Overview

overview

10

Static

static

7

ee2166b863...18.exe

windows7-x64

10

ee2166b863...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee2166b8636b702cb6ad74f693740d21_JaffaCakes118.exe

  • Size

    55KB

  • MD5

    ee2166b8636b702cb6ad74f693740d21

  • SHA1

    b7837cda490ee29ebae1b138e2b1c51aa6ce5ae5

  • SHA256

    64f14c276382a6c83ca4655b659a344af2481f8bbadfcaf17012cff9f026585f

  • SHA512

    320c6e97724391d024cc30699d3612de9126770934dc4eca62aed48a666fb179b257aae9236e3a1187c289da1cc109d6c275e14e5dd945743c9115e07300c29e

  • SSDEEP

    768:U4uctBneusEz+xwg8HC/6NETIjtOdKEpQNQmqulk25TVXGWS6+L3vOLDgM9jzSC8:R1Tenk+2jHNEWkY42Q8fTVzSl3vOLfp

Score
10/10
adwaredefense_evasiondiscoveryevasionpersistencestealerupx

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
    evasion
  • Drops file in Drivers directory 64 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
    defense_evasion
  • Loads dropped DLL 5 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies WinLogon 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee2166b8636b702cb6ad74f693740d21_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee2166b8636b702cb6ad74f693740d21_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe linkap.dll,linkap C:\Users\Admin\AppData\Local\Temp\ee2166b8636b702cb6ad74f693740d21_JaffaCakes118.exe
      2⤵
      • Modifies firewall policy service
      • Drops file in Drivers directory
      • Deletes itself
      • Impair Defenses: Safe Mode Boot
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 600
        3⤵
        • Program crash
        PID:1672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\drivers\adp94xx.sys
    Filesize

    8KB

    MD5

    5489130e7d7fc91bf6f1851a314debe8

    SHA1

    10293bf8d3a0e0ad1eb2e4e9ca1dae64e933e386

    SHA256

    e3cff378c0550b53c02825aa488e06cdd6149c3e60fbf90e491979fe6371b2b8

    SHA512

    27bfaa804a06e6e483b80ff9731a1ebe888d905a1cc6d8acdccefd17802d9173121d116b9eac3406b16364ac53fbdb49b34683df73b5f023744deb91fcddc9ff

    Download Submit

  • C:\Windows\SysWOW64\mod_st.dat
    Filesize

    14KB

    MD5

    52692e5fb55ea8509fc327d3f0ba4860

    SHA1

    2e63c68d9dc9e36902ca606d242ec0fe2e3554e6

    SHA256

    dc34ceade186993bedfb89d533cd007566d635eaad42c83d9563a531db968ad2

    SHA512

    2e80bac87991812beec4fdce3a62a9069040d367cdad6a0472b4acc849f48ecf47a826a4a0ef583fb64a6364de9b578426e890ee6f1bacd3a47872f39004ba4a

    Download Submit

  • \Windows\SysWOW64\linkap.dll
    Filesize

    23KB

    MD5

    3fefeb19a84f953402a5c19274240c80

    SHA1

    e380a2cc450ee81bff6164f44456179e4b514c72

    SHA256

    3d08e0d24ffa4783f0218f59a04bb4ef12338c1d8627499b195e8d5abd4e97be

    SHA512

    85e9fefad893e2c90aba33cca189a165ba33e62f1f312cf6304add017ed82d5ea24d1eff6c93c8b921cc198cbd154f347e568670bc78975dc15194430b0996eb

    Download Submit

  • memory/2324-16-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2324-18-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2324-19-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2324-232-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2324-233-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/3024-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3024-8-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/3024-20-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3024-22-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download