Overview

overview

10

Static

static

7

ad514e36f0...18.exe

windows7-x64

10

ad514e36f0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-08-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad514e36f03dda43c9056cb30891c4e6_JaffaCakes118.exe

  • Size

    38KB

  • MD5

    ad514e36f03dda43c9056cb30891c4e6

  • SHA1

    ffe7381ee1a4716f11de48b300b36f9f9059c11a

  • SHA256

    14ebec94b490fffbfe2800f04e1bdb77a582f9ca30c5923e0fb278b34897100c

  • SHA512

    bfe4e6d358fd157916488bc37d2a891ecbf3f16617cb7d888eca40577512e95e59c036ff65cc9d791ea28799441cb34fab1e45dbe07a2e69b0e9b76411b4660f

  • SSDEEP

    768:Vo1g8s6A481XR9wBzLkD6Re6JGnY8zrBAxAlYoC8UtDT04U:Voud6XKRyBXkzdYqFMAlYNPT7U

Score
10/10
discoveryevasionexecutionspywarestealerupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 11 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad514e36f03dda43c9056cb30891c4e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ad514e36f03dda43c9056cb30891c4e6_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2256
    • C:\Windows\SysWOW64\sc.exe
      sc config cryptsvc start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:292
    • C:\Windows\SysWOW64\sc.exe
      sc delete cryptsvc
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2064
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Users\Admin\AppData\Local\Temp\1724116141.dat, ServerMain c:\users\admin\appdata\local\temp\ad514e36f03dda43c9056cb30891c4e6_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1724116141.dat
    Filesize

    41KB

    MD5

    dc762f58edc6ffef1bcb3eada8345bb9

    SHA1

    d0a24048bdbc7d30ef1ec656d66c32a9bfd0dfd0

    SHA256

    09ddc0b01f571447050adaf23527e5b751c822a54d6b93ca7a8f089ba0156e8c

    SHA512

    a67d815d42a17b0d78f6d185f953dbf0395798be0ab9920285dec21051f81507f983c723d0c31332d9e1683bfc251d29b059b29c2e15c49d3161761893c2c9c6

    Download Submit

  • memory/2988-0-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2988-12-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2988-14-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download