Overview

overview

10

Static

static

3

eeefe3b965...18.exe

windows7-x64

10

eeefe3b965...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeefe3b9656746910979793242de3d78_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    eeefe3b9656746910979793242de3d78

  • SHA1

    cfa7f86f0040673390d22f6cdc472b0e68cdacb3

  • SHA256

    294eddc5f6c3221e033a74b33877a95d1365e7fb2fb02f42dcd5916f96e4d835

  • SHA512

    1c17f9feca015db32a369849df76c9ba3c6e5590393d5c9e055bd5585fa80568b26ab0f27ff48aa574bc7e915a665d85c6a99c9ce30ba4095b5728279285454d

  • SSDEEP

    12288:6iEPVIq0TcwMi7tBNMLpJVeVvsZWILqY02JwwA1x33GwTuIj+w:6iRq0TcwvypSVvsfLNzJwwAkX

Score
10/10
discoveryevasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeefe3b9656746910979793242de3d78_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eeefe3b9656746910979793242de3d78_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Users\Admin\Za0Fr02eH4.exe
      C:\Users\Admin\Za0Fr02eH4.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Users\Admin\puinaow.exe
        "C:\Users\Admin\puinaow.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del Za0Fr02eH4.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3136
    • C:\Users\Admin\2eaz.exe
      C:\Users\Admin\2eaz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        PID:5016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 80
          4⤵
          • Program crash
          PID:4600
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1448
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3556
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3460
      • C:\Users\Admin\2eaz.exe
        "C:\Users\Admin\2eaz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2996
    • C:\Users\Admin\3eaz.exe
      C:\Users\Admin\3eaz.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Local\5f231aed\X
        *0*bc*6b23386d*31.193.3.240:53
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          • Modifies registry class
          PID:4848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del eeefe3b9656746910979793242de3d78_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3992
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5016 -ip 5016
    1⤵
      PID:3856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2eaz.exe
      Filesize

      184KB

      MD5

      b5e4ef8f155546bb96b2725ec36f8dd9

      SHA1

      7e1301b8759c39f37993c7145d233f9fd45fa1c9

      SHA256

      c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

      SHA512

      b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

      Download Submit

    • C:\Users\Admin\3eaz.exe
      Filesize

      254KB

      MD5

      0c0be014832905bc4bb981a03f279d6e

      SHA1

      16e8d3cf157ed3afb5041df2bbe97f4422c5a1dc

      SHA256

      13b0b4e5adf34babefd24eb5886a2b9a5d0d2e6cce61a77c2cbd501e22d36f48

      SHA512

      1be55754d1ab77f9ef9c588599428f5754a6cc349471e5f63ca98a5a5d54e40210616937e9f53abe4912b5aa637620b85cb0665e3b60661fd1ca046f7da65060

      Download Submit

    • C:\Users\Admin\AppData\Local\5f231aed\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit

    • C:\Users\Admin\Za0Fr02eH4.exe
      Filesize

      212KB

      MD5

      c613e1456c877e1487154fbafe1a298e

      SHA1

      af8c9d76cfb43659ced915b12bba47d0bba11ba0

      SHA256

      b21afd7848d64eadace47bc6f278f4ec2f89b8a42d9be9f55123b0e2de7320f9

      SHA512

      a675e9cd0f4ad741ddaacc15b4a119ab862009b1c62a97ac43a760c6ca5c2ea10e8f00928cd89489759aeea3f91a505b842536a5c221bb6a7b2ecf9a33fc3663

      Download Submit

    • C:\Users\Admin\puinaow.exe
      Filesize

      212KB

      MD5

      e1659e37ad4496dac60a13996d81dff4

      SHA1

      fb95477af8ddfd39ce088e8bd908e0936b48dd71

      SHA256

      84fcde2bb6c4a48a856cdbf8fdb2c2245c616bd492595e558962dff7fc5cc628

      SHA512

      b278674eecc7242a2a8c1661c210d8979c3d7734d39924fe0019db10563ff5f9ad2b57839282601efcfca3583b77db5fdde4bc89ead15f6f1e358118adcbb3a4

      Download Submit

    • memory/1448-48-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1448-85-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1448-51-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1448-52-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2008-84-0x0000000030670000-0x00000000306C6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2996-68-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2996-65-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2996-72-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2996-69-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3460-57-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3460-61-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3460-62-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3460-87-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3556-55-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3556-60-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3556-56-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3556-53-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/3556-86-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download