Overview

overview

10

Static

static

1

a88d1914a8...18.exe

windows7-x64

10

a88d1914a8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe

  • Size

    3.1MB

  • MD5

    a88d1914a8879ab730ff1ba9c2f2f585

  • SHA1

    4f7d01d8c20f1137ed2621281d2824d397df1be7

  • SHA256

    c98de3d6b0dc4e9f54a1de1a10c8ed0f746a7c03eb71424855ca2b0ed850d4f7

  • SHA512

    f1e3fad1ae30c7f1d8fad3f4f2e9ce70e590128e45429a40e090f22621ab2c23acb4b83e5e921cfc83ed05ae743f806a1c38e89b3b8b12b5b63f9f61d7ebe2f3

  • SSDEEP

    49152:qTNVoeuNhGQl8kwNGOZQtlKPwOxConN8PyowDHW+va4apRMVNTPAwRh1az:qTNVoeuNItNOawmCMD2+y4GIbY

Score
10/10
pandastealerdiscoverystealer

Malware Config

Signatures

  • Panda Stealer payload 2 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Pandastealer family
    pandastealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 52 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\SysWOW64\msiexec.exe
        "msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{90D92A69-433F-49BF-B358-E0B785FFBD94}\setup.msi"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4916
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1108
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding E3AD6ADDE5D9497F3E0681C13EF9682E C
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
          "C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4328
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:116
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e583d53.rbs
        Filesize

        9KB

        MD5

        12afadc9a9aad12c0f9157ec6846ae78

        SHA1

        5869999c2c84ecee9e9b8d29921c63dfe0b80e90

        SHA256

        4e1b35a16d1911b977ca30da3972880eccedb8a037244802974246b30595dc05

        SHA512

        82ef95885fdbc6cfb5cff8f7e9f1fe28e65d58934743d09325c457fc8e4dd21dc7d3be4432dc22cbedd3994a654cf8a62989695a2ef9122b958c9ba7bbd0f858

        Download Submit

      • C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
        Filesize

        36.5MB

        MD5

        5bc76411c1dfeaf988a4469f128bbb6d

        SHA1

        b66c018fedfca88a82c96c58a97c6006f870b32e

        SHA256

        26eecdb9ae714be60758560d7f8410c2d78faa13d66e1f6714db2f17b7c5bd55

        SHA512

        d73865f15af9c64349ff02c85a18f009ad8b8f5ccd219a4d90d13a73ed1aa0f42a6c8f7d07ea1b836ce4b8da36e191e6af371439a51b3600b53a693c71298c16

        Download Submit

      • C:\Program Files (x86)\Reg-Tool\definitions.db
        Filesize

        32KB

        MD5

        9d5a45aa7203672bd0c16e212815f1bf

        SHA1

        e09162aa55916d5428ea540c11b00d8f77be9a8e

        SHA256

        2af162c85d8f898cf31a972c9af66caa21aa009bf84b1522c8a37cbe0d84e34c

        SHA512

        a274750efead11bb21bbdd6c77b2a902ec51d8d760405f2600bb62992798123995acd475b4891d0c94d52b0b0431fd244867eba33fb16c787759ca2e538b8748

        Download Submit

      • C:\Program Files (x86)\Reg-Tool\privacy.db
        Filesize

        4KB

        MD5

        bc166f104d54c05ef2ea87d0c5509f46

        SHA1

        9c5068bca2fba2d6e39df6b171ecf944b14899d4

        SHA256

        4b489a11a37516b7f1ebbacde2cfbe173726deb570a89f367094370045c57772

        SHA512

        671765513c11254f5f4cfbd106898a2505299071ffd188b7505b8c5b9ef53a24b04fd7d8c0c15227a02ada5d2695417352733926e6407880bd87e6d7947f515f

        Download Submit

      • C:\Program Files (x86)\Reg-Tool\pw.zip
        Filesize

        1KB

        MD5

        b8b098eae0638a02207abb73dba0afe2

        SHA1

        3316ffabbf994bcea4f3a2f4c97e8352621171ea

        SHA256

        0ae908b2989b4a9d7c93cd7cfe27b7c0c60cce64c265b743fb6b5f7a6d72f269

        SHA512

        29b0c4de613a7ece77d4668af9169d54140f2bdb49218f294b5dbc91ef48b51b7b2f556ccd530b67d8c2808a59becd5489ecfad0d4ff91283c01fdc8ae5c415b

        Download Submit

      • C:\Program Files (x86)\Reg-Tool\startup.db
        Filesize

        112KB

        MD5

        44fa7b9f408c0b5ba1fff283808eba34

        SHA1

        9c9809646306f67b4ab1cdec78cacbb2a5162e84

        SHA256

        6573f1fe1de7541042ca6f49a0adac130fde506d6b92e1ed0ee856d69fb57946

        SHA512

        5bdec5ed5a21f3a2e6a04ddc9aab06fb8fc3256eddf79c62d026022fbd41f4229a73c57c775ff8c5e3723fc47f9773c951260928c4b5877fb67399b861538f68

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A
        Filesize

        5B

        MD5

        5bfa51f3a417b98e7443eca90fc94703

        SHA1

        8c015d80b8a23f780bdd215dc842b0f5551f63bd

        SHA256

        bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

        SHA512

        4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
        Filesize

        1KB

        MD5

        1ba25895dc793e6826cbe8d61ddd8293

        SHA1

        6387cc55cbe9f71ae41b2425192b900a1eb3a54f

        SHA256

        cc4c5c999ca59e5a62bc3ffe172a61f8cf13cc18c89fe48f628ff2a75bdc508a

        SHA512

        1ff9b34fdbeae98fa8b534ba12501eb6df983cc67ce4f8ffc4c1ff12631aa8ed36ff349c39a2186e0ac8d9809437106578a746eec3854b54fef38a3cc0adb957

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A
        Filesize

        400B

        MD5

        2c4b0106b503c0d2c861d165bad88b40

        SHA1

        c1d64a3b0c5e17897203c551a774ef74f58f881e

        SHA256

        a41aa04286910a41c98bd4c1df65e2cf4b0e98d8bb4f3a8e3f269e1a8bdb21d4

        SHA512

        512c7054cd7bcd35ffd130b263d0007cd53a84cd255b9a0711fb2f0aa81d3e9ebf6446c36ea16a765e54b1100fabab797bdb0a06c38188a39ca4a52d753f778b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
        Filesize

        182B

        MD5

        475fd6b63ea1af350c330855b6826bb8

        SHA1

        e541e304fa55dfb44777a1a5ea8dd26af308561e

        SHA256

        f06d9137292d9dd97120e274cec6ba680bb912eca0b5417b082ead636777aa4b

        SHA512

        1d4b5c70e079ad257e7f86c1c908655bdae9f8cc4ab77badd0bd72732a49fbee5ddfa518218e46f2bc306da48f4d9d9d6047983c1cda15ea3da6d3fe9215376f

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC
        Filesize

        404B

        MD5

        0d21d80c9639e14a4d07441c970b1a88

        SHA1

        6e3485c9a29bd67f52d0fd58e3ef779f33db8b50

        SHA256

        1639a46e2f5887ed5106a403a7acedf5ca98f188488306e5db018c7a91cd966c

        SHA512

        61494385c43089e029149cee7cae9a1f15d5b41497c8a0e076942c7023848d7cf956f91eae87aaeda40733fd18998523cc7c896eabd5016c7d00ea80061a37fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe
        Filesize

        73KB

        MD5

        de1a17d4d7683738c4b0b165d36d5821

        SHA1

        5b175debe5ce1e700a2f420bf944b20f5f17bd2e

        SHA256

        1ee03147705d39bf9c2c57340bcf6576a1647ad97517e74df2ebb4443cd8ee66

        SHA512

        7f2ebfd3b532548aec594b4399ccec17490a924215c0dfa0683becb5b9da19af5ba37341b562d04d4adc9dfea6feacea701652fdc612d14cc17acfe869c39177

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.msi
        Filesize

        37.7MB

        MD5

        8d5626aaf4505a65505f646959aab3fe

        SHA1

        65baaabfd5d1eb022083fe9df79504cc656f315e

        SHA256

        b479919a20b820f13ba758f5a3851045ead9315b702bf5355c66e00593a5f832

        SHA512

        fa2024af189f337048d4e425829bb75ff83f91b879b67502913bb25e734b2ac3371f7b9b2d502b05e8471791a765f018800edbb0ee57db5410db9d6d3fe7cfec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSI4B9A.tmp
        Filesize

        148KB

        MD5

        14c01c848d8452005734858a64b6784b

        SHA1

        d3d81fcd1267095880218ef09b92220248905ea8

        SHA256

        fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185

        SHA512

        8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

        Download Submit

      • C:\Windows\Tasks\Reg-Tool Scan.job
        Filesize

        464B

        MD5

        7433803142b99264d274c83902e47f79

        SHA1

        cf22880e9aea42cf531effd7287ce4a9430f7b85

        SHA256

        dbffa9bad9491fbb78aa07212009c71de3f4cca4f8e9773b43aa9d4487d2e6de

        SHA512

        6dde5abd17ff406612ae890444acaf17b3779baa721cd2a4c27ec30b579b332af8a5886496dc6dac109a2698e8dffe01cc73e83b011df99b5e681a1b0ac69746

        Download Submit

      • C:\Windows\Tasks\Reg-Tool Startup.job
        Filesize

        404B

        MD5

        cbec6b878ef7cd520c8dda9f68d3ddc6

        SHA1

        3365966b73baf1d710a7bcb453f838959fa6476b

        SHA256

        6cbbd5eb18130a667c74111c27c81baaf72e7698032ff9d890d44faf03d58293

        SHA512

        2429c904660bbd933d502bb935838a0bd072a7a695f4ed9b3289e04d8c0b0428eb5318a2e14fb26c89d398be3d6387c9a9fdad0e4b77414d0a182a88a19b082f

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        24.1MB

        MD5

        64c47b84ec0a3a89247fa2f191af007f

        SHA1

        22de42ef56a0ea58a4afe4fad5b3a2ef5ae647d9

        SHA256

        bbe8216b996fe917a3da61269b1da88a722c500f28ce8042dd90a78d014e94a7

        SHA512

        f7e1b5587b49e4182e05f84a8711a50e2be5a356b938dffe04e5fd9b70dc4e05665052b10025675d26c48f830a5c885beb54ac838cbf6304a4a94fbef7c78094

        Download Submit

      • \??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{398257c9-b1ab-4b98-87a3-479a55dbc59f}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        19a76b2579c0ce856f25bfcfafadfef9

        SHA1

        51398ed8d31045431262fdb1f8aa4d1c321f10df

        SHA256

        892f7d7b371a55851fc0735b8676c36078af64874888e28aac845b8a3228fee7

        SHA512

        2ccd8547e5e78e6a0a6100c235135df5671b994abd37659cdfc03fba7ca20dadec69110b2bcc0e1c9231402b41d16a7ea08305d0f9e83776c865569ed83dfb83

        Download Submit