Overview

overview

7

Static

static

3

af907426c6...18.exe

windows7-x64

7

af907426c6...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 14:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    af907426c62eb0e580899eaa6e91fca8_JaffaCakes118.exe

  • Size

    32KB

  • MD5

    af907426c62eb0e580899eaa6e91fca8

  • SHA1

    9287f6df2a92399d059e39a3553939f48503a70d

  • SHA256

    afedc4db8b072902a500ea88700f53644aeb80763faf04c1fd652f7289a486fa

  • SHA512

    bdbf5cc9f1c017f41d640e51d22a7346164d0533a730ed505039ee75055fe2b9940f97ebad8638e76bdcc76acf5a71864b0649b707bdf3eff84042111028e7d0

  • SSDEEP

    192:wxAirqGVgGpnGP1oyn79Yv/QWn5pBjChrRLUPqD92jIps3F4IWehPwhZaYqxiAMC:GqGV3nw1LW5pBjChrBWo9K3F/WeW6xV

Score
7/10
discoveryupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af907426c62eb0e580899eaa6e91fca8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\af907426c62eb0e580899eaa6e91fca8_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\T1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\lzg1.tmp Run
        3⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 248
          4⤵
          • Program crash
          PID:1096

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\T1.bat
          Filesize

          151B

          MD5

          71e26d5791161a29c8f7817799bea839

          SHA1

          0ffc34097b388723ae49d79b23224c5b889b86b2

          SHA256

          91f776099eedb7b4f413521ad88330f8e6875f43f9c3d2dffbb5633043f6db35

          SHA512

          d8d6cbbf2dce96c4161880bb071c71eeb0c99a5f28eabfc51f830e845494a7b915ffaa49b70c0b74795bd1efeaab91b03fcc703528bf62f20e359fe0294c283c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\lzg1.tmp
          Filesize

          11KB

          MD5

          2f03dafe83cb95c3f2f6ea914dbf5a14

          SHA1

          158bf71c4fd21779292d8f15f1cf770f43d62a8b

          SHA256

          2274a6016fd369da9f8951c6c1ef1ed79c4eb7a264e38735a9f948c019925ba0

          SHA512

          9664fa55c2df62846bf8b065530a05a89093e3961ccfc5427375d32a717bd876f0c526fa71542e347c609aa3f56b861c6674f5c7acaaf5405b33439b85f92076

          Download Submit

        • memory/2368-13-0x0000000010000000-0x000000001000B000-memory.dmp

          Filesize

          44KB

          Download