Overview

overview

7

Static

static

5

fe850b9cb6...18.exe

windows7-x64

7

fe850b9cb6...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    100s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe

  • Size

    506KB

  • MD5

    fe850b9cb64952e4ef425c2483f6e1e5

  • SHA1

    859d625c454b1d706d45eff9b710032f4738b3cf

  • SHA256

    89aa030be1bc8c352c1e639992143bf0f0b0471344dd24fa4a0c24d46971f996

  • SHA512

    5d9e401b244ba9cc8bcdebe40595b5fbba7ea0cd57039209dae0c120b087d9abefb9ea82db06b278e817e845f8f29a8234c5bcd451f734fdffac5901481d5e7f

  • SSDEEP

    6144:jaUhMk70XLC1t9N9/W76hVj+VD3hbcd5SVtY/nWMSqKMXGY/uqp:jqkeLCP9NyEma3l4fM

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Windows\Rpikea.exe
      C:\Windows\Rpikea.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      PID:3356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 904
        3⤵
        • Program crash
        PID:312120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3356 -ip 3356
    1⤵
      PID:312088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Rpikea.exe
      Filesize

      506KB

      MD5

      fe850b9cb64952e4ef425c2483f6e1e5

      SHA1

      859d625c454b1d706d45eff9b710032f4738b3cf

      SHA256

      89aa030be1bc8c352c1e639992143bf0f0b0471344dd24fa4a0c24d46971f996

      SHA512

      5d9e401b244ba9cc8bcdebe40595b5fbba7ea0cd57039209dae0c120b087d9abefb9ea82db06b278e817e845f8f29a8234c5bcd451f734fdffac5901481d5e7f

      Download Submit

    • C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
      Filesize

      390B

      MD5

      802777cb21d8b3d8759f849c4752ec1f

      SHA1

      034a3550fa81ea7770c9f24f17396315a9f34b74

      SHA256

      b851912b37b50aa696475c02f57eb9a80d15e8ad1854d35d808983d13200cd8f

      SHA512

      1dc04f7caf8ae582c403c7163299291884b383d0a7757abd751eff539b0b065f13781c3d29daa7aa3262cb2e510613bff303a4205b8ec77a7bce6de1fe4f2253

      Download Submit

    • memory/3356-136942-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3356-136938-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3356-136936-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3356-22-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3356-18-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3356-14-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3688-6-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3688-0-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3688-4726-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3688-8192-0x0000000000401000-0x0000000000402000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3688-16737-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3688-3-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3688-136937-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3688-2-0x00000000004F0000-0x00000000004F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3688-1-0x0000000000401000-0x0000000000402000-memory.dmp

      Filesize

      4KB

      Download