Overview

overview

10

Static

static

3

ce22598996...18.exe

windows7-x64

10

ce22598996...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce2259899671d148533d4bdccdbc1d71_JaffaCakes118.exe

  • Size

    672KB

  • MD5

    ce2259899671d148533d4bdccdbc1d71

  • SHA1

    620de396cb9a36b6a7985e420330e54c7228c515

  • SHA256

    8ef289e5ba81d4cd3344db901ec8c7d524e63c1f792a017c26a29ab8a2665401

  • SHA512

    85e5587dfe7e0e42a6ae4d0890d96c1d1ad589b7ff309605cc680cb1957e1d948b6a973ad5702d28222898744ab67b82cee81fc952d3c96a7638358b7e5b37b7

  • SSDEEP

    12288:Q8aki2l5o9IWzqYB79Kj+HIgXIP+CM/kmkB9a/KhQdEjPXhXzAQHL+5M:Q8aGl5o9DzqD+HIgXIP+CMcmk+ihaE10

Score
10/10
discoveryevasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce2259899671d148533d4bdccdbc1d71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ce2259899671d148533d4bdccdbc1d71_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\o7BM97.exe
      C:\Users\Admin\o7BM97.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Users\Admin\baiboj.exe
        "C:\Users\Admin\baiboj.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2360
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del o7BM97.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4524
    • C:\Users\Admin\2lej.exe
      C:\Users\Admin\2lej.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\2lej.exe
        "C:\Users\Admin\2lej.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1508
      • C:\Users\Admin\2lej.exe
        "C:\Users\Admin\2lej.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2984
      • C:\Users\Admin\2lej.exe
        "C:\Users\Admin\2lej.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3336
      • C:\Users\Admin\2lej.exe
        "C:\Users\Admin\2lej.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:536
    • C:\Users\Admin\3lej.exe
      C:\Users\Admin\3lej.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 440
        3⤵
        • Program crash
        PID:2852
    • C:\Users\Admin\4lej.exe
      C:\Users\Admin\4lej.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3592
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c tasklist&&del ce2259899671d148533d4bdccdbc1d71_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1092 -ip 1092
    1⤵
      PID:1584

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2lej.exe
      Filesize

      104KB

      MD5

      16dee3b2526f2591566d5acb4e39c1b6

      SHA1

      b7ebc0bc99c16961c66a8634f047040f6a6e191a

      SHA256

      482ecb5e733b52063af8058b50c0395994d40d0d1ae64bfb497c7175e5a0b9ee

      SHA512

      366a3cc656d5d60700435b08067c45ecbce9bd17ea8c004f5e1353a501e22f32221a85d55ab04fe3a8891368a9a8943d59e0bdd7d1bcaa37012e98919f5f38dd

      Download Submit

    • C:\Users\Admin\3lej.exe
      Filesize

      274KB

      MD5

      ed235833d2c87096550929d34a90549a

      SHA1

      768b653681a3e5e0634142d843be6b42d8a63e25

      SHA256

      9d83b3f9840540e75dcc7e3048cc99badf3c7edbe64f8e0089037fd8efffd22a

      SHA512

      d4e553d83c0f56f1a84944fe953180bea6f82325fa7a928afc1d0e1aa6b3b3a090255dd9a7f9fe5ed73f2c53a151136a0d096eb6e7da47e34ae6520211d08a84

      Download Submit

    • C:\Users\Admin\4lej.exe
      Filesize

      212KB

      MD5

      44baadf67b4c153723984395a762d621

      SHA1

      d26cf53e3b13e2eac2015d86809f5cf87ffb3eac

      SHA256

      e0b4c4fab8bfca05a631f97cee76bf6002d0c3558a4498a7fdafb0c52e79482f

      SHA512

      05eb8c92f3b88e644c38df9f0a20cc0879ef593a4bfe729dc08c9d9261136bec088d6350915e54fe2edd4cc994ac6ca7a5e946f329a53d214b18773a49d32273

      Download Submit

    • C:\Users\Admin\baiboj.exe
      Filesize

      184KB

      MD5

      c9234c556736df4448df1a4966989b21

      SHA1

      ee36e6190c3202e01aa960584ba19a62e14d4083

      SHA256

      a1dc8ac98cfa0bd302126d55bd8338579ccf083deaca55cc6295677689a9635b

      SHA512

      6c32d62cedb8120d87e62e56e2ff4163d975bfd3b6e43a5c2b479854cdf740772ccebe45a45081a668dcb99efd0a7ed5e3eb7657d9c61f143bf714f35a40c7bd

      Download Submit

    • C:\Users\Admin\o7BM97.exe
      Filesize

      184KB

      MD5

      ffbabbd48507f45874b310f39bad694a

      SHA1

      a75bd0b2afadec2f9a073e56cbceefa03b8514b1

      SHA256

      3341e193c1d7a0905d9fe312ea89c6df17e554e5fe0b87caadebb139e3733f54

      SHA512

      fcf8b2f7e1cd72ead4f917377ea94dac68c8fc5640048db833310ce7b44c066628654b439fe1fbbfa2b67c032e66b6197bea2beacaf73edc518b424017c2b1e8

      Download Submit

    • memory/536-64-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/536-63-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/536-71-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/536-60-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1092-77-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

      Download

    • memory/1508-47-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1508-92-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1508-83-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1508-49-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1508-51-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2984-52-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2984-55-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2984-57-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2984-84-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2984-58-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3336-66-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3336-59-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3336-65-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3336-85-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3592-82-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download