Overview

overview

7

Static

static

3

eaa6e62eb9...18.exe

windows7-x64

7

eaa6e62eb9...18.exe

windows10-2004-x64

Analysis

  • max time kernel
    31s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 05:15

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe

  • Size

    444KB

  • MD5

    eaa6e62eb9d2658f4a42c1f3aa9cac39

  • SHA1

    2a1b9d9ef3883e086eb71b06f92fc0b333cbd843

  • SHA256

    80ade822a526d5c55756a34405afa7c7d73bcc3840a734d16b8b87143f68568d

  • SHA512

    37a92c9ba293535f872f7a8966ff8fac960e225a536c3ce30ec2926da57420264d86200ee333c54532658fc984282041ec17a0fe2685e385899c637cda0cea78

  • SSDEEP

    12288:WG4/ICycu4oFU7VKRsr9jIirCPAweoHjyR5Rqq5w+HSCc:PcuP5UCFPAKmPRKQ

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\ProgramData\bM09100PcFdM09100\bM09100PcFdM09100.exe
      "C:\ProgramData\bM09100PcFdM09100\bM09100PcFdM09100.exe" "C:\Users\Admin\AppData\Local\Temp\eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\bM09100PcFdM09100\bM09100PcFdM09100.exe
    Filesize

    444KB

    MD5

    d80723114e0bc43cc9739f0afc0a8f29

    SHA1

    b3e2ebb9f82899348ba99e2a3f4bd8645fa364dc

    SHA256

    988bfeaedb34e308de97d4d10abbd7062632da0dbb6ed6205a09f37decad57fc

    SHA512

    14a632dbc73ce5ac16255dfdd98db085fac071265ec8366786a2279337d8169caa789d9cf7b0873e009cf1510bd19f7c221579a160819c94f4a56cf440b1deca

    Download Submit

  • memory/2580-17-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/2580-25-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/3048-1-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

    Download

  • memory/3048-2-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/3048-14-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/3048-15-0x0000000000400000-0x00000000004BF000-memory.dmp

    Filesize

    764KB

    Download