Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 03:45

General

  • Target

    ea868a461814748d42fb6dfeb3af0387_JaffaCakes118.exe

  • Size

    450KB

  • MD5

    ea868a461814748d42fb6dfeb3af0387

  • SHA1

    da3c75ad058310f0c63384895cddc1656835bdea

  • SHA256

    df9dd0b789c3a5f138ff1f504515c232ef9b0c82bc3e8e05f8ffb428105820d2

  • SHA512

    cfb7f6f9c469901d93ca9a18cf38d884c7d6e36dc3bfb1d05a49967a35f05238a08f183b0a8990be9f8e9fbc60a2781c22afb9b53fd931171612d03b4e27a339

  • SSDEEP

    6144:UZ8ywEn1YXLGqCh1zeMpprEA3jkIJzxOlhT03EbdF49lSK/gnfE3N:uwa11qe1igrV3bJz0l9b89kKAE3N

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 8 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea868a461814748d42fb6dfeb3af0387_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea868a461814748d42fb6dfeb3af0387_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netsh firewall set opmode disable
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3448
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\FirePassword.exe
        C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:996
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2dtxjrp.Admin"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\FirePassword.exe
        C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2dtxjrp.Admin"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4232
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
    1⤵
      PID:4336

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\FirePassword.exe

      Filesize

      80KB

      MD5

      b199ac8e35357580b48f7b33868e67a2

      SHA1

      f72aeaa3b66d8388bdf7116317b12084393624b6

      SHA256

      410bebeacf59ec783bff358437305cb4b982bcbc6c06a4a3389f3e8432d2751e

      SHA512

      ed50383a66f42df530b1c28d882f86bc27cdd42404250912e3a0fc72df46eabb19ac7a13e424fbd83ba82d2ddc508fee582182f1009059b6195acbe35f1831a8

    • C:\nspr4.dll

      Filesize

      72KB

      MD5

      72414dfb0b112c664d2c8d1215674e09

      SHA1

      50a1e61309741e92fe3931d8eb606f8ada582c0a

      SHA256

      69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

      SHA512

      41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

    • C:\nss3.dll

      Filesize

      172KB

      MD5

      7ddbd64d87c94fd0b5914688093dd5c2

      SHA1

      d49d1f79efae8a5f58e6f713e43360117589efeb

      SHA256

      769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

      SHA512

      60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

    • C:\plc4.dll

      Filesize

      8KB

      MD5

      c73ec58b42e66443fafc03f3a84dcef9

      SHA1

      5e91f467fe853da2c437f887162bccc6fd9d9dbe

      SHA256

      2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

      SHA512

      6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

    • C:\plds4.dll

      Filesize

      6KB

      MD5

      ee44d5d780521816c906568a8798ed2f

      SHA1

      2da1b06d5de378cbfc7f2614a0f280f59f2b1224

      SHA256

      50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

      SHA512

      634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

    • C:\softokn3.dll

      Filesize

      155KB

      MD5

      e846285b19405b11c8f19c1ed0a57292

      SHA1

      2c20cf37394be48770cd6d396878a3ca70066fd0

      SHA256

      251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

      SHA512

      b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

    • memory/996-33-0x0000000060140000-0x000000006016D000-memory.dmp

      Filesize

      180KB

    • memory/996-15-0x0000000060170000-0x00000000601D7000-memory.dmp

      Filesize

      412KB

    • memory/996-23-0x0000000060220000-0x0000000060229000-memory.dmp

      Filesize

      36KB

    • memory/996-22-0x0000000060140000-0x000000006016D000-memory.dmp

      Filesize

      180KB

    • memory/996-26-0x0000000060260000-0x00000000602BF000-memory.dmp

      Filesize

      380KB

    • memory/996-34-0x0000000060260000-0x00000000602BF000-memory.dmp

      Filesize

      380KB

    • memory/996-24-0x0000000060210000-0x000000006021A000-memory.dmp

      Filesize

      40KB

    • memory/996-32-0x0000000060220000-0x0000000060229000-memory.dmp

      Filesize

      36KB

    • memory/996-31-0x0000000060210000-0x000000006021A000-memory.dmp

      Filesize

      40KB

    • memory/2464-0-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

    • memory/2464-53-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

    • memory/2464-57-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

    • memory/4232-43-0x0000000060140000-0x000000006016D000-memory.dmp

      Filesize

      180KB

    • memory/4232-46-0x0000000060260000-0x00000000602BF000-memory.dmp

      Filesize

      380KB

    • memory/4232-51-0x0000000060140000-0x000000006016D000-memory.dmp

      Filesize

      180KB

    • memory/4232-45-0x0000000060220000-0x0000000060229000-memory.dmp

      Filesize

      36KB

    • memory/4232-44-0x0000000060210000-0x000000006021A000-memory.dmp

      Filesize

      40KB

    • memory/4232-42-0x0000000060170000-0x00000000601D7000-memory.dmp

      Filesize

      412KB