Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2024 07:05

General

  • Target

    0e80b0bee69ae7943282e5f3989b9175_JaffaCakes118.exe

  • Size

    95KB

  • MD5

    0e80b0bee69ae7943282e5f3989b9175

  • SHA1

    23da5ada2910d9a8f477163617c2c73012cb56b6

  • SHA256

    c77cb5c5b68c9dd543c0939a7677aa68316215a07f53ee46887f77722364b196

  • SHA512

    a6d51cf7f632f3af5ebd4493e5f9b8188a18f728bc45e475d26a638775fafabd9c398c42950bd94f46f36d0a9bb41b2d3efd944c27e8f3aa7ff2816855327c29

  • SSDEEP

    1536:giALOEJuUuTdsiuGP0Lv78qUPIPWSxcM9+meQwTttEf5vLvkV+0jA+KRKugBA8Iq:rALOE6Td3u6E7RITSKM9+GwTvEhvLvKn

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e80b0bee69ae7943282e5f3989b9175_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e80b0bee69ae7943282e5f3989b9175_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\fqswlye.dll,yxlfvib
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\fqswlye.dll

    Filesize

    58KB

    MD5

    7026cc7e18c74445861da75bef61c9e8

    SHA1

    08e06719c76dd3691e5f6c3a0e740d21fa5ed42c

    SHA256

    87257500e6d36bb25f5a6f56d19fabc5e67e82eedcc85120cb516a255e12602f

    SHA512

    5484c82a5baddef413648d762618ff623957393f5f96e88844c7ed7c4127223a9f20763112f021313886c4cdfed2ce84a96e0656f4c0be9306b1eeee6bb409ef

  • C:\Windows\SysWOW64\xxdohdc.dll

    Filesize

    70KB

    MD5

    fcdfe2453ddb9f6fe1d4544abe6439e3

    SHA1

    a02740c2bfc824f7059ff7a05139e5a93c94a079

    SHA256

    fca0c4f5f7912876efc311be1e78bafc617dc807aa84d47498609772fb31ea76

    SHA512

    0994aa16ab9eaf7b15888df3a8b38f23085f33bfb384451873a345966d5c7a5c50c43be628533adff3b978e132fe632024b1ef9504951e7f9a8517d19c7f379c

  • memory/2920-0-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

  • memory/2920-6-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

  • memory/2920-12-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

  • memory/2920-15-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

  • memory/2920-18-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

  • memory/2920-20-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

  • memory/4788-9-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

  • memory/4788-11-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB