Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 17:43

General

  • Target

    028a372b6824baeda7c68457ed544458_JaffaCakes118.exe

  • Size

    132KB

  • MD5

    028a372b6824baeda7c68457ed544458

  • SHA1

    c62f0b1274c4d85df1663f7a18b3ffc5138d86ed

  • SHA256

    95cc38f9960a3cff8ec30454cbeedae1cbefa8ea808fbc8b312335f2b3d5c2f7

  • SHA512

    1365ebc6daa00fcfa484dafe002b6d4562fd6d451d66cdbb4123d0bbe460f8b65d325ef7b93eef619d4e322ec95fe38657b71375b0a1b21186d5a33a8f423c71

  • SSDEEP

    1536:bHFjwOqUuflO+6peVdM/d2yv6n0APB8qFE0OSqHW2PYoPPrCLaC46lxIDCwMZOD7:ryOqxY+6pejzNB8A4xAo784KmMMDLH

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\028a372b6824baeda7c68457ed544458_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\028a372b6824baeda7c68457ed544458_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Local\Temp\028a372b6824baeda7c68457ed544458_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\028a372b6824baeda7c68457ed544458_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VHFJE.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "indiagamcaaa" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1952
      • C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe
        "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe
          "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2936
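
The tree above shows the pattern worth detecting as a whole rather than per event: the sample spawns a second copy of itself (the SetThreadContext/WriteProcessMemory activity points at the child being used as an injection target), the child runs a .bat from Temp that writes an HKCU Run key via reg.exe, and the Run key's data is a freshly dropped copy under AppData\Roaming that is then executed. The following is an added example, not part of the sandbox report: the events are constructed from the Processes section in a Sysmon-like shape (pid, ppid, image, command line), the Event class and field names are my own, and the parent PID 1000 of the root process is assumed because the report does not show the launcher. The triage function returns findings rather than printing them so they can be checked.

```python
"""Triage of a sandbox process tree for the behaviours listed in the report above.

Added example (not part of the report). Events are constructed from the
Processes section; the Event shape and the root ppid (1000) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\028a372b6824baeda7c68457ed544458_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"

# Constructed from the Processes section (PIDs and command lines as shown there).
EVENTS = [
    Event(1600, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is assumed; the launcher is not in the report
    Event(340, 1600, SAMPLE, f'"{SAMPLE}"'),
    Event(2420, 340, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\VHFJE.bat" "'),
    Event(1952, 2420, r"C:\Windows\SysWOW64\reg.exe",
          r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "indiagamcaaa" '
          r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe" /f'),
    Event(2024, 340, DROPPED, f'"{DROPPED}"'),
    Event(2936, 2024, DROPPED, f'"{DROPPED}"'),
]

# Windows-style tokenizer: a double-quoted run is one token, otherwise split on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Autostart keys under any hive (HKCU/HKLM/HKU\...): ...\CurrentVersion\Run or RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(?:\\|$)", re.I)
# A script file located under Temp or AppData, referenced anywhere in a command line.
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\\(?:Temp|AppData)\\[^"]*?\.(?:bat|cmd|vbs|js|ps1))', re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)


def tokenize(cmdline):
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_run_key_add(cmdline):
    """Return (key, value_name, data) when cmdline is a REG ADD into a Run/RunOnce key, else None."""
    tok = tokenize(cmdline)
    if len(tok) < 3:
        return None
    exe = tok[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or tok[1].lower() != "add":
        return None
    key = tok[2]
    if not RUN_KEY_RE.search(key):
        return None
    opts = {}
    i = 3
    while i < len(tok):
        if tok[i].lower() in ("/v", "/d", "/t") and i + 1 < len(tok):
            opts[tok[i].lower()] = tok[i + 1]
            i += 2
        else:
            i += 1  # flags without an operand, e.g. /f or /ve
    return key, opts.get("/v", "(Default)"), opts.get("/d", "")


def triage(events):
    """Return (kind, pid, detail) findings for the behaviours the report flags."""
    by_pid = {e.pid: e for e in events}
    executed = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # A process spawning its own image is the usual shape of self-injection / hollowing.
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append(("self_spawn", e.pid, e.image))
        if e.image.lower().endswith(".exe") and USER_WRITABLE_RE.search(e.image):
            findings.append(("exec_from_user_writable", e.pid, e.image))
        if e.image.lower().endswith("\\cmd.exe"):
            m = SCRIPT_RE.search(e.cmdline)
            if m:
                findings.append(("script_from_user_writable", e.pid, m.group(1)))
        hit = parse_run_key_add(e.cmdline)
        if hit:
            key, name, data = hit
            findings.append(("run_key_persistence", e.pid, f"{key}\\{name} -> {data}"))
            # Strongest signal: the persisted path is a binary that actually ran in this tree.
            if data.strip('"').lower() in executed:
                findings.append(("persistence_target_executed", e.pid, data))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print(f"{kind:28} pid={pid:<5} {detail}")
```

The self-spawn and persistence-target checks are the two that separate this tree from benign software: plenty of installers write Run keys, but few launch a second instance of their own image and point the Run key at a renamed copy of themselves under AppData\Roaming. The checks are deliberately independent of the sample's names so the same function runs over any process list in this shape.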

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VHFJE.bat

    Filesize

    158B

    MD5

    033ff48e13742ca54269e0846484b830

    SHA1

    082ce1eed215dda59ea75a8227f8cd0e1b15d36f

    SHA256

    597efbff7588882d8866604df4e7a4f715418a7d9bae4736029412fda3bfa455

    SHA512

    8727692731b3788a5f8a5b5d4e79f009a8953d9a236f66e4cdc963c82c9aff3b6e833a491f78f88d55d8bad4d46f5d81e279974600ddbe5ea2c42003f043adda

  • \Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe

    Filesize

    132KB

    MD5

    da0b064c5f92b5ce403342a8d01ce37e

    SHA1

    1c680426a06fc5123c6c818b892ae30639c95507

    SHA256

    369c0947acb54ba7e1f48e72538fce0c5a8b9c312351975bc1a23ebca3c24bbe

    SHA512

    a002d3ad8c9cbe6f86751ee271e557266397f7af5b9d2f07637bc1e38bda12846f9b3fbe85a0c8f3af8fa20104196f9485c1f05fb0c5e8d8b21d13f5388e73f7

  • memory/340-197-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/340-453-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1600-2-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1600-20-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/1600-10-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/1600-8-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/1600-64-0x0000000002580000-0x0000000002581000-memory.dmp

    Filesize

    4KB

  • memory/2936-457-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2936-459-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB