Overview

overview

7

Static

static

7

bea5b3ff1e...18.exe

windows7-x64

7

bea5b3ff1e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 13:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bea5b3ff1e868daddb151fa9011d8597_JaffaCakes118.exe

  • Size

    77KB

  • MD5

    bea5b3ff1e868daddb151fa9011d8597

  • SHA1

    ce81cb8751cd6c61cfd598053d503f8b9b7a877f

  • SHA256

    82a2245afdb9698bde2c651b73cf7a09bfd9f80762e276513a239f80f8f541f9

  • SHA512

    0e8c652f645766dcb9d0a5448271c7aff68cc50684eb4a008c8242b130fc8245a6086cc8263449f8c69b4184a3f1d8d4a09112a0c8b53a47c39260217ee29278

  • SSDEEP

    768:3KYCreZjBgMQEno9r8UZX8pBsHAh5QubmFsizF8e:u0nQjmBsHAbqFsi6e

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware
  • Modifies registry class 29 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bea5b3ff1e868daddb151fa9011d8597_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bea5b3ff1e868daddb151fa9011d8597_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regedit /s c:\reg.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\reg.reg
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4336
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.520921.com/1
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4056 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regedit /s c:\reg2.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\reg2.reg
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:4640
    • \??\c:\windows\SysWOW64\wscript.exe
      c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:4612

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          e0bb119b734bd28ccbf31009397367f5

          SHA1

          54b097cc98bfe23500e25603d088a6b3eee7c97a

          SHA256

          05dc8c8c93f13fcc388a93f5cf37bc6b3ce00112b91204a8349f6e5c739f3036

          SHA512

          37648d6d957b5ae64cc5a459d144ca693b63a83885b19221c153b0aba0bd7aff392ca75b375bd2d7a7f8be02de0bba804e50f3afd95e73a4357089cc32aba147

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          bc0c034bf2c1b43950d1defb6195b229

          SHA1

          6b599b7c672525144334a63c32e9eebb976ea239

          SHA256

          f85c3598a2c8792e673a036bbadcb19600bdb5c6c5b8f193dc67da728a7a5549

          SHA512

          12a72849237fb941d316354afa4160b290537d9ae9c60c9aac8eb0444e06372c44c347a90459a89a4b3efd16d58c6320299f3c1d2f2efebc98d866ed48710aca

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Killme.vbs
          Filesize

          289B

          MD5

          3dc24f7968ee4550516cbdc82f5211e4

          SHA1

          568dd769f6825493a99697362f88537668f2cb0f

          SHA256

          cc67cde513016bc30148a21a794dd46f5f872e1177c90e33ff44db4e9df29aec

          SHA512

          9e90a92bac0fafe29f3d2c3776ae2dfc9b737064d45e3bf0767d16dbe2ba891d2e5664ba41434eb2f50aecaf00820c27eae8dbc5f5dde824a9277a5ef917b6f8

          Download Submit

        • \??\c:\reg.reg
          Filesize

          195B

          MD5

          d074af1950aed38a9507428f23df9ad2

          SHA1

          0313b03e880b283cfacf64aea25c54259d388201

          SHA256

          5f3cd51950de3b9c7f8bb8a14cf5c39f3d480270d89a7c8fabb54900c9c34ca8

          SHA512

          484029eb461a182a9b088f9912047d455749381eab696d15af719f020f4982b6a331b20f1ab5437a8f9312724770ac26791f83d20c79e0e1b1340e53d1122fbc

          Download Submit

        • \??\c:\reg2.reg
          Filesize

          450B

          MD5

          2944837920fafc0892eb196e7d774b23

          SHA1

          31269a61616a0064576e0e6a93e23722cf5a2057

          SHA256

          1c2c0c933e0023e7a24cdd4dd5bf363b00449094d3dc9ff3e7188d893e2580dc

          SHA512

          027b5677254eb8582a672cee88cd5c82dce09170fdc2fd47e9dfaacbd29b691719a5c7ecacbae1fb8c3a5d4a5243e9d3aad64be63e9c788e01f6dfd24f0e003f

          Download Submit

        • memory/2664-0-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2664-9-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download