Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-08-2024 08:57

General

  • Target

    b70bc828ed21d0b50168c79bf1502625_JaffaCakes118.exe

  • Size

    93KB

  • MD5

    b70bc828ed21d0b50168c79bf1502625

  • SHA1

    ae014f96cbfaf9285c65c5376bac35d0eec5d35b

  • SHA256

    aab369b4714433ba5488d95a152c5f965ae71bcc884f06b18c95f5bd38e04564

  • SHA512

    28403ecf3eacca779b4bcd38fcf358ba2c458714651e31b4d6f013a1fd5f31557ec2485686c567cb7165ccff9c2aec9be8fa151f83da60bfd0ba604418423ba5

  • SSDEEP

    1536:P7qnkAQtSaoGo5n4iLG0/WM6HGHSaYqemmjxe2uC+ysafJKN:eCSjGoLpWM6slmjxhu4JxK

Malware Config

Signatures

  • Renames multiple (177) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\b70bc828ed21d0b50168c79bf1502625_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\b70bc828ed21d0b50168c79bf1502625_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2536
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2280

    Network

    MITRE ATT&CK Enterprise v15

    Downloads
