Overview

overview

10

Static

static

5

120902d5c3...18.exe

windows7-x64

10

120902d5c3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 05:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    120902d5c338ec0b0455905ddcb44124_JaffaCakes118.exe

  • Size

    298KB

  • MD5

    120902d5c338ec0b0455905ddcb44124

  • SHA1

    71a54806200eb0e547e305bd9edaa51f2d05c2dd

  • SHA256

    a0f0a34fbf6aed8db005fa2821a4b91798e50ca6f406ab01cee346db98929558

  • SHA512

    6ac17f5f35a5263b837b664174eedebf55b25c82742ad611c68009f5fef4d412acd2cf00c03263d777e31d4ac3ee42bd3e811822ab51aa124154cd3293e6a4f8

  • SSDEEP

    6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIY5:v6Wq4aaE6KwyF5L0Y2D1PqLw

Score
10/10
discoveryevasionupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 18 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\120902d5c338ec0b0455905ddcb44124_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\120902d5c338ec0b0455905ddcb44124_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\svhost.exe
        C:\Windows\svhost.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1196

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Documents and Settings.exe
          Filesize

          298KB

          MD5

          598bbab590a2edc7141dfeaccef0eeab

          SHA1

          4d10e2b246a9df77ecd12dd233822386ee6eaa6a

          SHA256

          a7e1dbc268636c726541bf67e6f41e40099113f68168e42f3b3a909ab96a1ba8

          SHA512

          aa97ea967e335703e702f4242d260a8c8f3ad2a006bb462a345350f6f51abc700bf0b152069c4fbf10baeb33009944c34e66a536010f5d6162919483ea8c0447

          Download Submit

        • C:\Windows\Driver.db
          Filesize

          82B

          MD5

          c2d2dc50dca8a2bfdc8e2d59dfa5796d

          SHA1

          7a6150fc53244e28d1bcea437c0c9d276c41ccad

          SHA256

          b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

          SHA512

          6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

          Download Submit

        • C:\Windows\svhost.exe
          Filesize

          298KB

          MD5

          942cd65ba2b5985e32ffa0dae2ba5c1b

          SHA1

          6e8a12fed6f146f25905d63492888e842eecd33f

          SHA256

          19e54a9d3d6cd8bcf7aa7738c7dad8f467498ea55325a95786313c61182a2b17

          SHA512

          20daf5197e8589168c6e4fcf106d33347cd2f50886bab622e09447d68c097615183b618ac827f9c0a731f3da802adc4d7c89ec0625608d150d0fe3e2f3da1bce

          Download Submit

        • memory/1196-10226-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-5752-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-15959-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-14814-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-13669-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-1164-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-1163-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-12518-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-2311-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-3459-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-4605-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-11371-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-6901-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-7932-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1196-9077-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1992-0-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1992-1513-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1992-703-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/2360-7-0x0000000002EE0000-0x0000000002FA2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/2360-803-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/2360-5-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download