Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/08/2024, 17:49

General

  • Target

    abfb5b91e191cb0d210ce1271ee435b9_JaffaCakes118.exe

  • Size

    476KB

  • MD5

    abfb5b91e191cb0d210ce1271ee435b9

  • SHA1

    fe990cbf26400817220ad23ee8ac4995d1388de5

  • SHA256

    02f51e8906ccc227e701515da3f91b600f6e56e9deec811a6ce25ebc3b7af106

  • SHA512

    5500efd0e53ba7cfc0dbcdb34409ceaeab24f05846a05bac9266887c131ce05572e9f1e7bc3262cada6fa60dc4a4b287c00b03a6b2f0fa8db413382c7e28e7fd

  • SSDEEP

    12288:ak8HAXwdAnc2i+zinpRUF2oMPze+0gKG3UPPxf:azgXwd7F+zinj2lM6+0gL

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abfb5b91e191cb0d210ce1271ee435b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\abfb5b91e191cb0d210ce1271ee435b9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\ana7e3.exe
      C:\Users\Admin\ana7e3.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Users\Admin\siiqed.exe
        "C:\Users\Admin\siiqed.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del ana7e3.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
    • C:\Users\Admin\axlog.exe
      C:\Users\Admin\axlog.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Users\Admin\axlog.exe
        "C:\Users\Admin\axlog.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2124
    • C:\Users\Admin\dxlog.exe
      C:\Users\Admin\dxlog.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4352
    • C:\Users\Admin\fxlog.exe
      C:\Users\Admin\fxlog.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:3676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del abfb5b91e191cb0d210ce1271ee435b9_JaffaCakes118.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2332

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\ana7e3.exe

      Filesize

      228KB

      MD5

      290efbf2f76c4ef6f2a4b21f68b29888

      SHA1

      3a6454771d5975be4bb806738dca76ca4f8faaca

      SHA256

      e61900f8b18ceb66802b0058a24677f6396df1c0ab8a4ac2281fd47929fbaf24

      SHA512

      c23a40effe75396e7a4d3eea5ffdf0807c076598fda76ea399e320731c56835bee19e3ef4413d7965c17e976cf9a06d0694f4fbfbb4917cb28b0fb3627e5b008

    • C:\Users\Admin\axlog.exe

      Filesize

      76KB

      MD5

      925c20785e84c26666346a44251104c8

      SHA1

      2dd55917d669a1165284e1344965a7c35c5c552f

      SHA256

      7f8af46b5be6d1240777d240352f20c33e41f41f0334c02643aa7890c5d88f1a

      SHA512

      67b2a7d986793d1d18d63a5697c0a6f018211b3c01b481ff95663fd874ba14c8bc96f3695022d4637e4819ad669eb3d08e3f267c9631af2c4871982a49df958b

    • C:\Users\Admin\dxlog.exe

      Filesize

      48KB

      MD5

      64babba1f00427096c6142b81e05c9b0

      SHA1

      9afad4f72b5bdd4ef164d02f824c7b2be5d732c6

      SHA256

      5d2419c5555890192f5b966fb24316778d1ce27728aecab0557225945ea2d6c2

      SHA512

      7abf1d9d83066d1c938a040cacb9da852ca0f7660520840b045d761d2781b7ba1263ecad9178d17026c63c26e45cafad59d3f18afc6d349fb51c06936ec785b0

    • C:\Users\Admin\fxlog.exe

      Filesize

      270KB

      MD5

      790180622412379c23115e59fb7022be

      SHA1

      012b064113171c300519a4f7f10beb15c1c285b2

      SHA256

      f00f2d7ae9eb7ee10636f29acd947da0f1235574c6dcd918e5dc5358287fd613

      SHA512

      039c8da89d65d58ae021ce4532c842fcda357d5b2580b28d124c76d29a67374414dacf574bf209c044e04819d52e6c4521ed24546b4bfb06aead7a3cfc1e99d4

    • C:\Users\Admin\siiqed.exe

      Filesize

      228KB

      MD5

      23dbcccdf0e4caabec773777a47d37b3

      SHA1

      7f185991ad0f6b6e37bc61215e4182f30380ee92

      SHA256

      0c1bf768a07c6ee793328d258df0e8c1ff51b6d779fb4d87f5231344726c102d

      SHA512

      15976f87e779014898d72b08a309c4e7b7229c580e97d213a2f7fe6c6f6db6f525c8778660d739ac20c1b88b1702e6fade8f6e1bb929c033eb512bac9fb2e6ba

    • memory/548-76-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2124-47-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2124-51-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2124-50-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2124-53-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB