Overview

overview

7

Static

static

3

fdf5cf61ae...18.exe

windows7-x64

7

fdf5cf61ae...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    90s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 06:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fdf5cf61ae16a8491d38de55ecc19fc0_JaffaCakes118.exe

  • Size

    214KB

  • MD5

    fdf5cf61ae16a8491d38de55ecc19fc0

  • SHA1

    e3388050515d51b41616297fc5bb213f0658ccc5

  • SHA256

    fdbb53bea57607a065cca4eeb7b55f8678e5b21600497492ec67d0fc7926d985

  • SHA512

    38f2c18f696be69f08331e4aa507108528be4d0232586e919910c3cc80654ba926c1f24903258764cb1b6f6fdcc5d661245e9482fce043139e36a8481a10749d

  • SSDEEP

    3072:6/uSnUuEgbB3cTlji/6/nZ0f/2GS1c5mk16bzpqZsK8Lm6Zp:CbB3j/6y3xJ8k1kzmsK8L9Zp

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops autorun.inf file 1 TTPs 48 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdf5cf61ae16a8491d38de55ecc19fc0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fdf5cf61ae16a8491d38de55ecc19fc0_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4884
      • \??\c:\shell.exe
        c:\shell.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 296
          4⤵
          • Program crash
          PID:2324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2552 -ip 2552
    1⤵
      PID:4952

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\HelpMe.exe
            Filesize

            90KB

            MD5

            12412614862087bf9a7920eb7b0ba4bb

            SHA1

            beadbeb477126ff284eb3b5b2d5d9e2e61e20eda

            SHA256

            1a22cec2c0eb5b0ee14a499ecc0862f44e0b2fa9f3d9caddd1f51344c6310525

            SHA512

            35828cb0731f1277063a2dfa663a12807c301c0fef6aa3c0c6b61b71800c4f71e6356640f1adcebce842965d5139181450d7eddc19d6f284fe7c1bd4e4b560d5

            Download Submit

          • C:\shell.exe
            Filesize

            8KB

            MD5

            49e4ae66e3d8431281d63042eb2ba526

            SHA1

            52332e5af72945f86864c3035337288164d83c4d

            SHA256

            99741cb43cd7404aa00e59e0bad91c2da27d52fb91880a92604e075b71e39985

            SHA512

            5dc759bbf947de53cac80741725f1be2c127d6c9edcf0ad928f15c2b98417898550af23034447824bacb96ceb4fe672cebf0cfe5e70ef10371ddae2bf93f021e

            Download Submit

          • memory/2552-28-0x0000000000400000-0x0000000000402000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4884-8-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4884-29-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download