Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-09-2024 00:15

General

  • Target

    eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    eeb69150b3638eaccfcb813a73e1d96a

  • SHA1

    ec679dd60d4bf98fded42e2bab1c332a35fc66ac

  • SHA256

    1a9f1aca4450bc87896768a88e8df473a21a70fef8816152695cbe4971de5c86

  • SHA512

    80401963eea507bd26cf65004c150e7640827fa726f69d1958d4b6f13dd7e499f106e4bfb464ec5cc2f85610db724dde4e9207b11509f99eb231f68d207fb94c

  • SSDEEP

    12288:wP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:wPoBHch+uudKNffiv1aVSaPTeO

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
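The "UPX packed file" signature above fires on the packer's section naming (and, for modified UPX builds, on the shape of the section table). As an added example, not code from this report or the sandbox's own detection logic, here is a minimal PE section-table walk in Python that applies the same two checks: section names beginning with `UPX`, and a first section with no raw bytes but a large virtual size, which is where UPX unpacks into. The two PE images are constructed inside the block (valid headers, no code) and are not the sample from this page.

```python
import struct

# IMAGE_SECTION_HEADER layout (40 bytes): Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
PE32_OPTIONAL_HEADER_SIZE = 224


def parse_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    off = coff + 20 + opt_size
    sections = []
    for _ in range(n_sections):
        f = SECTION_HEADER.unpack_from(data, off)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "virtual_size": f[1], "raw_size": f[3]})
        off += SECTION_HEADER.size
    return sections


def upx_indicators(data: bytes) -> dict:
    """Two cheap signals: UPX* section names, and a first section that has no
    raw data on disk but a large virtual size (the unpack destination)."""
    secs = parse_sections(data)
    named = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    empty_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    return {"upx_sections": named, "empty_first_section": empty_first,
            "likely_packed": bool(named) or empty_first}


def build_fake_pe(sections):
    """Constructed test image: valid headers, no code.  sections = [(name, vsize, rawsize)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPTIONAL_HEADER_SIZE, 0x0102)   # i386, executable image
    optional = bytes(PE32_OPTIONAL_HEADER_SIZE)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1), rawsize,
                            0x400, 0, 0, 0, 0, 0xE0000020)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Constructed images: one shaped like a UPX output, one like a normal compiler output.
UPX_LIKE = build_fake_pe([(b"UPX0", 0x20000, 0), (b"UPX1", 0x10000, 0xF000), (b".rsrc", 0x1000, 0x800)])
PLAIN = build_fake_pe([(b".text", 0x8000, 0x8000), (b".data", 0x1000, 0x600), (b".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

The name check is trivially defeated by renaming sections, which is exactly what "modified UPX" builds do; the empty-first-section heuristic survives renaming but also fires on some legitimate images, so treat it as one signal to combine with entropy or an unpack attempt rather than a verdict.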

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:332
  • C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\V6oUpCF0mC.exe
        C:\Users\Admin\V6oUpCF0mC.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Users\Admin\rbqak.exe
          "C:\Users\Admin\rbqak.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
      • C:\Users\Admin\ayhost.exe
        C:\Users\Admin\ayhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Users\Admin\ayhost.exe
          "C:\Users\Admin\ayhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2596
      • C:\Users\Admin\byhost.exe
        C:\Users\Admin\byhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Users\Admin\byhost.exe
          "C:\Users\Admin\byhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\explorer.exe
            0000003C*
            5⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1768
      • C:\Users\Admin\cyhost.exe
        C:\Users\Admin\cyhost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2228
        • C:\Users\Admin\cyhost.exe
          C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2300
      • C:\Users\Admin\dyhost.exe
        C:\Users\Admin\dyhost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2728
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1504
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Loads dropped DLL
    PID:2116
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    1⤵
    PID:1676
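Two patterns in the tree above are worth turning into detection logic. First, both the original sample and V6oUpCF0mC.exe launch `cmd.exe /c tasklist&&del <their own file name>`: `tasklist` burns a moment so the parent can exit and release its file lock before `del` runs, which is why the report tags the second instance "Deletes itself". Second, the sample, ayhost.exe and byhost.exe each start a second copy of their own image, and the parent carries the SetThreadContext/WriteProcessMemory signatures, the combination normally seen when a child is hollowed. The following Python is an added example, not the sandbox's own code; the event list is constructed from the PIDs, images and command lines above, with parent PID 0 standing in for the root process whose parent the report does not show.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

JAFFA = r"C:\Users\Admin\AppData\Local\Temp\eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TASKLIST = r"C:\Windows\SysWOW64\tasklist.exe"

# Constructed from the process tree in the report above (ppid 0 = parent not shown).
EVENTS = [
    Proc(1488, 0, JAFFA, f'"{JAFFA}"'),
    Proc(2912, 1488, JAFFA, f'"{JAFFA}"'),
    Proc(1712, 2912, r"C:\Users\Admin\V6oUpCF0mC.exe", r"C:\Users\Admin\V6oUpCF0mC.exe"),
    Proc(2800, 1712, r"C:\Users\Admin\rbqak.exe", r'"C:\Users\Admin\rbqak.exe"'),
    Proc(2664, 1712, CMD, r'"C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe'),
    Proc(2844, 2664, TASKLIST, "tasklist"),
    Proc(2584, 2912, r"C:\Users\Admin\ayhost.exe", r"C:\Users\Admin\ayhost.exe"),
    Proc(2596, 2584, r"C:\Users\Admin\ayhost.exe", r'"C:\Users\Admin\ayhost.exe"'),
    Proc(2728, 2912, CMD,
         r'"C:\Windows\System32\cmd.exe" /c tasklist&&del eeb69150b3638eaccfcb813a73e1d96a_JaffaCakes118.exe'),
    Proc(1504, 2728, TASKLIST, "tasklist"),
]

# 'tasklist&&del X', tolerating del switches such as /f /q before the file name
SELF_DELETE = re.compile(r"tasklist\s*&&\s*del\s+(?:/\S+\s+)*(?P<target>[^\s&|]+)", re.I)
# an .exe sitting directly in a profile root, e.g. C:\Users\Admin\ayhost.exe
USER_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)


def find_self_deletes(events):
    """cmd.exe running 'tasklist&&del X' where X is the image of one of its ancestors."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        m = SELF_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").strip('"').lower()
        anc = by_pid.get(p.ppid)
        while anc is not None:                       # walk up until the image matches
            if anc.image.lower().endswith("\\" + target):
                hits.append({"cmd_pid": p.pid, "victim_pid": anc.pid, "deleted": anc.image})
                break
            anc = by_pid.get(anc.ppid)
    return hits


def find_self_spawns(events):
    """A process starting a second instance of its own image (hollowing prelude)."""
    by_pid = {p.pid: p for p in events}
    return [(p.ppid, p.pid, p.image) for p in events
            if p.ppid in by_pid and by_pid[p.ppid].image.lower() == p.image.lower()]


def find_user_root_exes(events):
    """Executables run from the profile root rather than a program directory."""
    return sorted({p.image for p in events if USER_ROOT_EXE.match(p.image)})


if __name__ == "__main__":
    for hit in find_self_deletes(EVENTS):
        print("self-delete:", hit)
    for ppid, pid, image in find_self_spawns(EVENTS):
        print(f"self-spawn: {ppid} -> {pid} {image}")
    print("profile-root executables:", find_user_root_exes(EVENTS))
```

On real telemetry (Sysmon event 1 or an EDR process-creation feed) the same three functions apply unchanged as long as each record carries pid, parent pid, image path and command line; the ancestor walk in `find_self_deletes` matters because the deleting `cmd.exe` is sometimes a grandchild rather than a direct child of the file being removed.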

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\7F8A.22D

      Filesize

      600B

      MD5

      518f4ad23760f768b5d296fd1bb735dc

      SHA1

      068f8c0f083da374cfc3b574271dd73c41ecfdf6

      SHA256

      01f642997ff42a562edb589bb21702e5251be74c78797a913ccc0f0dc993f8bb

      SHA512

      a82afdce3fe311564752ab14f1ff412ea3f6c5d479b8301b629f39927e6a6627536d283832d12f92400ee9d84c42a84ff23fc91f0e042268eec36c434137a5fd

    • C:\Users\Admin\AppData\Roaming\7F8A.22D

      Filesize

      996B

      MD5

      672666ab2d2929853b204ccf02f3eb66

      SHA1

      7b00de31bd181c8e85d05d4fb238ade350da9073

      SHA256

      281993d9a987acb5dab321a9e2a66965da01dbea5f249486378b11386aad1ac6

      SHA512

      3199a753537ac368251535b3ef8b75947cf286c061cf691dab74c0f55ae62f4e38d596e7185ff30dd91d6d8566a40f12870bce00b0eac2bbee3dfa7a310c6f74

    • C:\Users\Admin\AppData\Roaming\7F8A.22D

      Filesize

      1KB

      MD5

      5bd0cd0d1caec0dada6e2749363770b3

      SHA1

      8bca73d2c185c6bb90f93b32ccd342d4928d7bef

      SHA256

      2c6b1f95c38d2dad742fa5148684f3df942edee952d7084ae28da3b674cc2721

      SHA512

      3da9aa20213e9a8ddecdbcfee5efb5a15a2940ceff52af23ace3bc711c030aea0c5ab3264b863fdae830f31520a923d63bd388e903ceb084e24869c615fecd78

    • C:\Windows\system32\consrv.DLL

      Filesize

      53KB

      MD5

      68689b2e7472e2cfb3f39da8a59505d9

      SHA1

      5be15784ab1193dc13ac24ec1efcabded5fe2df4

      SHA256

      f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

      SHA512

      269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

    • \Users\Admin\V6oUpCF0mC.exe

      Filesize

      332KB

      MD5

      b96dc0230580570446ab648e20a7e3b3

      SHA1

      27483df87ef7093d51062fb2d2fc9944f94c23fb

      SHA256

      2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

      SHA512

      b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

    • \Users\Admin\ayhost.exe

      Filesize

      68KB

      MD5

      2c7c2d4e9c03a1818621def0e1281a81

      SHA1

      c92b29a7f6e9998c7a86b9b57cff15f28647a127

      SHA256

      9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

      SHA512

      431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

    • \Users\Admin\byhost.exe

      Filesize

      136KB

      MD5

      1d0f81b6e185ec95e716d2a0b2ba69a1

      SHA1

      09399ffa69ae8bfd9794104bc4b7b4f481980e3a

      SHA256

      abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

      SHA512

      6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

    • \Users\Admin\cyhost.exe

      Filesize

      168KB

      MD5

      234bf3937f8fe09351acc53c059b40d2

      SHA1

      256f162b65eacc7a1fee35722fbfdbd55bba93c7

      SHA256

      86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

      SHA512

      6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

    • \Users\Admin\dyhost.exe

      Filesize

      24KB

      MD5

      9814ec05c8857737f599ba75b1610fb1

      SHA1

      aa9d9b016c2feda03cf6ad1bbca332070eb9b295

      SHA256

      a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

      SHA512

      c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

    • \Users\Admin\rbqak.exe

      Filesize

      332KB

      MD5

      7dfae1f740f5c0d57653dc493f16b7fd

      SHA1

      08494781b798dfe068b1fdbdfcc1d63c8510ecb6

      SHA256

      e08744b627c4dc4e05a300c9317e317421a16f5b775f4b0615aed272b0bf35ea

      SHA512

      6a6799910101adbbf34e7b0a9c46df8ba09444ff3ed64af8fee1272b96c0ed5cf1c9dba8979a40306705661ef163b170df83c694ab40131f1ff36211c018b67e

    • \Windows\assembly\GAC_32\Desktop.ini

      Filesize

      4KB

      MD5

      ff7d5ec20bf73c02317e7a740fffe018

      SHA1

      365ac8cfe5b939854cc1c341caf051bcc45f9372

      SHA256

      1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

      SHA512

      30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

    • \Windows\assembly\GAC_64\Desktop.ini

      Filesize

      5KB

      MD5

      3e7a118b119428247edfc5d5ef3761bc

      SHA1

      140e4cb00107678160411f016c4c17611580a209

      SHA256

      97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5

      SHA512

      b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

    • memory/332-121-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

      Filesize

      72KB

    • memory/1768-108-0x0000000000130000-0x0000000000149000-memory.dmp

      Filesize

      100KB

    • memory/1768-103-0x0000000000130000-0x0000000000149000-memory.dmp

      Filesize

      100KB

    • memory/1768-98-0x0000000000130000-0x0000000000149000-memory.dmp

      Filesize

      100KB

    • memory/2228-139-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2300-216-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2596-53-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-58-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-69-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-61-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-66-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-63-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-59-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-70-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2596-55-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2760-87-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2760-95-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2760-85-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2760-89-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2760-92-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2760-83-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2760-81-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2772-214-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2912-14-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-11-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-141-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-12-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-2-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2912-9-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-6-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-4-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

    • memory/2912-347-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB
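The Downloads list above is the report's inventory of dropped files and memory dumps, and three things in it deserve a second look: the same C:\Users\Admin\AppData\Roaming\7F8A.22D path is captured three times with different hashes and growing sizes (a file the malware keeps rewriting), consrv.DLL lands in system32 and two Desktop.ini files land under \Windows\assembly, and each memory dump name encodes the PID and the address range that was dumped. The parser below, written for the section's own layout, is an added example and not tooling from the sandbox; the embedded sample is a copy of six entries from this page trimmed to Filesize and SHA256, with the blank spacer lines removed (the parser skips blanks and accepts any of the five hash keys the report uses).

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the Downloads list above, trimmed to
# Filesize/SHA256.  Blank lines between fields, as on the page, are ignored.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\7F8A.22D
  Filesize
  600B
  SHA256
  01f642997ff42a562edb589bb21702e5251be74c78797a913ccc0f0dc993f8bb
• C:\Users\Admin\AppData\Roaming\7F8A.22D
  Filesize
  996B
  SHA256
  281993d9a987acb5dab321a9e2a66965da01dbea5f249486378b11386aad1ac6
• C:\Users\Admin\AppData\Roaming\7F8A.22D
  Filesize
  1KB
  SHA256
  2c6b1f95c38d2dad742fa5148684f3df942edee952d7084ae28da3b674cc2721
• C:\Windows\system32\consrv.DLL
  Filesize
  53KB
  SHA256
  f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168
• \Windows\assembly\GAC_32\Desktop.ini
  Filesize
  4KB
  SHA256
  1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a
• memory/332-121-0x0000000000EB0000-0x0000000000EC2000-memory.dmp
  Filesize
  72KB
"""

KEYS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\assembly\\")


def parse_downloads(text):
    """A bullet line starts a record; each key line is followed by its value line."""
    records, cur, key = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("• "):
            cur, key = {"path": line[2:]}, None
            records.append(cur)
        elif line in KEYS:
            key = line
        elif cur is not None and key is not None:
            cur[key] = line
            key = None
    return records


def size_bytes(text):
    """'600B' -> 600, '72KB' -> 73728 (the report rounds to whole units)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)]


def rewritten_paths(records):
    """Same path captured with more than one distinct SHA256: a file that keeps changing."""
    seen = defaultdict(list)
    for r in records:
        if "SHA256" in r:
            seen[r["path"]].append(r["SHA256"])
    return {p: h for p, h in seen.items() if len(set(h)) > 1}


def system_drops(records):
    """Files written under Windows system directories, which normally needs admin rights."""
    return [r["path"] for r in records if any(d in r["path"].lower() for d in SYSTEM_DIRS)]


def memory_regions(records):
    """(pid, start, end) for each dumped region; end - start should equal its Filesize."""
    out = []
    for r in records:
        m = MEM_RE.match(r["path"])
        if m:
            out.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return out


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    print("rewritten:", rewritten_paths(recs))
    print("system drops:", system_drops(recs))
    print("memory regions:", memory_regions(recs))
```

Feeding the full section through `parse_downloads` gives the same records the page lists, and `size_bytes` on the memory entries lets you cross-check that each dump's size matches its address range, which is a quick way to spot a truncated dump before loading it into a disassembler.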