Analysis

  • max time kernel: 149s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/09/2024, 01:18

General

  • Target: e16b08738be492e6c3229c9e61863eac_JaffaCakes118.exe
  • Size: 330KB
  • MD5: e16b08738be492e6c3229c9e61863eac
  • SHA1: 84d2c9513518d3a66401689a247796f91cc04e2c
  • SHA256: fa5100b151ad9b4b12ae1fed0061b371d973de153186a30a59283cccebab8fa4
  • SHA512: 486a07685294f163544535b03dcea0e43c2eff206300aed78302ed27326da63ea8b50daeb2733e2f666f391cae1ba7520d0580b23014a37c9b7d4165cbbc2fb3
  • SSDEEP: 6144:Mak9hyxEXYGc7q7vqO0HIe/uKuEy4odsEZGPbAFeEtaIwUeOnqfWjsOy9HKuBddP:MkxEXT73e/784odshzAFeEtadXERjQhR

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e16b08738be492e6c3229c9e61863eac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e16b08738be492e6c3229c9e61863eac_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\tgHb8Ps4s67hU1.exe
      tgHb8Ps4s67hU1.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Users\Admin\deodo.exe
        "C:\Users\Admin\deodo.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del tgHb8Ps4s67hU1.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4372
    • C:\Users\Admin\uvagu.exe
      uvagu.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 476
        3⤵
        • Program crash
        PID:4044
    • C:\Users\Admin\uvagv.exe
      uvagv.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\uvagv.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4944
    • C:\Users\Admin\vuenat.exe
      vuenat.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:992
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del e16b08738be492e6c3229c9e61863eac_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 396 -ip 396
    1⤵
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\deodo.exe
    Filesize: 136KB
    MD5: d32fa8f09d33dc67a954f2ad8cabbb0c
    SHA1: 25f4bf09cdb8a18df77d61c5445581227492de1a
    SHA256: 2aa43ff620d7a83501f526829359194695644427297c95c87a086a59190a8413
    SHA512: dbe1ed70a9154f4ca9c2e66053deaea9b673a6d887a35ee8a0a573041083f872475e06b19ef19bfcd8ecf8ba7ade13dcb9eb8f76d2768a3cfc599ca9bcddc4b0

  • C:\Users\Admin\tgHb8Ps4s67hU1.exe
    Filesize: 136KB
    MD5: 6bdd49bd16ed7d274a506a4623a7324c
    SHA1: adb1dbfec1ab4cf5d295583aceae854e018c4cd5
    SHA256: 7ecc55ba0798b3e82040db98b2d829d8e2b711cc65afc8631a77b34286df4504
    SHA512: 9cad4c183d11c8b99f24d4dd4dfdf448e8b56a812d33f187b9d0c5d4ab877d7f8db97ba383c7b6d8f7f2c7a6cc1a8f8b7e61b382c515ebec3225e93edf63e101

  • C:\Users\Admin\uvagu.exe
    Filesize: 169KB
    MD5: 3d7ac3d1e203119cf457c54c31fe6409
    SHA1: 076780968b04ae9e32bc083792a0a41cdb8b610b
    SHA256: 7790a6c1455c0ad261241dae96219aa2d4938c982265c535d8982b125c29500b
    SHA512: 8850d265ba97e94b20871b847a794803e77c83bfe08bf0ad129b904c820e24509af39c3defd2044c91774fb96fba7a0cbf0241fea4c264c32514ed13ce48afb4

  • C:\Users\Admin\uvagv.exe
    Filesize: 29KB
    MD5: 632038ebc994f8988d0d87111dd24291
    SHA1: 677bad0be66dc8a022cdefc799ada5eb71c2019a
    SHA256: 74582cd0b16d9f8bcebaf7007a1815d1cccbdca8ec4145928fd2b66330f449f4
    SHA512: b26464a173fb1c4fedfd396416c3301e00f2f3a03d8358dd3d4b89ffac9e9b41aee859ed1ae0b8ce69d88959a635e34e107f3fa0a5dc83f7809ac77294a72f18

  • C:\Users\Admin\vuenat.exe
    Filesize: 268KB
    MD5: ea19fc0324fdf40ffbd464c64da58238
    SHA1: 5bc22065b775053c5dd2f4a914562b976ee07909
    SHA256: 5068c64698059ca3bd5a3300620638007eb729909bb83ce49a20437f25b401c4
    SHA512: fa5cdaa4d3e57929abea7eb2966ff5cf057774dca7823e04731d044873856e0c6ffc737fd4e6104cfde5a7fbdd3eaedc96ef78e56eab125bfc03ef871f8c87a6

  • memory/3524-24-0x0000000002790000-0x0000000003190000-memory.dmp
    Filesize: 10.0MB

  • memory/3524-25-0x0000000000420000-0x000000000042A000-memory.dmp
    Filesize: 40KB

  • memory/3524-26-0x0000000000420000-0x000000000043B000-memory.dmp
    Filesize: 108KB