Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-08-2024 20:00

General

  • Target

    bcf6410367ba7373803b194377926e3e_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    bcf6410367ba7373803b194377926e3e

  • SHA1

    5b04538ea1ee3618e5769553e3550bf1421199e1

  • SHA256

    be60b72472e99274278f5fab37e61de17639b68bcd89dfd27c11b5cfae422dbc

  • SHA512

    c9ce20b4e78355fcd7d89acc39a9dc706fdee09debc10058dcf96816d8216cf25cec1c2a749a0d8cd7b468c0df2c8861448b20ffcc577531e99fbba3203fc92d

  • SSDEEP

    384:y0FLg2MOlzoGG8bIuewoxPUm0x1bUVvsSAQYkfBH9EI+z4VPsxVrXm:JFLJoGBa0x1bUVvsSAQNfBH9Ek6xV

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcf6410367ba7373803b194377926e3e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bcf6410367ba7373803b194377926e3e_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\259482952.dll testall
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\SysWOW64\259487476.exe
      "C:\Windows\system32\259487476.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 212
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\kl78a.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259482952.dll

    Filesize

    14KB

    MD5

    962cab8783e4346bf2fd5ac1530a820e

    SHA1

    e5fa0795fafc737f13746ef09b63549bf965a627

    SHA256

    d443d789343c7509885062da36ca881c436bb4a0ff2e1facde138727b5c5699a

    SHA512

    5047c747925f6fc792b6929d19706fed5517a002a8bbf5a7c69d3142e5614b80b53c02b585846002a17e8433cf7c415852bda4abeaa77745c4048c376c6301af

  • C:\Users\Admin\AppData\Local\Temp\kl78a.bat

    Filesize

    2KB

    MD5

    b440fe9b5686af21d932535002c2cc9d

    SHA1

    18f11a7381198986def57381752a287244486db7

    SHA256

    340673e7e396319403fac45cb87c5557398abae057ca5403e90ef7cb95588ebd

    SHA512

    79a96b611a7e7f48d4afa5dc9a1cef0d389b0f46126dde0c31bf649fea823dc75de349d6072f9fa3fab269206702d90569e506f1f9b917a395b05cf875b35c67

  • \Users\Admin\AppData\Local\Temp\ope7761.tmp

    Filesize

    1.7MB

    MD5

    b5eb5bd3066959611e1f7a80fd6cc172

    SHA1

    6fb1532059212c840737b3f923a9c0b152c0887a

    SHA256

    1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

    SHA512

    6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

  • \Windows\SysWOW64\259487476.exe

    Filesize

    12KB

    MD5

    adad2af653609e721ae9f1ceb893f152

    SHA1

    30b29a0fa15bb5cf0cf48c683cebad42d463575d

    SHA256

    7b2e4ac04e9bf236f3edbd21d18ef964a8203b6235fc4cfef04241271f5865ef

    SHA512

    10809d33e61968eff0d9c622d9741e6219877d1931306fbd55a7afd3a1cc3cee57dee690edfc2953e4164647812b4b054f793e4d7b28c9278881af343555f162

  • memory/2752-7-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

  • memory/2752-8-0x0000000010001000-0x0000000010002000-memory.dmp

    Filesize

    4KB

  • memory/3024-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3024-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3024-41-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB