Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 19:58

General

  • Target

    43ee537be1f1b94599352999ce0b0ac5_JaffaCakes118.exe

  • Size

    253KB

  • MD5

    43ee537be1f1b94599352999ce0b0ac5

  • SHA1

    1242eac60b7867c7162ec827559018d54c075afd

  • SHA256

    e9af912b5faf9e3695362bfffbb0ad43a46e1d193b1a6c769409de32be19d8d5

  • SHA512

    b9b6f8589cfe001678af503fb94efe5c033cccc93ece1e1e023c05a80fc917faec717610d3ca07918db903645e583103da14ba5e04ab111a7ad0c7010dbe25c3

  • SSDEEP

    3072:Aej3f+jEMAPMMoUegs+rdFeLmH7QWsXMqLvIP75rTTK/h4KtBfqXKPRPRU6/OYqX:tWjEMAIUHs+rd4mb+DETTq7xPRU3P

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43ee537be1f1b94599352999ce0b0ac5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43ee537be1f1b94599352999ce0b0ac5_JaffaCakes118.exe"
    • Modifies firewall policy service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\ntkernelloader.exe
      C:\Windows\system32\ntkernelloader.exe /stext C:\Windows\system32\micdriverz.dll
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\SysWOW64\mswinsck.ocx
    Filesize
    106KB
    MD5
    3d8fd62d17a44221e07d5c535950449b
    SHA1
    6c9d2ecdd7c2d1b9660d342e2b95a82229486d27
    SHA256
    eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09
    SHA512
    501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

  • \Windows\SysWOW64\ntkernelloader.exe
    Filesize
    42KB
    MD5
    ab39f2449e55cc3790e8233f188c0506
    SHA1
    4a5cb790d0b79d62897cc54621596e772ec60d7f
    SHA256
    af33f86c8461c1abc08bb6e22b6be7a0e85121a095b6072ab9b9a6a3c36c5277
    SHA512
    a5a02e723265f42b413060b41f0d9f3ec05826cb69b69a987a876b1737a94e68af21a435c4a5f69c791311b27a4933f594b7469dbf5ad4c1b92fe8b4944e45db

  • memory/1628-0-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
    260KB

  • memory/1628-13-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
    260KB

  • memory/1628-17-0x0000000002670000-0x000000000268B000-memory.dmp
    Filesize
    108KB

  • memory/1628-22-0x0000000002670000-0x000000000268B000-memory.dmp
    Filesize
    108KB

  • memory/1628-27-0x0000000002670000-0x000000000268B000-memory.dmp
    Filesize
    108KB

  • memory/1628-28-0x0000000002670000-0x000000000268B000-memory.dmp
    Filesize
    108KB

  • memory/1628-31-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize
    260KB

  • memory/2764-24-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB

  • memory/2764-25-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB