Overview

overview

7

Static

static

3

dce7ff4ab5...18.exe

windows7-x64

7

dce7ff4ab5...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2024, 19:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dce7ff4ab542325ac31ce8b0254bb2da_JaffaCakes118.exe

  • Size

    403KB

  • MD5

    dce7ff4ab542325ac31ce8b0254bb2da

  • SHA1

    12797eb7857ab2ff0df28298675191cf29564847

  • SHA256

    af0e20447620ad599bb8456a42460009c54dfd83b43c8782cc18efc9ae51bf96

  • SHA512

    88196bc9b8b0d81af87ce3d7118c7b037dc1211b39e10f1d8b3040e3518dbf84f8ebc48f71dc264fb8718863f9565eb6e45ea4f8b19dad1ca45b228659a8877f

  • SSDEEP

    6144:Z6iqDO98V293jBB9QHY7JutekbWm82AACER+/92QLJuzz+Esth3Y63oPx7XoIVDC:BcETjqiutegWXVm+/Zr3t4Px7XoCD+j

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dce7ff4ab542325ac31ce8b0254bb2da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dce7ff4ab542325ac31ce8b0254bb2da_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 724
      2⤵
      • Program crash
      PID:4860
    • C:\ProgramData\aJ01812PgHdI01812\aJ01812PgHdI01812.exe
      "C:\ProgramData\aJ01812PgHdI01812\aJ01812PgHdI01812.exe" "C:\Users\Admin\AppData\Local\Temp\dce7ff4ab542325ac31ce8b0254bb2da_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 724
        3⤵
        • Program crash
        PID:928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1824 -ip 1824
    1⤵
      PID:2960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4892 -ip 4892
      1⤵
        PID:3748

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\aJ01812PgHdI01812\aJ01812PgHdI01812.exe
              Filesize

              403KB

              MD5

              4d6d3e4b7fb43b2a21114d434fb11b87

              SHA1

              165c9f98d15d63d884202697855493ec7a8b8190

              SHA256

              eb333ae27388ae9badc057485ba9712c67932c64e64d94fa56e687494b67e8ee

              SHA512

              5ed8e950d463235367199bfb2b645052933759375151e935a01b8c86986b1d43be3cbfe281d4c41a1397063abddb599f22523cfb508811a99bba0b002cd83889

              Download Submit

            • memory/1824-0-0x0000000002350000-0x0000000002353000-memory.dmp

              Filesize

              12KB

              Download

            • memory/1824-1-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/1824-14-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/4892-15-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/4892-18-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/4892-24-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/4892-31-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download