Overview

overview

7

Static

static

7

dde6b4d3aa...18.exe

windows7-x64

7

dde6b4d3aa...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2024 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dde6b4d3aad336665f3b531c5cc940b9_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    dde6b4d3aad336665f3b531c5cc940b9

  • SHA1

    111f4002cb2caf6773f80d60453b820579185db6

  • SHA256

    b7c1be4f147752472c3a6baa3dceae26290ed2e13680627126b5b69bde77e690

  • SHA512

    c9436db506d7d2ad836234962ea603fa8ac82a173dcc67789efb6f5e7eb1a7369bec3d871015d808ff519fdeb272df6373e9b01511d1647098c5a78ef192d1db

  • SSDEEP

    6144:eu7pZ0pfwcgLEhqh0riJUkIdz9fi7NxUJ4OCzoS:3psKE8hJn4qtzoS

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1160
      • C:\Users\Admin\AppData\Local\Temp\dde6b4d3aad336665f3b531c5cc940b9_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\dde6b4d3aad336665f3b531c5cc940b9_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\pnOrz.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run32.dll" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Run32.exe" /f
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2204
        • C:\Users\Admin\AppData\Roaming\Run32.exe
          "C:\Users\Admin\AppData\Roaming\Run32.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Users\Admin\AppData\Roaming\Run32.exe
            C:\Users\Admin\AppData\Roaming\Run32.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Users\Admin\AppData\Roaming\cunt.exe
              "C:\Users\Admin\AppData\Roaming\cunt.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Users\Admin\AppData\Roaming\cunt.exe
                C:\Users\Admin\AppData\Roaming\cunt.exe
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\pnOrz.bat
      Filesize

      134B

      MD5

      52dd81881fa3a9e2f376bb73bde15b00

      SHA1

      9440375fb9fb0368f982754f76e2efd295b25463

      SHA256

      a937077f0e234149b1e15e413d33c9f55ad3f427be87d806719c96b3b95209a2

      SHA512

      80c8f687f6c58bd0549c29e7df64fa5585fa877ac5505a72772ba0cae44b01397bd4e2c217681f8662ea5aff69f115c3fbc306c6b1c3e33d9089aa4f887d2fb0

      Download Submit

    • \Users\Admin\AppData\Roaming\Run32.exe
      Filesize

      1.0MB

      MD5

      dde6b4d3aad336665f3b531c5cc940b9

      SHA1

      111f4002cb2caf6773f80d60453b820579185db6

      SHA256

      b7c1be4f147752472c3a6baa3dceae26290ed2e13680627126b5b69bde77e690

      SHA512

      c9436db506d7d2ad836234962ea603fa8ac82a173dcc67789efb6f5e7eb1a7369bec3d871015d808ff519fdeb272df6373e9b01511d1647098c5a78ef192d1db

      Download Submit

    • memory/1160-45-0x0000000002CD0000-0x0000000002CDD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1912-79-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1912-74-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1912-75-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1912-73-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1912-71-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2252-50-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2380-38-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2380-0-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2380-34-0x00000000034F0000-0x00000000035F9000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2708-59-0x0000000002120000-0x0000000002229000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2708-44-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2708-49-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2708-41-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2708-77-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2816-61-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2816-72-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download