Overview

overview

10

Static

static

3

c434692ff5...18.exe

windows7-x64

10

c434692ff5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c434692ff5c51b4fb171e9a4b6120a0f_JaffaCakes118.exe

  • Size

    561KB

  • MD5

    c434692ff5c51b4fb171e9a4b6120a0f

  • SHA1

    c7771fafc0a7c92feb897ea90e07e08266036161

  • SHA256

    c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f

  • SHA512

    41546501c33cb49d7259f50ccb2ef3bc1c77b115147ff7a2b8a66d29c4dc7c8b250e7852b0f12ae2f885ab09288c650269e951e05e5bfd63166613575240a9c7

  • SSDEEP

    12288:h352MQJltd8RnLapnMphyNQFV/GK868v1M7RtZG:B5kluneJMya/GKP6Ow

Score
10/10
anubisbankerdiscoveryinfostealertrojan

Malware Config

Extracted

Family

anubis

C2

http://localhost:8080/

Signatures

  • Anubis banker

    Android banker that uses overlays.

    bankertrojaninfostealeranubis
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Declares services with permission to bind to the system 1 IoCs
  • Requests dangerous framework permissions 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c434692ff5c51b4fb171e9a4b6120a0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c434692ff5c51b4fb171e9a4b6120a0f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\7z2.exe
      "C:\Users\Admin\AppData\Local\Temp\7z2.exe" x "C:\Users\Admin\AppData\Local\Temp\stubfile.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -y
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\stub.apk
    Filesize

    261KB

    MD5

    907e167bab28358e03413f4a32ff91f1

    SHA1

    b72068b03565bcb8ac2322a8d8def67c975f488f

    SHA256

    3c302715512ce87b98ffb0e7ecb8c8638d25c5b0462fd127bb1c638e99b37938

    SHA512

    003120d75bc469ed2e196946ff7ec6d002e9916f5eb35f303738934f7632ff316e1c527688d742952c17f9db143d1d73803fd1727933e1f26d8fd9ec1dad1de6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\stubfile.7z
    Filesize

    173KB

    MD5

    cda2a5aac4fcb466f42e311fa1082a3d

    SHA1

    cc9197bef10ed6b24161613bcfa41f1dd9b6e29d

    SHA256

    4f0945e90196e2fbeb939fb75b04969767e48f78c06920fd6962712fa3202faa

    SHA512

    9e4d8567a0569e7aed2058c6b972e972eabf38060005202bfb37799a18324da981e2176b9cdedb6272d3ab7db3dffd196984f93f9c711e664f164891e31e2a9f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\7z2.exe
    Filesize

    458KB

    MD5

    619f7135621b50fd1900ff24aade1524

    SHA1

    6c7ea8bbd435163ae3945cbef30ef6b9872a4591

    SHA256

    344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

    SHA512

    2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

    Download Submit

  • memory/2296-0-0x000000007416E000-0x000000007416F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2296-1-0x0000000000C90000-0x0000000000D24000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2296-2-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2296-3-0x0000000004C10000-0x0000000004CB4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2296-15-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2296-16-0x000000007416E000-0x000000007416F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2296-17-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download