Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 08-09-2024 09:24

General

  • Target: d408ab2f240c659b1d2b9917d98345e9_JaffaCakes118.exe
  • Size: 414KB
  • MD5: d408ab2f240c659b1d2b9917d98345e9
  • SHA1: db39b16507c275af9a411f1350de9b77d558c262
  • SHA256: 318c0595f19d2c2fcf40f9cdb7328eb31528296c1db6f08457efa0e4bdbd16a1
  • SHA512: 3ee9f9595f369c53b15ef8be156c8d17adebfc285b436f4fa22c04b9aa99dd1f3712bcdebcbdbf22e12afd3a22fe8b396abb5b020f5dfb40a61fe49bc96a771a
  • SSDEEP: 6144:aeNyES77DUhRMJj2/7JDJfo3/Sy5mRAZlwfSYppQ7omW0bI1fPKL1mDmt:aeNyEKLj2TJDJfE/lAGOppQ7lFofPhmt

Malware Config

Signatures

  • Renames multiple (176) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\d408ab2f240c659b1d2b9917d98345e9_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d408ab2f240c659b1d2b9917d98345e9_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2596
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC67A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Users\Admin\AppData\Local\Temp\d408ab2f240c659b1d2b9917d98345e9_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\d408ab2f240c659b1d2b9917d98345e9_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\System32\msiexec.exe" /i "C:\setup.msi"
              5⤵
              • Enumerates connected drives
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:2784
            • C:\QvodSetupPlus3.exe
              "C:\QvodSetupPlus3.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2736
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2780
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2372
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2128
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding C7C0B2333CA1C1A415E696F5D9E1C4E4
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2308
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002A8" "00000000000005AC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\QvodSetupPlus3.exe
      Filesize: 149KB
      MD5: ae856c5755a11fdd5f22f6803a2fb3ca
      SHA1: 67428e0b59abe9025c13faca71c3f221a0c101ad
      SHA256: 714da13a4d3f6b66c48bd1054a594f54f7a452d07e637d90be868991985e5771
      SHA512: 79e2f8d03b64f47e22fee1c766b43dabf10e7ee8e4debbd91efc1308f0f5cfffd12abd61776f86e9a9330229d1a9d18b3927c62e9fb0603bb85c46d30329da94

    • C:\Users\Admin\AppData\Local\Temp\$$aC67A.bat
      Filesize: 614B
      MD5: a1662ddb40044e9e88b1ba3dcd4d63b9
      SHA1: 6f021d0b7a25ba2936c655d56343ca4d49981570
      SHA256: 16c2025b9469733d6fba7296e306dc38f4c12de811aafb2696fc14217850b602
      SHA512: 3133f858e31cbc0616e6d4d8f3c6a3c16b6cc0cbe2d53e82d2e3f2eb16a4982e8afe0f9572bc0a8b3ef50cf03829a153e2e0eeeb7335770395e1fc788d97b9ea

    • C:\Users\Admin\AppData\Local\Temp\d408ab2f240c659b1d2b9917d98345e9_JaffaCakes118.exe.exe
      Filesize: 352KB
      MD5: 29294ee1401c61b3690d3edad19f9312
      SHA1: d8de1eb8889fa3fd0bdc77af0ff2721cc678aff8
      SHA256: 92f3538af6aa89dd61a7dc69a786111e0ebc37f651abf144f9312561c8ad3b05
      SHA512: 5e4b1a7471d3b34b116365e9c2fc374379a0072df3f9318b6cad96f2fc19ccda63b5418d2ce657eabcc960a49f0b9c44e801d5122fdabd44f55c4ac42d3994d7

    • C:\Windows\Installer\MSIEC71.tmp
      Filesize: 48KB
      MD5: 9067aad412defc0d2888479609041392
      SHA1: 36cfffc3bafeb24f88ad5886ca5787ca008b6ba9
      SHA256: 99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
      SHA512: e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

    • C:\Windows\Logo1_.exe
      Filesize: 62KB
      MD5: 9210d7ba9fc214c04004fd8eee351604
      SHA1: 364b7974f7a0a3aba64aac0fc14a28e8fd9138b5
      SHA256: d93e0cd4cded534c5f40ca98cba496528ccc6c4981e6f2b92784f408fe436701
      SHA512: 5bd25bed793b9c68f8e937160f5fbb7c52886e1676e3ed1fdc8026520e1b10098951e4ec72d70aa8ffa69b87d8328cb517a0e2ac4ce3849dfdb5249a707d6540

    • C:\Windows\system32\drivers\etc\hosts
      Filesize: 832B
      MD5: 7e3a0edd0c6cd8316f4b6c159d5167a1
      SHA1: 753428b4736ffb2c9e3eb50f89255b212768c55a
      SHA256: 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
      SHA512: 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

    • C:\setup.msi
      Filesize: 293KB
      MD5: d1eab229dacabc6f0525bf355c03da28
      SHA1: ce5a01c87dac27de72db9d44458466efd17c1bf4
      SHA256: cf1bf1d59753496c8f620e0d47249baa9a6ba49d6b887f5c6940eae8a79288a6
      SHA512: 013da24222f3fee9c9bb23dbf167c17621a80f4544680d9d09a645473b935ff17ebec6726fe3a83fed880ad0313afa6b9c33d983f7bca53509aee885405d0a97
