x0000000000380000-0x00000000003F4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3024-112-0x0000000005FA0000-0x0000000006014000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3024-119-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3024-108-0x0000000005FA0000-0x000000000611F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3024-109-0x0000000005FA0000-0x000000000611F000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3024-12-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download