Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2024, 17:29

General

  • Target

    52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe

  • Size

    452KB

  • MD5

    52db8262b6fdfc265caa70b7aa6abd14

  • SHA1

    561ede3362c63dfe224dfe9f98544673bf9f293b

  • SHA256

    51904d5c59460a8d90236bee6cf28176de7c4ceb0b2e7abae2e5ad3ed4ce3bf2

  • SHA512

    c20e122280a5ded19e7c2f839c008f958852cbeedd939eace37dbc5fa3ac0c58a6a86f140ec065b80bf3cd17aba30d6f326daab71e77274f3d6b2453b4448782

  • SSDEEP

    12288:GLO+MJClrwmPuuqcor/1/4UkNpxWBulXZDCzAI:GLO+MAUmHbo1tkV4+CD

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\atlop.exe
      "C:\Users\Admin\atlop.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Users\Admin\suuwe.exe
        "C:\Users\Admin\suuwe.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del atlop.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
    • C:\Users\Admin\bwsap.exe
      "C:\Users\Admin\bwsap.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\a.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2668
    • C:\Users\Admin\cwsap.exe
      "C:\Users\Admin\cwsap.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Lbv..bat" > nul 2> nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:728
    • C:\Users\Admin\dwsap.exe
      "C:\Users\Admin\dwsap.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1944
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 280
        3⤵
        • Program crash
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944
    1⤵
      PID:5104
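The tree above is more useful read as a chain than as a list: the submitted sample (PID 4944) drops five executables straight into the user profile root, atlop.exe (PID 3272) hands off to suuwe.exe (the one that adds a Run key) and then removes itself through `cmd.exe /c tasklist&&del atlop.exe`, bwsap.exe (PID 4180) is flagged for SetThreadContext and spawns an argument-less SysWOW64 svchost.exe (PID 3048), and the four memory dumps listed for PID 3048 all cover 0x400000-0x40F000 (60KB), the same size as bwsap.exe, which is consistent with the svchost.exe image having been replaced. The script below is an added example, not part of the sandbox report or its tooling: it re-encodes the tree as constructed records and runs four checks an analyst would want to automate over any such tree (self-deletion via cmd.exe, hollowing candidates, dropped executables in the profile root with their persistence flag, and user-profile batch scripts run through cmd.exe). The record layout, rule names and regular expressions are this example's own assumptions; the signature strings are the report's.

```python
"""Triage heuristics over the process tree of a sandbox report (added example)."""
import ntpath
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int          # 0 = top-level process in the sandbox
    image: str
    cmdline: str
    flags: frozenset = field(default_factory=frozenset)   # sandbox signature names


# Constructed from the process tree in the report: PIDs, images, command lines and
# the signature flags the checks below key on (other flags omitted for brevity).
TREE = [
    Proc(4944, 0, r"C:\Users\Admin\AppData\Local\Temp\52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe"',
         frozenset({"Checks computer location settings"})),
    Proc(3272, 4944, r"C:\Users\Admin\atlop.exe", r'"C:\Users\Admin\atlop.exe"',
         frozenset({"Executes dropped EXE"})),
    Proc(4536, 3272, r"C:\Users\Admin\suuwe.exe", r'"C:\Users\Admin\suuwe.exe"',
         frozenset({"Executes dropped EXE", "Adds Run key to start application"})),
    Proc(1812, 3272, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c tasklist&&del atlop.exe'),
    Proc(1628, 1812, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist",
         frozenset({"Enumerates processes with tasklist"})),
    Proc(4180, 4944, r"C:\Users\Admin\bwsap.exe", r'"C:\Users\Admin\bwsap.exe"',
         frozenset({"Executes dropped EXE", "Suspicious use of SetThreadContext"})),
    Proc(3048, 4180, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\system32\svchost.exe"'),
    Proc(2668, 4180, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\a.bat" "'),
    Proc(4500, 4944, r"C:\Users\Admin\cwsap.exe", r'"C:\Users\Admin\cwsap.exe"',
         frozenset({"Executes dropped EXE"})),
    Proc(728, 4500, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Lbv..bat" > nul 2> nul'),
    Proc(1944, 4944, r"C:\Users\Admin\dwsap.exe", r'"C:\Users\Admin\dwsap.exe"',
         frozenset({"Executes dropped EXE"})),
    Proc(1072, 1944, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 280"),
    Proc(4112, 4944, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "'),
    Proc(5104, 0, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944"),
]

# "/c <anything> && del [switches] <file>" (also "&" and "|" chains); group 1 = file.
SELF_DELETE = re.compile(r'/c\s+.*?(?:&&|&|\|\|?)\s*del\s+(?:/\S+\s+)*"?([^"\s]+)', re.IGNORECASE)
# An .exe sitting directly in <drive>:\Users\<user>\ with no subfolder.
USER_ROOT_EXE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
# A .bat/.cmd anywhere under the user profile, quoted or not.
USER_SCRIPT = re.compile(r'"?([a-z]:\\users\\[^"]*?\.(?:bat|cmd))"?', re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return ntpath.basename(path.strip('"')).lower()


def find_self_delete(tree):
    """cmd.exe children whose command line deletes the parent's own image."""
    procs = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        if base(p.image) != "cmd.exe":
            continue
        m = SELF_DELETE.search(p.cmdline)
        parent = procs.get(p.ppid)
        if m and parent and base(m.group(1)) == base(parent.image):
            hits.append((p.pid, parent.pid, base(parent.image)))
    return hits


def find_hollowing_candidates(tree):
    """Processes flagged for SetThreadContext whose child is a Windows system
    binary started with no arguments (the suspend/overwrite/resume shape)."""
    hits = []
    for p in tree:
        if "Suspicious use of SetThreadContext" not in p.flags:
            continue
        for c in (x for x in tree if x.ppid == p.pid):
            no_args = base(c.cmdline) == base(c.image)   # whole cmdline is just the image
            if c.image.lower().startswith("c:\\windows\\") and no_args:
                hits.append((p.pid, c.pid, base(c.image)))
    return hits


def find_dropped_in_profile_root(tree):
    """Dropped executables in the profile root, and whether each set a Run key."""
    return [(p.pid, base(p.image), "Adds Run key to start application" in p.flags)
            for p in tree
            if "Executes dropped EXE" in p.flags and USER_ROOT_EXE.match(p.image)]


def find_user_scripts(tree):
    """Batch files under the user profile launched through cmd.exe."""
    hits = []
    for p in tree:
        m = USER_SCRIPT.search(p.cmdline) if base(p.image) == "cmd.exe" else None
        if m:
            hits.append((p.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    for check in (find_self_delete, find_hollowing_candidates,
                  find_dropped_in_profile_root, find_user_scripts):
        print(check.__name__, check(TREE))
```

The hollowing check is deliberately conservative: it only fires when the sandbox already reported SetThreadContext on the parent and the child is an argument-less system binary, which is the shape seen here (bwsap.exe, PID 4180, to svchost.exe, PID 3048). Confirming the hollowing would take the dumped region of PID 3048 compared against bwsap.exe, which this report lists but does not contain.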

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

            Filesize

            264B

            MD5

            930a1968118596d8ce8339ce83ad6c01

            SHA1

            04cdfd1b110726630450f4145f65cbc4ae63315c

            SHA256

            2c0c20c124541515a9822d3bcc299b0ee1a8e3d78becb9cacbc7710329445e63

            SHA512

            fea6ce671bcf786289d8c615a6f6b4f950f5fd075b938dfd96165a9add63538f5d713019cbd840083a488693ce6f958cc0083736acc3857d90427ef7be4a4bc5

          • C:\Users\Admin\AppData\Local\Temp\Lbv..bat

            Filesize

            118B

            MD5

            81813fa4c78795237b6535d14a271ea9

            SHA1

            e5ad5a60cd264c5823a0546a4aaa3f037004b18f

            SHA256

            f6de6ecdc4833afd16c7526b9782b30da925fa532da05ef0033986d3869008e1

            SHA512

            5f6fa39e2c6cb42618f88319c640b9598046609c35d622196d3d225b8d4adfb7613b1fae672cad9de780f1e56b9610aac01cd1d3761a277c59ddd212e6b6ac39

          • C:\Users\Admin\a.bat

            Filesize

            113B

            MD5

            49d6b96ecf3f7f4a0b2d683ebb21c852

            SHA1

            ddb1e7eb58e991538c7af65fb807b30b7aa34c9e

            SHA256

            17529ddc40da41a75333366b84b1a001fa4b57bc9e8a9ef78277ae0780ccd45d

            SHA512

            e4e500699ec50e969edc796e1eb334f2f3f40269a71a42c11cef6709c61b1b789770c76535f15b598e416e081279ea14cc2511c20087fcb3829b1fde42d24243

          • C:\Users\Admin\atlop.exe

            Filesize

            268KB

            MD5

            08cce3f3b08395b0188f6581d3f67cee

            SHA1

            f3db5f2fbbf5e3e06e50920eea8665cd6840e7ef

            SHA256

            97531a3cd8aff7520e4cad53927bc2abdc046a4f1e052bcbe0aecc574d2c6e63

            SHA512

            231b82a579f20831a025035d2e0c094eb1c93206bee5bef95dba53c0d017a1ac4069631c08cadd4d5335b8c507b27b2c64468d1cf577d85c290b7ecdddbda682

          • C:\Users\Admin\bwsap.exe

            Filesize

            60KB

            MD5

            a1ec0e0b7ba6382f4a7ab696cd97be1e

            SHA1

            6dc5f7346be363c097a16b6306cfc8c91e859e60

            SHA256

            1749c9fb78d215dc3d49d9e850e3a18f734e7cfc331dad8aa805c96ab2240b52

            SHA512

            a92ee5a4e087a234669860e1707abac99484988f137210270d109e43a9895c503abde3f3a49f314f7472f81a7ca6d23eb63df2ebc687e0e0b119fa7cf5a63bc5

          • C:\Users\Admin\cwsap.exe

            Filesize

            214KB

            MD5

            357bce01eddac462ffd80a0032901667

            SHA1

            fc9d8843b3db02570332558c72e4fe8530f4c76e

            SHA256

            b3b5b3894f59b2c85e00f25cbd55cf290cb31908479dcfc8008258b3d3e03680

            SHA512

            0738a133f0cd3b3a355e0a630ff29c19fe794588ea8361cd8b3ec4f440d417a0d71bf935a02b1a2c7bf2f072ff1d9fcf9f0ebe99666d5395aa77c9440fdd6d43

          • C:\Users\Admin\dwsap.exe

            Filesize

            121KB

            MD5

            2acc5ceb47acb798ae535daad48a6150

            SHA1

            f31dbe4e53c2c4683fc5074e59752c1ce0031a00

            SHA256

            697aa03bfe6922e88d96bb72b5a1d90d8206a9c8e050e5ca4e41676f6d72d5e4

            SHA512

            dda965b604fdbb5e629f18c0f8c3a0822ef3d07fd1ec1fc051412bace9c93c61885f824149ac3009adad73016cf16bd97dda5a67dd72ecfb056ae9642c00576c

          • C:\Users\Admin\suuwe.exe

            Filesize

            268KB

            MD5

            760b9cef166373c87a24eabe01e27ddf

            SHA1

            e9727c8e0f9557df84508a41d8e876a50edb7492

            SHA256

            9310f1f91be9fd53db5b5879678d23a1993487a42203fe7b3c4c67260f44d73d

            SHA512

            e03242728c49ef7ec361b5b6e9283c2e65b9b39554e9baf854ae6a1dfc7ccca74202ab8b684dd222441be3cbf96612b850710345caa7f41789bfc58af0fa8eb0

          • memory/3048-103-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

          • memory/3048-104-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

          • memory/3048-101-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

          • memory/3048-171-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

          • memory/4500-137-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB