Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 08:43

General

  • Target

    ed3ae0057a325f3001da26fb75886b1e_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    ed3ae0057a325f3001da26fb75886b1e

  • SHA1

    f1ce0dd833a9af4e97cd1f1bbbe6358ff1c40660

  • SHA256

    b7dd05c858d1ceee2b84c51c01b029855ae08881e89205917ff9b51f916503e8

  • SHA512

    19433f8447831f217024402bec52573f249d63553e9b8e3da501204b028e62e978d9b48b5136f40bb8bd32eebe32eae67ebf07c8f8e50ad133cbb52b3f8d6423

  • SSDEEP

    12288:WP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:WPoBHch+uudKNffiv1aVSaPTeO

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed3ae0057a325f3001da26fb75886b1e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed3ae0057a325f3001da26fb75886b1e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Users\Admin\AppData\Local\Temp\ed3ae0057a325f3001da26fb75886b1e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ed3ae0057a325f3001da26fb75886b1e_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Users\Admin\V6oUpCF0mC.exe
        C:\Users\Admin\V6oUpCF0mC.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\nlcaax.exe
          "C:\Users\Admin\nlcaax.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2988
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4552
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
      • C:\Users\Admin\ayhost.exe
        C:\Users\Admin\ayhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Users\Admin\ayhost.exe
          "C:\Users\Admin\ayhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1620
      • C:\Users\Admin\byhost.exe
        C:\Users\Admin\byhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Users\Admin\byhost.exe
          "C:\Users\Admin\byhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\explorer.exe
            000000D0*
            5⤵
              PID:4528
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
            4⤵
            • Executes dropped EXE
            PID:3572
          • C:\Users\Admin\cyhost.exe
            C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
            4⤵
            • Executes dropped EXE
            PID:4716
        • C:\Users\Admin\dyhost.exe
          C:\Users\Admin\dyhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del ed3ae0057a325f3001da26fb75886b1e_JaffaCakes118.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:440

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\E15E.2A5

      Filesize

      996B

      MD5

      674d023753ac7aa84e7ca038f2bb3654

      SHA1

      70b761c6669fd722090516d6fed5b605948f3ad8

      SHA256

      2d27b532667b7b9d44d3b4c4e91a21058ce25df0e9653f1a59d60adf20638ff9

      SHA512

      e5e5065c4bd5c73bab7ef3251f8e6cf4fe9aeddc29a9eb9634dbc0c47c83633ddc20385cc4c5e58d1b58a1e99b01430f4937419ab6e9ae8f16286c4a20c50c48

    • C:\Users\Admin\AppData\Roaming\E15E.2A5

      Filesize

      1KB

      MD5

      99f9bb581984c7ef3f7a7a7542dae511

      SHA1

      41e0c739c6cdca34a6885286426c35329e5673f9

      SHA256

      dbbe2ea86e17131c4f2d419bdd0dfcf41ab9e39e284de6635ef1317afdcb85c1

      SHA512

      bf5ae1bb3276e13f31077858996c6d990b2338c9364a866babf68dbfc12a8f0cdbdcb0caa9baf9c003804f80f3061250f423d0e18aa704de510042bfb1c99b33

    • C:\Users\Admin\AppData\Roaming\E15E.2A5

      Filesize

      600B

      MD5

      2e98d11a4631b76a4c08969d97cc86f6

      SHA1

      b2c51cc9ca4262f4aee5671b950e8eb0ae4c5685

      SHA256

      e398d9c28a51a3a0df85a28206e233bc3ba1dca2a9e7eb0013ea77d1c051aa17

      SHA512

      0abb4d5fbc4f1c801e55636e7775909bec5fad4831d9d8ab7e983f24764b8e54d6262e51c28f002100ab9b5a62d99015946fdaf2da75d60a725a1f4918bded00

    • C:\Users\Admin\V6oUpCF0mC.exe

      Filesize

      332KB

      MD5

      b96dc0230580570446ab648e20a7e3b3

      SHA1

      27483df87ef7093d51062fb2d2fc9944f94c23fb

      SHA256

      2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

      SHA512

      b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

    • C:\Users\Admin\ayhost.exe

      Filesize

      68KB

      MD5

      2c7c2d4e9c03a1818621def0e1281a81

      SHA1

      c92b29a7f6e9998c7a86b9b57cff15f28647a127

      SHA256

      9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

      SHA512

      431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

    • C:\Users\Admin\byhost.exe

      Filesize

      136KB

      MD5

      1d0f81b6e185ec95e716d2a0b2ba69a1

      SHA1

      09399ffa69ae8bfd9794104bc4b7b4f481980e3a

      SHA256

      abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

      SHA512

      6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

    • C:\Users\Admin\cyhost.exe

      Filesize

      168KB

      MD5

      234bf3937f8fe09351acc53c059b40d2

      SHA1

      256f162b65eacc7a1fee35722fbfdbd55bba93c7

      SHA256

      86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

      SHA512

      6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

    • C:\Users\Admin\dyhost.exe

      Filesize

      24KB

      MD5

      9814ec05c8857737f599ba75b1610fb1

      SHA1

      aa9d9b016c2feda03cf6ad1bbca332070eb9b295

      SHA256

      a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

      SHA512

      c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

    • C:\Users\Admin\nlcaax.exe

      Filesize

      332KB

      MD5

      ea0b69471b2171c24bd6f811d8919b13

      SHA1

      c3a3884d7828684a21e3c7977aee477c115163de

      SHA256

      88ccf9d521cae7258abb83d3f75dc87be7bb5825f4c8426c8b6cc554eadc774a

      SHA512

      dc9f78a168a59f51c3fc2159ad56acd5507d571d8f0739900df4135a7c2e44fafc2639a4b9df159589e7674b1a835a04723b849936d31e971919308cea93e478

    • memory/1060-87-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/1060-2-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/1060-283-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/1060-6-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/1060-4-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/1592-64-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1592-66-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1620-57-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1620-56-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1620-54-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/3572-85-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4032-68-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

    • memory/4304-162-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4304-279-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4304-149-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4304-285-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/4716-156-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB