Overview

overview

7

Static

static

7

b52e74ca48...18.exe

windows7-x64

7

b52e74ca48...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b52e74ca48c5dbb15ebf25aac105df78_JaffaCakes118.exe

  • Size

    499KB

  • MD5

    b52e74ca48c5dbb15ebf25aac105df78

  • SHA1

    ed0ae2ab4b361bbbd2590980c5217cc0071faa09

  • SHA256

    83decab6036e5fcbbf51b0f916d7579c39d41e46c5de5a0caaa7a426edd406a6

  • SHA512

    e25bf999464e8d8d9fb8c8c8d76b5bb94dfc93d248fb7dc7b9bb0dd1d7e668c4eaca319e155c78fbd90b1e94bb1180c3d068231177b9d2c73168f3da545c6200

  • SSDEEP

    12288:inr7h990geYudDLMzNvNrKlnnFILzBxwNOoS:irjeYuFcNl4nFCs

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b52e74ca48c5dbb15ebf25aac105df78_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b52e74ca48c5dbb15ebf25aac105df78_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\ProgramData\jJ06509FiBdK06509\jJ06509FiBdK06509.exe
      "C:\ProgramData\jJ06509FiBdK06509\jJ06509FiBdK06509.exe" "C:\Users\Admin\AppData\Local\Temp\b52e74ca48c5dbb15ebf25aac105df78_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\jJ06509FiBdK06509\jJ06509FiBdK06509
    Filesize

    192B

    MD5

    3d296bcdc715e4430194be2e9cfa9c39

    SHA1

    91e54ff2a3c21ade72171757bfdac727426675fd

    SHA256

    401dd8f7950717ad1d689be0ac681214f7b4ab7a31d465800469876a7093cd4e

    SHA512

    8e55feede8e51a02ae450e89c34c10c182f217506c78b1ba54766e20ee0d5cb35771560b31eb934c6230edeadce2cb3eb89245ebf3a7e8899c407955313fa056

    Download Submit

  • \ProgramData\jJ06509FiBdK06509\jJ06509FiBdK06509.exe
    Filesize

    499KB

    MD5

    3e94574bc829271ef014278125d6d747

    SHA1

    3123fa35e7d72afe80b28bc8441a607c9f5cc3cf

    SHA256

    81ac33bc2de8ddeb2c7624505c9707ec38433462a70e2bb3ae02f360acd18536

    SHA512

    ba907a7467297dbca9eb2999faa375547c5c035862a4a1376716961d3b85e82bb13175b0ca28a47af2d4f4c0de26eae2be7c5b58cd676afe9bac5b80ee70fe87

    Download Submit

  • memory/2624-18-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2624-40-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2624-30-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2624-17-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2836-16-0x00000000029B0000-0x0000000002A78000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2836-0-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2836-5-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

    Download

  • memory/2836-21-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

    Download

  • memory/2836-20-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2836-1-0x0000000000330000-0x00000000003D5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2836-2-0x00000000004D0000-0x0000000000523000-memory.dmp

    Filesize

    332KB

    Download