Overview

overview

7

Static

static

3

bece0096e6...18.exe

windows7-x64

7

bece0096e6...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 14:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bece0096e6106a556703933f3b18afc4_JaffaCakes118.exe

  • Size

    32KB

  • MD5

    bece0096e6106a556703933f3b18afc4

  • SHA1

    69adbc926ddeb86d792d4372ca3691959d60aa1e

  • SHA256

    e6ea34c2d425dd185fcc2dc09a9a8af25ea4f1d328fa3b2198903ba4f171c001

  • SHA512

    625a1b42017b67ea3c24ff88c87bb1a3e140e1d823225f7836402e78d0ab54f06d0f232645ccac2c7af22e787534fce2eb74838bdd70e0170a7bd94f6615b9ac

  • SSDEEP

    768:ssPg0f06K8wyexCf/12mG9eFN/lxQVcU2HLPW2:PKZye0HEexG8zW2

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bece0096e6106a556703933f3b18afc4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bece0096e6106a556703933f3b18afc4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\16136.exe
      "C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\16136.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4940
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\15965.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4936 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3332

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          e0bb119b734bd28ccbf31009397367f5

          SHA1

          54b097cc98bfe23500e25603d088a6b3eee7c97a

          SHA256

          05dc8c8c93f13fcc388a93f5cf37bc6b3ce00112b91204a8349f6e5c739f3036

          SHA512

          37648d6d957b5ae64cc5a459d144ca693b63a83885b19221c153b0aba0bd7aff392ca75b375bd2d7a7f8be02de0bba804e50f3afd95e73a4357089cc32aba147

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          7872d1e88023bf493c263ed587001829

          SHA1

          751edc53a8ce210cf69c59547de6b32abce09d67

          SHA256

          76e06ffe98b4c99234b4dda037220188c448ab865dc9d685ff7783c4444883b2

          SHA512

          46d0b7125a080b1b7bd82feaa881dd27b4d922968dce70eb0c4826ebdd55fe1612b367f646ea10bb46f311b408efcb07b63f17452d229b759c7cc4bcdf3eba73

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\15965.gif
          Filesize

          132B

          MD5

          9d86d0ad08395cff7ed41b0277c27104

          SHA1

          ed245a57604afea6e4d85ef8aa590999efb85086

          SHA256

          3d0318b69a55942931dbd2a3ac0f1a3eaf1ec7bce8819595a50b8049ea5c6846

          SHA512

          6681e2f55ea7830b7300968cfc48085414143b5d34424f3bbfe87fb129e9b8630c4fa7b83ee4c970bbfc290a9e59931fcda02f062f1adf9a507755cb45a962f6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\16136.exe
          Filesize

          24KB

          MD5

          cae3babb106d88975993a857c5a260b5

          SHA1

          ed39b37a67023c1e07f0ac024e162c7d16fa976c

          SHA256

          1d3bf97dee148cd26adf6a30338fa1b4cd843712466fabb9fee153d917b53595

          SHA512

          26fd4398bf429879bd29942345dc0965078d215a4a9154f21fe94781650951ede822fa81cf8613dc931d7af837687698919e2c661019879a55e13c922e9ba9db

          Download Submit

        • memory/1800-11-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1800-25-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4836-0-0x0000000075172000-0x0000000075173000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4836-1-0x0000000075170000-0x0000000075721000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4836-2-0x0000000075170000-0x0000000075721000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4836-19-0x0000000075170000-0x0000000075721000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4940-28-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download