Overview

overview

7

Static

static

3

438b904a47...18.exe

windows7-x64

7

438b904a47...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 18:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    438b904a47606eb7014625cafce93402_JaffaCakes118.exe

  • Size

    941KB

  • MD5

    438b904a47606eb7014625cafce93402

  • SHA1

    064b7d60d5599d11a2594bf375722b0eb928810c

  • SHA256

    865e33fcc9b37a6996eafba738453bf597e8c981288cc00607a64de222cce501

  • SHA512

    4fcdce0301dde956c96d0f6b2034d75c00bae15e542384282ebad379039a7d7edf79563ea76b2f3c0ab6340cb45976730344226daa30283fead5e438aecdf4ca

  • SSDEEP

    24576:KoCO4OOw/MZSu9hGJFo9IyaDnGSFJ/nUmqUta5ct9nmU4:KDO4Od/k4bdyaievTZt9m

Score
7/10
adwarebootkitdiscoverypersistencestealerupx

Malware Config

Signatures

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies data under HKEY_USERS 31 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\438b904a47606eb7014625cafce93402_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\438b904a47606eb7014625cafce93402_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\spools.exe
      "C:\Users\Admin\AppData\Local\Temp\spools.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2756
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s C:\Windows\System32\ffcifile.dll
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1248
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 try5831.dll , InstallMyDll
        3⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c 375519961O57540.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
    • C:\Users\Admin\AppData\Local\Temp\lqbzse.exe
      "C:\Users\Admin\AppData\Local\Temp\lqbzse.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C ping.exe 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\lqbzse.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2952
        • C:\Windows\SysWOW64\PING.EXE
          ping.exe 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1668
    • C:\Users\Admin\AppData\Local\Temp\syseter.exe
      "C:\Users\Admin\AppData\Local\Temp\syseter.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\svehost.exe
      "C:\Users\Admin\AppData\Local\Temp\svehost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\svehost.exe
        "C:\Users\Admin\AppData\Local\Temp\svehost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2516
    • C:\Users\Admin\AppData\Local\Temp\selvice.exe
      "C:\Users\Admin\AppData\Local\Temp\selvice.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\system32\jtpilluzg.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1140
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1624
    • C:\Users\Admin\AppData\Local\Temp\explor.exe
      "C:\Users\Admin\AppData\Local\Temp\explor.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\llly99.exe
      "C:\Users\Admin\AppData\Local\Temp\llly99.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1736
      • C:\Users\Admin\AppData\Local\Temp\Messenger\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Messenger\setup.exe" llly
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1896
        • C:\Windows\SysWOW64\zwtpm.exe
          C:\Windows\system32\zwtpm.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1816
        • C:\Windows\SysWOW64\adgkn.exe
          "C:\Windows\system32\adgkn.exe" /service
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2660
        • C:\Windows\SysWOW64\net.exe
          net start Comeventps
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2536
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start Comeventps
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2728
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 "C:\Users\Admin\AppData\Local\Temp\Messenger\ThunderSafe.dll" /s
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2076
  • C:\Windows\SysWOW64\adgkn.exe
    C:\Windows\SysWOW64\adgkn.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2820
    • C:\Windows\SysWOW64\zwtpm.exe
      "C:\Windows\SysWOW64\zwtpm.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2272

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat
          Filesize

          2KB

          MD5

          940ca2e852210dd0872ab75bec1addd0

          SHA1

          0dbe38290db000c0a8b799d76757b08d93dd1a20

          SHA256

          a5b770b308595e60dc9d1bef309f7644a588acbbe58757ab1b0093f3cbd6b5fb

          SHA512

          ca1880398c17ae9208e98663a8a143035624700b57482b419e995526ace1d497f25383e75e3d2730d2a05d8ed0c3dbd2fc128df79266152f4d1d53f344295eb7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Messenger\ThunderSafe.dll
          Filesize

          64KB

          MD5

          d81f3cbf6c783710fd329acaeb62c11e

          SHA1

          6c234055592ea63431b51a96d2604800b9a659a1

          SHA256

          9d5c34bda05603f6e283b76c0a55179ea548349117363ba719a10d19d930b819

          SHA512

          8a034efe5601e4c48000c2ff2ff14db95b0a1c748cb2ed2e2f06adcb21b5d43af92f613379da803c226c7ed2e15d9c6300f1b42f76ab041d12f8ed8b38d879fc

          Download Submit

        • C:\Windows\SysWOW64\Windows.ime
          Filesize

          76KB

          MD5

          03eed954eb652553833bc37789eb7ea8

          SHA1

          81902061f69267aeaed071e6350d4175cc09efb2

          SHA256

          d431163e1e279add41454e1775224522bfc504ae8f48713d8ce339485b0418e3

          SHA512

          eee85107ee564b390f7532e17081e3ff41c59d3cdead5c3d7a276e509df4d7c81365727ac75ca637f14a3a63d048b6dcd3bcd1763fec4b1ff306e0b256e119b3

          Download Submit

        • C:\Windows\SysWOW64\ffcifile.dll
          Filesize

          64KB

          MD5

          cc04edaa32516285bcf38748de8178d7

          SHA1

          ad6a0a6a3b2474f2a2e112c1cd1e6e423b89063d

          SHA256

          6b831bc318f65ad40e1167168b911eb287e54688ea490f2787cbcb2a37468aa2

          SHA512

          82b5e21c7d8f42231264c06d318913f51f742c2f9344aa4405b6d5880a379fe58e9828f6bebdf5fe014b9fac9ee6359f57c385a2e2e214a07d91ca398b9fd52b

          Download Submit

        • C:\Windows\SysWOW64\jtpilluzg.bat
          Filesize

          100B

          MD5

          16b8d95406120fe1822a5feb0afb9d5c

          SHA1

          70bc41829b485313a2069e164cb426d478471fe6

          SHA256

          dc4791faf83e81ec3676d6d0902b93d8b9a3fa32f01076a236a7a320646d1b00

          SHA512

          85f217aac6fb3af21e828feba82910060508edf8b828ccb1b4ada06e279f4de9d536ae424f6f83d26049409d74021cfc966d173408681b37816a3cf5b056378c

          Download Submit

        • C:\Windows\SysWOW64\s3d332.dat
          Filesize

          124B

          MD5

          601084dcd00cf19cda4c028fd05f893e

          SHA1

          f8bf40b53f13102e3b967cedc8bfa317833719c2

          SHA256

          3ad0dc663672f4855528fafe372b612d0e3287025ede534bfb2587ccc0fa26a1

          SHA512

          71c588ab1e00f5aa2c57fd15a9af2edc42f9c7ea07c01a4c0552103befd7519973ec356e64651f7b30741046b3a3a854d0bcdb81faf62eb1c53abf433db81d51

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Messenger\setup.exe
          Filesize

          20KB

          MD5

          c12683fd67e76a66d1ba39ac22168925

          SHA1

          71f94e7f54d81fba8ce6ca9b3a6a6522cf16509e

          SHA256

          bfbb15e180aea39014a0d272ebedb5d5a6d9c69d9984918a8c786de53c4b06f6

          SHA512

          f4369e9206c1a14fa804f62e8c072cc7c9ba4c3da7341d7b7da559175da314d8f0a60931cd7587cf5a83d5b67b66ef15022a400e0280dd8d861900318f5104b4

          Download Submit

        • \Users\Admin\AppData\Local\Temp\explor.exe
          Filesize

          132KB

          MD5

          cde45741b07efa0306ed1bfe449e4ef8

          SHA1

          0fa6a767e9e7a702597505e9c3df3704969f1147

          SHA256

          7b90a225985d188ff8592828b688580609f0107d39d5225b7111606d8226da1c

          SHA512

          ad98c6328f5d8d406090208a31483bd2a529aa4259a577d980a283d88868a0200060bc24d45a458a6d1a521e60504e782d7a37f101fda93a3fc9af5b144d76f7

          Download Submit

        • \Users\Admin\AppData\Local\Temp\llly99.exe
          Filesize

          132KB

          MD5

          a328e8d509296cf76a99ccf1034ed0ee

          SHA1

          7cb55bc2580fb0801e279134982c8ee8ed13df90

          SHA256

          7a69c78e0778963e59760a4b48ee87ebc7d70d2de528d0afa283b0123897b283

          SHA512

          20bba80316e4fd0bd300baa0d329bed4bb6ef75925a845c3309a73ed980ea3bf93ced57bcb111d6ae81edd548ded4a56ed1bdbb89f998939b690ee9fd21ed5cc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\lqbzse.exe
          Filesize

          68KB

          MD5

          12cf4395bf1f403eac6ee869a4ef2986

          SHA1

          3ff5e92318a07e7fadf2353034425fefcbdd1159

          SHA256

          1dc2d790e98851a12d32d6133beff8ec087d3cbc07b0671b4c1012a29632a294

          SHA512

          f61a798fd6325ab964d671dec7cf665aa84cc0798429abd1940888c34a045705ebfa572ec1b14a67f4bd5d3054d24ea1325e75601a02be46b8b59b9538325ce8

          Download Submit

        • \Users\Admin\AppData\Local\Temp\selvice.exe
          Filesize

          30KB

          MD5

          ecc341f2bf4f88c8fbf60ea10b5e4fed

          SHA1

          21a19153f5efa049ff24595dd296d718d7b93710

          SHA256

          99692573fdff86d6eb11ab4f9062b5b35be53dd74d2937a9faf12ce53d26acc1

          SHA512

          f82adbd04826941c741ee76f1b83425bda5edb9ad46de6d0950ce68a6dc166cfdc11b035547227dc1ee80eb0147450b9b3857cfc9471ea17b50767e10e8e3614

          Download Submit

        • \Users\Admin\AppData\Local\Temp\spools.exe
          Filesize

          60KB

          MD5

          6dfd42c8451da8aa8d62dc052e962cf3

          SHA1

          976629d685068130c649dc2292d62c76a3cb15e4

          SHA256

          f8d7c5e80202dd022ce4e1cf4a7e6eb9e68411c1b362c733ac9ba61d8d4a7cdf

          SHA512

          894d2a0b8d16dfc51c9d11121e334975a600fdfa0e4813aee13ee8d12fa2c05a0cd71c3dc4fd1dab38a4c6eb37f0270f34f3ca5bffd02ed00f2ec8427ed0cdd9

          Download Submit

        • \Users\Admin\AppData\Local\Temp\svehost.exe
          Filesize

          162KB

          MD5

          05a44e8ed157637048677b18431b8e3d

          SHA1

          fd9793991710bb548b5f6b6f1346474334cdd69a

          SHA256

          f5cc755162c2ee5f2cb887b8dd3c0b0f316e7830932c1047b082e884c99c0252

          SHA512

          9af0ba8933b6365d366221c9a0b93c9a5fd7d530db61152220a651dfe97f527518d7e357b4049b441dba1fd3bf710a4165db9ba5fc9ee705b180e3c782bb4f61

          Download Submit

        • \Users\Admin\AppData\Local\Temp\syseter.exe
          Filesize

          312KB

          MD5

          3ad35857a12ece3594ffd2ccd2c078eb

          SHA1

          e65ba6692482a5d4119f22a22e671b8763fc801e

          SHA256

          9a643d34f71e6d78428361aa8ba7c4cca2393b65ce6bb3b278388512d11e8331

          SHA512

          cc6ab0e7e06b9ddb79d95cfd7d14bd3703cf8c47c8d6831dadfc4ce8df9ce68045282207cc50d9259e3a62ce9c719212108c3bccda9dfdf872022c9eae99a34a

          Download Submit

        • memory/2372-11-0x00000000008A0000-0x00000000008DD000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2372-16-0x00000000008A0000-0x00000000008DD000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2372-81-0x00000000008A0000-0x00000000008B6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2372-82-0x00000000008A0000-0x00000000008E0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2492-162-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2492-83-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2516-86-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-103-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-90-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-85-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-84-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-92-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-94-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-96-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-98-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2516-313-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-88-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-104-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2516-184-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2584-101-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2756-79-0x0000000000230000-0x000000000026D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2756-182-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2756-27-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2756-200-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2964-177-0x0000000010000000-0x000000001002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/2964-176-0x0000000010000000-0x000000001002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/2964-180-0x0000000010000000-0x000000001002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/2964-181-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2964-116-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download