Overview

overview

8

Static

static

5

38b9796d25...18.exe

windows7-x64

8

38b9796d25...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2024, 05:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    38b9796d251b0a5a51f82df94d4887cc_JaffaCakes118.exe

  • Size

    934KB

  • MD5

    38b9796d251b0a5a51f82df94d4887cc

  • SHA1

    779febb870645fb9c4e839927b4ffe9e31667d6c

  • SHA256

    ac1dfe3059d67ac1888c99204e1db1a816cb76fca4f03a6fedc5ff5d9369d5ce

  • SHA512

    53d913bb6bfa12b372c1307848705409aac35ee493d5730dfb7c416d40b018623d1c5b364bd65c2fdd4018302be7d145c3e69a90b479cc678897d12d84887313

  • SSDEEP

    24576:xTyYEQJnYrA/I+iOGoI/y+y6+bIaF82i4sIomr:MY58QICGBt+0Qyf2

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Manipulates Digital Signatures 1 TTPs 36 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38b9796d251b0a5a51f82df94d4887cc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\38b9796d251b0a5a51f82df94d4887cc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s actxprxy.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2392
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s shdocvw.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:320
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s smhtml.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4064
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s urlmon.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2660
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s msjava.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3092
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s XPrxy.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4444
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s oleaut32.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3464
    • \??\c:\windows\system\Script56.exe
      c:\windows\system\Script56.exe /Q
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Manipulates Digital Signatures
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1312

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
          Filesize

          90KB

          MD5

          513f69829f80c63b9c41fbd5c2e7b236

          SHA1

          495ef59bf409f1bc2029c7f21b04bdc4fbaab0c6

          SHA256

          39f60eb0bbebaa9717ebe7e7af75842ed65992ca25a236002c2322054223dfd2

          SHA512

          621644d668ebe3ecd0279ba5219b59224b8234bcc23444d639bab03e56a3721ea590e1fc6bf6d6d1f33fcd595cc910c2c13b952e26c1c0c471f9e2399cdad26b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cscript.exe
          Filesize

          96KB

          MD5

          c1494c32fcdfc3fc5bd269986d596071

          SHA1

          db65668159940108f68772f76644dd86d39c9ddc

          SHA256

          89fc1a4266b24bf5002080b676ff08d76abadc7503aa1ab7a7d95f93343cab75

          SHA512

          c1293560fa095787f742e37c343ed0b5e060dbbd711aee1bc53b93335bb1d8446901630799334f8087a825957b1fe29436a4e3f1a9d63637524cb137052e999b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dispex.dll
          Filesize

          28KB

          MD5

          c193b6164b7cf695f042dba1a00997a3

          SHA1

          11da456d83eaa6564ced7769c65efac6a24a93f1

          SHA256

          11c5c88f25102f9527cd72062c3a20840ddfddf62a869287eca977063dd3e08e

          SHA512

          8a3964d6808a3ceb8e40a2a73780e4277bddcfed173fca3b099a72e641d49e3c25b51b5f5c9fceffd8fdd3743488a35dc893245eacdd66cc7eb8420505383d56

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jschs.dll
          Filesize

          13KB

          MD5

          96216cfa8f541578fabc12aec983aeb1

          SHA1

          86f96931cb83e90e2dae9900fa0c5340e8a2a194

          SHA256

          08d159b1ece14fbdeb0cff2c8b117e7f244610dd55566d859c2fdf9e674976ed

          SHA512

          504bb9e61bc69fbc49c94f7bc4f221498065b673911565b810b162d7be7da669765c76955c684b4cd58c86001f53e39dc96510f516726fc798b64247da71fcd4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jscript.dll
          Filesize

          454KB

          MD5

          e360e9fa0d2bc67603ad8aa4328136c6

          SHA1

          1638d154e201029403bcd1540b60f02357a3c6d6

          SHA256

          cd1818ed991851cd055382cc868b746ba84d3668ae0d47e76b42a4a307f593cb

          SHA512

          a7be35c690a14d80e27ebd64ee07b1512e5dd2ae925a808eb7c655a29047bdbcb312200067f6b45e816c28aea60fe6ea5b91c724c2dbc151a8f69c22ae219f0d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scochs.dll
          Filesize

