Overview

overview

10

Static

static

3

bb6193012c...18.exe

windows7-x64

10

bb6193012c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 10:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bb6193012cbb778a7f50179459827929_JaffaCakes118.exe

  • Size

    9.3MB

  • MD5

    bb6193012cbb778a7f50179459827929

  • SHA1

    403a943e2924fbcd7da71de674cf75e83048c5df

  • SHA256

    97b7f4befd9c908ab3ba2aa80d5b64ec6468d740add89c6dae8b9b089e8b2abd

  • SHA512

    3be40208819c4f2f86eaf4fba8ec10c9f6f07b101da848f636c048dd71bb9e73d6edc8d5d367451fc5bb287e573e6af567b0da78030a7caa3f6a45b84d9b3a14

  • SSDEEP

    3072:X/NvCCDFcKR1px064LZui6fAMyDdnewv/Yb:laCBc61px0652MIewvQb

Score
10/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
    defense_evasion
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb6193012cbb778a7f50179459827929_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb6193012cbb778a7f50179459827929_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\bb6193012cbb778a7f50179459827929_JaffaCakes118.exe" "C:\Program Files\Common Files\Program Shared\Isass.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      PID:3248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v Shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\Program Shared\Isass.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\SysWOW64\reg.exe
        reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v Shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\Program Shared\Isass.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:3776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v Shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\Program Shared\Isass.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\reg.exe
        reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v Shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\Program Shared\Isass.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Program Shared\Isass.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Program Files\Common Files\Program Shared\Isass.exe"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Program Shared"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Program Files\Common Files\Program Shared"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1332

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3236-0-0x0000000002A80000-0x0000000002A81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3236-1-0x0000000000400000-0x0000000000D45000-memory.dmp

          Filesize

          9.3MB

          Download

        • memory/3236-3-0x0000000000400000-0x0000000000D45000-memory.dmp

          Filesize

          9.3MB

          Download