Overview

overview

7

Static

static

3

fdf5cf61ae...18.exe

windows7-x64

7

fdf5cf61ae...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdf5cf61ae16a8491d38de55ecc19fc0_JaffaCakes118.exe

  • Size

    214KB

  • MD5

    fdf5cf61ae16a8491d38de55ecc19fc0

  • SHA1

    e3388050515d51b41616297fc5bb213f0658ccc5

  • SHA256

    fdbb53bea57607a065cca4eeb7b55f8678e5b21600497492ec67d0fc7926d985

  • SHA512

    38f2c18f696be69f08331e4aa507108528be4d0232586e919910c3cc80654ba926c1f24903258764cb1b6f6fdcc5d661245e9482fce043139e36a8481a10749d

  • SSDEEP

    3072:6/uSnUuEgbB3cTlji/6/nZ0f/2GS1c5mk16bzpqZsK8Lm6Zp:CbB3j/6y3xJ8k1kzmsK8L9Zp

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops autorun.inf file 1 TTPs 48 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdf5cf61ae16a8491d38de55ecc19fc0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fdf5cf61ae16a8491d38de55ecc19fc0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2480
      • \??\c:\shell.exe
        c:\shell.exe
        3⤵
        • Executes dropped EXE
        PID:2676
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HelpMe.jpg
    Filesize

    54KB

    MD5

    1e1af29558a59327acb8f5e4fad07d5d

    SHA1

    e9000fb7730178b6639806b62ca7c4ab84358d1c

    SHA256

    c162411b2781c6758d849eee1723ae2fa48afebd596bbdf9e3880ce941b441e8

    SHA512

    4cf16258e353cac843ab840ffaaa6b28df08d022a1e862fb8369e55a1dda5975c7e39d5cc70901da3f478ca3a436e969fbcfd78f5eb8241bcc2da4ff37ad67cc

    Download Submit

  • C:\shell.exe
    Filesize

    8KB

    MD5

    49e4ae66e3d8431281d63042eb2ba526

    SHA1

    52332e5af72945f86864c3035337288164d83c4d

    SHA256

    99741cb43cd7404aa00e59e0bad91c2da27d52fb91880a92604e075b71e39985

    SHA512

    5dc759bbf947de53cac80741725f1be2c127d6c9edcf0ad928f15c2b98417898550af23034447824bacb96ceb4fe672cebf0cfe5e70ef10371ddae2bf93f021e

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    90KB

    MD5

    12412614862087bf9a7920eb7b0ba4bb

    SHA1

    beadbeb477126ff284eb3b5b2d5d9e2e61e20eda

    SHA256

    1a22cec2c0eb5b0ee14a499ecc0862f44e0b2fa9f3d9caddd1f51344c6310525

    SHA512

    35828cb0731f1277063a2dfa663a12807c301c0fef6aa3c0c6b61b71800c4f71e6356640f1adcebce842965d5139181450d7eddc19d6f284fe7c1bd4e4b560d5

    Download Submit

  • memory/2168-8-0x0000000000270000-0x000000000028F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2168-13-0x0000000000270000-0x000000000028F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2480-19-0x00000000007B0000-0x00000000007B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2480-40-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2760-20-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2760-27-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-42-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download