Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/09/2024, 23:21 UTC

General

  • Target

    fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe

  • Size

    4.5MB

  • MD5

    fd58ad7cc72e9286a618f127fa241946

  • SHA1

    ed076b20442a1902d5aef9b3d9a92366a8001227

  • SHA256

    46c6d88a45847cfe6c228d3f424e5bd9fafcd86cf22bb57026abfbe0c6d607bb

  • SHA512

    2ee4262a6c5416b6615df415e3c8b0564184732e70caf16e0914fd473ea447941ce835fa5def35f190874dcb01bee8883ad880a3998a2390db66e10c268e7711

  • SSDEEP

    98304:cN3Ofojo4j4QrWEvgeL2KIw5x7hCZKKTLUf:c1OfAsSWNe1I5ZtTLUf

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd58ad7cc72e9286a618f127fa241946_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2020
    • C:\ProgramData\UOGvxUCxGplRd.exe
      C:\ProgramData\UOGvxUCxGplRd.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\*.* " /s /d
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2096
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1732
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\*.* " /s /d
        3⤵
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2912

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Program Files\Google\Chrome\Application\chrome.exe

    Filesize

    2.8MB

    MD5

    095092f4e746810c5829038d48afd55a

    SHA1

    246eb3d41194dddc826049bbafeb6fc522ec044a

    SHA256

    2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

    SHA512

    7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

  • \ProgramData\UOGvxUCxGplRd.exe

    Filesize

    4.5MB

    MD5

    fd58ad7cc72e9286a618f127fa241946

    SHA1

    ed076b20442a1902d5aef9b3d9a92366a8001227

    SHA256

    46c6d88a45847cfe6c228d3f424e5bd9fafcd86cf22bb57026abfbe0c6d607bb

    SHA512

    2ee4262a6c5416b6615df415e3c8b0564184732e70caf16e0914fd473ea447941ce835fa5def35f190874dcb01bee8883ad880a3998a2390db66e10c268e7711

  • memory/2020-0-0x0000000000490000-0x00000000004F4000-memory.dmp

    Filesize

    400KB

  • memory/2020-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2020-2-0x0000000000476000-0x0000000000477000-memory.dmp

    Filesize

    4KB

  • memory/2020-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2020-14-0x0000000000490000-0x00000000004F4000-memory.dmp

    Filesize

    400KB

  • memory/2020-13-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2260-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2260-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB
