Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 12:31

General

  • Target

    135eb3d6a24ae21ab77b853ec81e2478_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    135eb3d6a24ae21ab77b853ec81e2478

  • SHA1

    317e7d9c46e4c2adf53bee6ea70338dd9c0eba6b

  • SHA256

    572ef34af7cfb4b7c89fece60a7a69c94baa041dce64995c838724c2538cdeca

  • SHA512

    88d07cd37d28c5096a9a5e9c428efe67d6b2f10365da86bd7f8ddd585e878e9ff25ed263afeb6012a4a5ddd5be36b1a76a2a67b7eec836634e34fd2df1969573

  • SSDEEP

    49152:VkjzvtGW9pBlW6QnGubnkxTDpaO91swCI9CKmGobmGox:VkH1GWHBk6QGuTkxTtX91sI9CKAe

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\135eb3d6a24ae21ab77b853ec81e2478_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\135eb3d6a24ae21ab77b853ec81e2478_JaffaCakes118.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:320
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k sougou
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Ljhk\Fbdjvyakb.dll
    Filesize: 1.5MB
    MD5: 687a36f1d36c64fb7f13a8bf8bc6a334
    SHA1: 8ee85fb6fd9cdee131b43e6dd9692c2f3fec997b
    SHA256: ca3b162bb91ac7a440c1caa42d7764b140cfbe7e5af221288460c7f1da99f147
    SHA512: 085c012d89b091b6babaa09ea78813677dd3357dd04363774312043a884b6661d0691fe8c4a2442a1b521208854082abbce1a9634df4f6605f5472c10ebf8f72

  • C:\windows\xinstall445500.dll
    Filesize: 210KB
    MD5: 83e04167e4dad43c3bfe965c96684b1c
    SHA1: e504474608e15f1b1d29cb4f1717baca91072e64
    SHA256: 8eb4f4b3cef6fe7efa591e3da9bda6fcfd1ef5d105f2b46af1fa3bd98f49e967
    SHA512: 6e54c2276290fb41f89d1a5f895613a7cefd5526d6547b2c956ab9782c38eccd428c73c96e3de81d0d7acb0db00bc9858a7b96cd22f3ca33995932146877e529

  • \??\c:\Win_lj.ini
    Filesize: 114B
    MD5: 4f9d2b525b77c26305a713f7fabeab21
    SHA1: 01b24c8490a50d9251abbf5ee47db3e4a51a0cf1
    SHA256: 0ee716c03a352007593e1b88cbcac8c5d3dd64e5c087e41d7686e78da7aa8778
    SHA512: 9c91df22713350091fe647bc65c774ef5dc43b9b6a176d274a9e0a66b68b9a0023ee61aaead621caf9c359cbac3689dfe3577010f1496e3f13c7c6dcac316d68

  • \??\c:\program files (x86)\ljhk\fbdjvyakb.dll
    Filesize: 7.0MB
    MD5: 72569caf4691f49c6c60185b4b7d4276
    SHA1: cc672ac63463fb4b1f2cf5b0d5968f491915e2e0
    SHA256: 3b0ecb46b23ee7b6cb7f416be89455ae7e3c02d1e577bb24900aff30fc82edd5
    SHA512: 7ba2bd893dad26b24a51fea5f1fe6d003849bbb71e78e26240ec789a0a82774a7c4cbd615adebfeae084f9ca83e38f07d84757a3e27af6626f729bd9d33907e0

  • memory/320-12-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize: 220KB

  • memory/320-19-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize: 4KB

  • memory/320-8-0x0000000000400000-0x00000000007A0000-memory.dmp
    Filesize: 3.6MB

  • memory/320-10-0x0000000000400000-0x00000000007A0000-memory.dmp
    Filesize: 3.6MB

  • memory/320-0-0x0000000000400000-0x00000000007A0000-memory.dmp
    Filesize: 3.6MB

  • memory/320-4-0x0000000004450000-0x0000000004452000-memory.dmp
    Filesize: 8KB

  • memory/320-3-0x0000000077310000-0x0000000077312000-memory.dmp
    Filesize: 8KB

  • memory/320-5-0x0000000000401000-0x0000000000406000-memory.dmp
    Filesize: 20KB

  • memory/320-21-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize: 220KB

  • memory/320-20-0x0000000000400000-0x00000000007A0000-memory.dmp
    Filesize: 3.6MB

  • memory/320-22-0x0000000000401000-0x0000000000406000-memory.dmp
    Filesize: 20KB

  • memory/320-2-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize: 4KB

  • memory/320-1-0x00000000020E0000-0x00000000021F7000-memory.dmp
    Filesize: 1.1MB

  • memory/2392-24-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize: 220KB

  • memory/2392-27-0x0000000010000000-0x0000000010037000-memory.dmp
    Filesize: 220KB