Overview

overview

8

Static

static

7

dece8e327e...18.exe

windows7-x64

8

dece8e327e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 20:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dece8e327ece0f240afdbcef1456345b_JaffaCakes118.exe

  • Size

    16KB

  • MD5

    dece8e327ece0f240afdbcef1456345b

  • SHA1

    0e6c07f684c83120d150c1a72fb46a71b0f90e55

  • SHA256

    86c989534785cd8af2b858d14d551784abf32a1f91ad9b9fbf43da67f7329ca5

  • SHA512

    06fea16c324e13d22daeb3c270bb16d0dfe9392c5fd1d819e259f466530030c09e2fe31ac1087a012fd1b4b315d4dfbb34bd453ebd3594830308f17ec61c59e6

  • SSDEEP

    384:j7Ho1zZtx6RxPQNZ8uPClPMHGdRyfl+CN72mTH3Q4:cdtuHTYGdRyfQk71TXR

Score
8/10
discoveryupx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:592
    • C:\Users\Admin\AppData\Local\Temp\dece8e327ece0f240afdbcef1456345b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dece8e327ece0f240afdbcef1456345b_JaffaCakes118.exe"
      1⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\NET.exe
        NET STOP Beep
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP Beep
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2776
      • C:\Windows\SysWOW64\NET.exe
        NET START Beep
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 START Beep
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\system32\me.bat
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h -s -r -a C:\Windows\system32\me.bat
          3⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2952
    • C:\Windows\MyLover\MyLoverMain.exe
      C:\Windows\MyLover\MyLoverMain.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\MyLover\MyLoverMain.exe
            Filesize

            16KB

            MD5

            dece8e327ece0f240afdbcef1456345b

            SHA1

            0e6c07f684c83120d150c1a72fb46a71b0f90e55

            SHA256

            86c989534785cd8af2b858d14d551784abf32a1f91ad9b9fbf43da67f7329ca5

            SHA512

            06fea16c324e13d22daeb3c270bb16d0dfe9392c5fd1d819e259f466530030c09e2fe31ac1087a012fd1b4b315d4dfbb34bd453ebd3594830308f17ec61c59e6

            Download Submit

          • C:\Windows\MyLover\MyLoverSYS.dat
            Filesize

            4KB

            MD5

            3bbf4bbec9e7720a9a53c8911dfa3aab

            SHA1

            f50695daf4f0b366b12e9c065519295d03cf6d3f

            SHA256

            c0bed2920e25a28af51029d5deaafff82d0955f8bd8e7ea21d2bdbd3e177c7c0

            SHA512

            b9263452daa0247d8c9f75cdc1b837a56d526804d9c559e2790c78371307f9e3d0ec9a584d8463acd02d57ce75f523e3c2e4dab2a4d4e2ed0e0ddd22d335fb36

            Download Submit

          • C:\Windows\SysWOW64\me.bat
            Filesize

            151B

            MD5

            af1819d02253eb07879565c52c99b6b0

            SHA1

            68ad70fba4ba1ad46e135f2a157e915b5ee9baa2

            SHA256

            ec7e9f0327a1f9d949038f1a129a0228ea5fb652e7247df0fef9ea1234fb735c

            SHA512

            979b31ac7297a6dacdb6d6fe1de0794a3647b7f96214b0fc66365b42d33b1fabc9f3395ed32527c68de44dc54fdaacbfd983dc6077391201cb868efa0b947c1c

            Download Submit

          • \Windows\MyLover\MyLoverDll.dat
            Filesize

            11KB

            MD5

            f502f7533e37157b70d6871ef93bc65d

            SHA1

            a2b7b7cefa310c41018371147ba64c2deb53e0c3

            SHA256

            55c96bbe5490b47a82b7dda9dd751c137fec4aa39dbd5ec01c29c5ca1685019c

            SHA512

            272872e7022cfba8448a0cbaef5473db3d949c2eeff0521c870045190f12f8641b37bae26170916eb117887f15f4c169fc0e1c7443e1a58db6203fb44a3bc24a

            Download Submit

          • memory/592-27-0x00000000002D0000-0x00000000002D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1976-0-0x0000000000160000-0x000000000016B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1976-13-0x0000000000160000-0x000000000016B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1976-12-0x0000000000162000-0x0000000000163000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2712-15-0x0000000000160000-0x000000000016B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2712-30-0x0000000000160000-0x000000000016B000-memory.dmp

            Filesize

            44KB

            Download