Overview

overview

7

Static

static

5

07aec88dbd...18.exe

windows7-x64

7

07aec88dbd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07aec88dbd6f50818f91f10b50b0d5c8_JaffaCakes118.exe

  • Size

    49KB

  • MD5

    07aec88dbd6f50818f91f10b50b0d5c8

  • SHA1

    5798c5a082dd9834e0ef5a689f1cfbcc2789b483

  • SHA256

    ee3d024268256495132ffac481e2d5bad2657a4dfe8cb0abb1f1536e769adf9e

  • SHA512

    2a7f160c755cc1b683254f8d40679695dab10f7cad1c2d68fd44d7b2b19a71f98894ef1cf0baa3cf14449b0d3db6a8360d05e0deacf805f59ae0277f4ec3662b

  • SSDEEP

    768:RBr8s7p2cyC54FnTCaJGctkuxPXv0+NKTXlVtyhx0K1/OcCIpw+6PBvPpAwlY:R2sVVKTkcDZKTX3t01CIX6ZvGwlY

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07aec88dbd6f50818f91f10b50b0d5c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07aec88dbd6f50818f91f10b50b0d5c8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\SysWOW64\taskdir.exe
      taskdir.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\taskdir.dll
    Filesize

    4KB

    MD5

    f3d0c43986004a77e4b3425ac7b780a5

    SHA1

    21ccfb692a61b78a422eccb6429153db18f81757

    SHA256

    2097bcb221365f0523b6ff64ec6965dc8e541b44291261374c0f92354c7b9e6c

    SHA512

    e5e2c03b9a3281af5df3ee80721ef6756b1ba6a39c90d164ce1bc5b5487dcb4f005675596a00f941d9917bc3ea57049a00d8c806bd52b02ad9e2db8d8b13bd7c

    Download Submit

  • C:\Windows\SysWOW64\taskdir.exe
    Filesize

    49KB

    MD5

    07aec88dbd6f50818f91f10b50b0d5c8

    SHA1

    5798c5a082dd9834e0ef5a689f1cfbcc2789b483

    SHA256

    ee3d024268256495132ffac481e2d5bad2657a4dfe8cb0abb1f1536e769adf9e

    SHA512

    2a7f160c755cc1b683254f8d40679695dab10f7cad1c2d68fd44d7b2b19a71f98894ef1cf0baa3cf14449b0d3db6a8360d05e0deacf805f59ae0277f4ec3662b

    Download Submit

  • C:\Windows\SysWOW64\zlbw.dll
    Filesize

    45KB

    MD5

    f42601d4ac18bb06d830b6f8e4500adf

    SHA1

    66ff00d72ed68fa417638b514610c7cf611ddb90

    SHA256

    2c54ec6433444a5173a38c75f46c8bec63f90c3ed6efea20beac76c67bc27c95

    SHA512

    8011e932f363fd5730a2cf27ca36a8b62e1c1e61d188bb08b6aad927e2b1a06f8b2ee1c26fff4863fa99d1675fc72d4159b331a3ae25acee0b18e3e41dcb741f

    Download Submit

  • memory/3420-14-0x0000000000500000-0x0000000000505000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3420-7-0x0000000000500000-0x0000000000505000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3420-5-0x0000000000500000-0x0000000000505000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3420-0-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/3420-13-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/3420-1-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/4152-20-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/4152-21-0x00000000005D0000-0x00000000005D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/4152-18-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/4152-22-0x00000000005D0000-0x00000000005D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/4152-23-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/4152-31-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download