Overview

overview

7

Static

static

5

266df45768...18.exe

windows7-x64

7

266df45768...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2024, 22:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    266df457680dbb2703b81c68ae19769a_JaffaCakes118.exe

  • Size

    135KB

  • MD5

    266df457680dbb2703b81c68ae19769a

  • SHA1

    fc830bbe22a2cc47c4c9dd9519496d4fe9f6ca71

  • SHA256

    ca6c591318dbbd36b8c994df6e860ea608e6755c40a23c377fc5f2c6b0719656

  • SHA512

    fa3d0ab60d597b6c673fbde149df21498898e52ad9261504d9a7725627bb72f39f2f912cd6fc616238ab1aa191cf98f70f1fda1b5c8bde3bc2c0286de581d95f

  • SSDEEP

    3072:fYirQae1xlrVwqNAd8f7IpX+/GDCypO0Fy9:fXQaKxIqNAd8DIpX++uypO0FO

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 13 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\266df457680dbb2703b81c68ae19769a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\266df457680dbb2703b81c68ae19769a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\mmtask0.exe
      "C:\Users\Admin\AppData\Local\Temp\mmtask0.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\system32\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2544
    • C:\Users\Admin\AppData\Local\Temp\mmtask1.exe
      "C:\Users\Admin\AppData\Local\Temp\mmtask1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2668

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\mmtask0.exe
          Filesize

          43KB

          MD5

          8c013abdafa94cbe994f89e5cf4f305a

          SHA1

          8bf39c61ae43813f8d9a50127f227282415e23cc

          SHA256

          0f5dfbef0841983ba865c5e0b8d145b39d2001152416c800e916dc2d06da5960

          SHA512

          cc7735a34f014dd99ab7a7646b57478b9862d13ff7e97660e2f026793a2f3d9ca65e3ff07fc51d681d848cbf6a3c2bcd6aa9093399125fcdd7010073a7206c2f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\mmtask1.exe
          Filesize

          80KB

          MD5

          83dc2617f82f6066dace3bafea4c9471

          SHA1

          131aeb2e3b4b38a038ee046337ced57d91e714ce

          SHA256

          bfa542cca1fbadf9ec4b5a268302152b0cc9dededadb3f067001c725207d8821

          SHA512

          3ce9e0f8bc389dbf32caefa5dcf42afbd126cdd380563a7b63d3c11fa06c8a16bfc60046984dcac0d2bd4bdbc4d46d7b8bfcd383db273ac7adb858d7782cd487

          Download Submit

        • memory/2796-1-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2796-20-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download