Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-11-2024 11:22

General

  • Target

    84683e3042ba32496e10b41b080704c9_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    84683e3042ba32496e10b41b080704c9

  • SHA1

    4137fa3b2418fbb69397f62fabfc16f6de755080

  • SHA256

    df625e25c46aa46b7f95d1d9d19c62261f417039d830dbcfa1c806c7c202ddf9

  • SHA512

    e4aba1546f7fe493817f3f33e3a29f652a7f8c52d06ac6831da960b873798ba3d2e6e4721b8b6e375f26fe2ce4cd57a51ca212a63845d7504d2a946e4db3bd07

  • SSDEEP

    3072:oVoWnCo0fx2RNsfscJRjwjN0giT+PzbY7JjMujbaVYJ6:oVoWn30o3DaVKN0giT+LE7JYucb

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Drops file in Drivers directory 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\84683e3042ba32496e10b41b080704c9_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\84683e3042ba32496e10b41b080704c9_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\winl0gon.exe
          C:\Windows\winl0gon.exe
          3⤵
          • Modifies firewall policy service
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2848
          • C:\Windows\dodrrr.exe
            C:\Windows\dodrrr.exe
            4⤵
            • Executes dropped EXE
            PID:2060

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\dodrrr.exe

      Filesize

      1024B

      MD5

      c33bb81dc8d36b5807a7b1f3da8e5936

      SHA1

      2654791dca1b6bee9924b37526fa970535814a75

      SHA256

      e27fd4aecbd99567abad60d6e86784443ccd2da754cc7e15adac72be57236ae8

      SHA512

      73ca7987dbd700286e86f24057337817804ba16e88e59ccceec8c9933e0f56511e1454b1f62a98020f812d8dbfc2967a10fd729102257b6098b5d6972c93eeae

    • C:\Windows\msbpx32.dll

      Filesize

      132KB

      MD5

      010a6c4aa9057dd7cf7feb49361589e7

      SHA1

      ff58e2495fb749f773ec63f3181d134073830b43

      SHA256

      6ae9a492c4facc8c19475e1a0f941b6f4c56a8a318206e966e63a55692f8b1d7

      SHA512

      14765d280896216d63911a0814764c2e2a5727f4b03903ca24ff620f14f718b2371f8556e6a8bff599dd40b7521ee61782cd73013886efaca712e3b3ad297ac4

    • C:\Windows\mscobpxl.dat

      Filesize

      152KB

      MD5

      90ec1fbc01bb3c5b60670564e3913ab7

      SHA1

      1f6e33eceb2e8edf82f459c28cf85b26ba4e7956

      SHA256

      f219acae487c330c41945a4001e1921ed3e049ebb6213ffec40a5688a0695623

      SHA512

      b8319b1d4960bba1e1be2fea93dadfc71d8819ec3bee8b69635069d0e42e4ad9abc1f5da3941c4a46469d42f2ad5745643c052f785585d42e1b6a399faf87a73

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      9f2617992faacdfd979d05c3907981fc

      SHA1

      fd62c0287f83a64c733ad22c70e90fe2f1937e0e

      SHA256

      1f3d4553b873cf5e1cc88f22b14ba0367ff4edd2598bd62dcd73df9a9820a867

      SHA512

      33ed8e166f33b10e50747d7d4a2b6ede92b9c58b350dd7abb897ad8fec1a9a7aca383f96fc867b6fa820c01fbbab44bcd2ccc76c107a20882d239a2ef792d5ca

    • C:\Windows\winl0gon.exe

      Filesize

      152KB

      MD5

      84683e3042ba32496e10b41b080704c9

      SHA1

      4137fa3b2418fbb69397f62fabfc16f6de755080

      SHA256

      df625e25c46aa46b7f95d1d9d19c62261f417039d830dbcfa1c806c7c202ddf9

      SHA512

      e4aba1546f7fe493817f3f33e3a29f652a7f8c52d06ac6831da960b873798ba3d2e6e4721b8b6e375f26fe2ce4cd57a51ca212a63845d7504d2a946e4db3bd07

    • memory/1188-19-0x0000000002210000-0x0000000002211000-memory.dmp

      Filesize

      4KB

    • memory/2848-22-0x0000000010000000-0x0000000010067000-memory.dmp

      Filesize

      412KB

    • memory/2848-37-0x0000000010000000-0x0000000010067000-memory.dmp

      Filesize

      412KB