Overview

overview

7

Static

static

5

54be8c23be...18.exe

windows7-x64

7

54be8c23be...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2024, 01:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    54be8c23be0cd244d94c8c82077dd321_JaffaCakes118.exe

  • Size

    42KB

  • MD5

    54be8c23be0cd244d94c8c82077dd321

  • SHA1

    dc92b76053242dbe5b297d67c0179e0f1edbc5b9

  • SHA256

    e40300f5d4e4a3ab6ce695a1bb39ad72431411435b869be4c71107f7dd04d055

  • SHA512

    63194b7ea0a159be50d9c464228bcc71ccb2fa2a68665b28fa4426f7bdf5ca0801e0b2bba9435571ffe51a5e6ea47e490a1ceb0a44697d4e6bf3a2156760cec4

  • SSDEEP

    768:oWw1WakBDDkpW+z4dsZYsWbh699SbRl3jsEPI:oVM3gsdsZnWbh6PElzsEA

Score
7/10
defense_evasiondiscoveryupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54be8c23be0cd244d94c8c82077dd321_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\54be8c23be0cd244d94c8c82077dd321_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\54BE8C~1.EXE >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:436

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\56BC86C7.dll
          Filesize

          13KB

          MD5

          7466c142028ab9756421efcebd13bdbb

          SHA1

          58dde93623517f4bb723163661f777d4b18de112

          SHA256

          e0826938c334a3bd46704c0a2ca3c8e23e2c0e12962df6e375b6129579ca74e6

          SHA512

          47a2a4920ee9d77d60de511c02be06cc13c5fce3fcac3320129d5046c179130d05df400f379fa244fb686169709a92b80991f61346f0965c179febc1f7ac11e1

          Download Submit

        • memory/1384-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1384-7-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/1384-8-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/1384-9-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download