          9KB

          MD5

          fa27899a21067617b2bb775e691e7c17

          SHA1

          503ddb6497bc0d399ac070a52d266c428cd10e8a

          SHA256

          a1d00d9bb3e9040f13ddecaa2326640b02023ea0c780f4f3888689eb6ad2104f

          SHA512

          26d619fcbd63ff6185095d2d04673fe393292f2c54ea50c203bdfebdac12033d6907be4d0e20ea61ccf304a3495ffd5c2525260be1de6ba1a07fe13e50009150

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scripchs.inf
          Filesize

          8KB

          MD5

          ce56edf4ec29c283d4e88fb40c1e14b4

          SHA1

          fda29d9b2ec76fb8725f7ec33857bc9bb6fdef9c

          SHA256

          2935dee89a05adef511f5e4ee493a8a86eeb234629ce8c040ba6c58f8c38c859

          SHA512

          dc6b0d6de360232c02eb62ae688cc68237f39a2036b56b21eb2c54e08c9a3bd273d020567d74ac719ab26890d781d2069107e8dabc317d5cce74c5a889ecac95

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scrobj.dll
          Filesize

          148KB

          MD5

          055353c41855329c198bb46106320bdb

          SHA1

          953edf51209c81807bb950dfe41ae08a5d824b4d

          SHA256

          ccbe15552148680c31a2963710a80103b3ae07d1c23c8a4bc3947374fc31834c

          SHA512

          150af17035d23bd8da9799106848fced252157820f1f21710a9274a69534a9b01cd92f271a80a1b6f587d1666e5225341a20b12c5553f476149466efe189da02

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scrrnchs.dll
          Filesize

          10KB

          MD5

          6f1a32d143b5f4f4a3cb135021995e21

          SHA1

          09c91c8496c979f4e09d1e91a4d7f4e9aed3e234

          SHA256

          4dfdde35373e0b2dcfa99bc5ea1516b28c6c9ddd16c2b81fa8e7d3f56ce020ce

          SHA512

          ce365e8e766013f8107ac48d7c2e8474d590eb04c4ba57b46092014060a98d0f44aaf9e43b2d673b8ec6b1a139c2481375c70e623d866486b8380c40cc0d7413

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scrrun.dll
          Filesize

          148KB

          MD5

          a73bec00e9c23dcd34ca8c2055e950e7

          SHA1

          aa23cef84c2049aa196e60b3bec7d8bd4984b973

          SHA256

          8138579cecc8ca4d4ffcaab3876e6c3cd78ad22164903e98932db9f3fe6c77f8

          SHA512

          6749c99468974d72326c826d178a4fd47cc5e0e35fc72d29521cf86303dce4608c9eb523cdfd20f85ce239b91c9c3989efdd49944a9e51182f7da8397b9eb486

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbschs.dll
          Filesize

          11KB

          MD5

          11c397da07b995fe8f99a33b5bf89569

          SHA1

          5b56d64e26ed0a229498c6739e78edadbb66e686

          SHA256

          df8f8dc202332b62be4550c1c677d5b1ab94257637de81797d2638b9330c2c4c

          SHA512

          7040feda58e22533fa239481aa512188b94ce52874a096fa4c0d1b632e944a93da9d333057ce59ad0baeedd5b4ef107df39014b8ec6a2bb8555fdf88d4d11750

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbscript.dll
          Filesize

          428KB

          MD5

          05744121db054560ea28f7178861e6b0

          SHA1

          551cea7603a441fb7016532138cf89f81008804f

          SHA256

          7bd9ce993f7c559c2fcfb17b708535c03fea1300b5fb2f312fd503dcf23268dc

          SHA512

          7845c2ea3d402de0462c8a7ca36de590e3a561815452d670caf1750dc887f5664d5702274a48a86ed72a8158779007d8f43fccd0b4b11b6a2b268549f8e6bfb6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wscript.exe
          Filesize

          112KB

          MD5

          f5aff05c4b08ef753084d19690cfb5f3

          SHA1

          8fd83a7cabc99b10ec0fe9b80024cd9b57f2d594

          SHA256

          ff55af695f614fed069a5407ec33cfa0b701b61aab78930f077a887908e9744d

          SHA512

          032c3a6e6774307fa261bcfcea0e52aa2af46c52425142b46fece2f7f77e3743797c82160dc4ccb9e8454b791bf5035abff35b233c9a5cb18b30bac84182af31

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wscript.hlp
          Filesize

          7KB

          MD5

          5029918b96997a3fc0fcc59c9cea38c7

          SHA1

          4885c3b5bc135d1984d9c23a93db3adc08ed6cc9

          SHA256

          b5a6f79888ecb817d1a218b507262aaad6553362ba3719290a4750f1b9d6abd7

          SHA512

          b56c93119cb3a4a6d29633132e642a7218128cbf84ed25ecc29c798681879b466d68235a4a9c65b1227624d23a8da1c4dc15739609e4efd53a997b9fc7687bca

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wshchs.dll
          Filesize

          52KB

          MD5

          fd70a58379688f01c1bd0a93cd4d73a8

          SHA1

          da6a7a557b642020ef20224cc80688e7bbe9a945

          SHA256

          445a59b4229c3f27ccd31998691fc7712112bca37fbc3b82e42881c3f1ab4e1f

          SHA512

          a7217fb4ccbf35fdd1790321e9cee0fe225d99172b22b9ece4539193020ee3c53b3ffb5d220b0a771c32fd6ec1c63d9669b151acf32f753207ae03fc78f751e6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wshcon.dll
          Filesize

          28KB

          MD5

          1fd9724f26ccf867a087af0c318053ac

          SHA1

          50b198b178280ebccb1fce8a4977110eb561d303

          SHA256

          b377da2144bdedea8c7e3bd8e2f867cf8d6cb608609c5f8491ef19f7a5d37a5c

          SHA512

          0f1d129de626174dc8f04c18187b8bf2e0fa38f6e9ba9ae45cc7cb28f738721e39a1222afde58e556f5895d8597c1535b439758cc0d79b3b7fbb30741097c4ac

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wshext.dll
          Filesize

          64KB

          MD5

          1905f39172a4864f8abad9337bdcad22

          SHA1

          cf6e84595529d4be8c1c017ce3a891c46045ba30

          SHA256

          6d85ecedec85ee047cbaf19da675402288318db63b8df3adcdd0aeac3f46edd4

          SHA512

          fe031cf9a59750815a4a192fd5a876af880efffa734cd08fb7b28b965091a1b7c6182fb2dd006515c5fc938f9b0c240250491b62b44910830e5b8fc631ea90af

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wshom.ocx
          Filesize

          96KB

          MD5

          ab23681c2fa65c460b1e5d5db034fdd0

          SHA1

          1e7fce121c2045b0fa49607570aca5e4edb1da7e

          SHA256

          661882a3222b5a4a85a7db9487fd6170da9b662f765ad97ce17e81d90b677516

          SHA512

          74dd8401edf214e79bf09bfd034c4b46f8b5fc41d042e9ca1af73addf8a0e29bd61836d02f7ff83ee36a92efffd0855da507ae4f55aceb0cf79681f55db5ad7b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\aut9E43.tmp
          Filesize

          684KB

          MD5

          9bf6dfe7cc420b1ba1d56cba882726aa

          SHA1

          4de5ac44b843cc74580d851911a7908fb350efaf

          SHA256

          71acd4d01c8d87fd70f47fb9ce777a2b2ebf3ff857d65b1afe344b275e18194c

          SHA512

          55507d144bcebcb49538be7c41e3d1f6d8cf01ee899b88b6b61c94277699be22531d34e262b5da31e1f43fab7e161664df6b8671345e70684b2300d7c49e2504

          Download Submit

        • memory/436-83-0x0000000000400000-0x00000000004A4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/436-0-0x0000000000400000-0x00000000004A4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/436-448-0x0000000000400000-0x00000000004A4000-memory.dmp

          Filesize

          656KB

          Download