Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10-12-2024 22:33

General

  • Target: dec558ed05a4e33c7f71769d3832f107_JaffaCakes118.exe
  • Size: 195KB
  • MD5: dec558ed05a4e33c7f71769d3832f107
  • SHA1: 073eb35eba241a631f900a67d10d794b25eeb28c
  • SHA256: 0e49b327e35f3e2c1328649d0752fa3fbe79b0aee1a875fbf36306a9fb587bd9
  • SHA512: f7107ae2e184117c66cd3c63096f49852b6e578e51565ac3fe2a25a56a45901ce48df292aa7414f76df4dccdfdfcb5f48f103b29458ae7a1bf6867ea87dce91d
  • SSDEEP: 6144:Y1c6jL5pvnBYCLbb8Q5AGKgICNILqDe6x:Y1c6jL5pKCfZuyIQeg

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:620
    • C:\Users\Admin\AppData\Local\Temp\dec558ed05a4e33c7f71769d3832f107_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dec558ed05a4e33c7f71769d3832f107_JaffaCakes118.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\dec558ed05a4e33c7f71769d3832f107_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\dec558ed05a4e33c7f71769d3832f107_JaffaCakes118.exe
        2⤵
        • Modifies firewall policy service
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\SysWOW64\retinascan.exe
          "C:\Windows\system32\retinascan.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3300
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe C:\Windows\system32\byXQGvuS.dll,a
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3952
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe "C:\Windows\system32\ljJDSJdA.dll",s
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3528
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Windows\SysWOW64\retinascan.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2108
        • C:\Windows\SysWOW64\notepad.exe
          notepad C:\Users\Admin\AppData\Local\Temp\Message
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4900

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Message
      Filesize: 4KB
      MD5: 118645742176eb6938364de56930d650
      SHA1: 19c4fb343a9606ff0c8b63ce30a6d872bf5f3091
      SHA256: 129591d1f2a2ca691bff6f4722f59b2ff2f2a0a1d223ca13acf160109692066d
      SHA512: 7970adbf7e91d9ee2d28e60717bed6ae4f9689674c0dbca3ad626cdb779a2ea17b8af219741868b903a988d2ab218f762d085570b03d83e500c75bee52b4161f

    • C:\Users\Admin\AppData\Local\Temp\removalfile.bat
      Filesize: 43B
      MD5: 9a7ef09167a6f4433681b94351509043
      SHA1: 259b1375ed8e84943ca1d42646bb416325c89e12
      SHA256: d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
      SHA512: 96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

    • C:\Users\Admin\AppData\Local\Temp\tmp42E2.tmp
      Filesize: 195KB
      MD5: d69ea28d59dde422d85091413fd99550
      SHA1: f7c35d4bd3e8b4d46a58bcc88533a3cf0d5e8e95
      SHA256: bcd44cb409fbe0330b3569e87ddfc87346a4f41991a84df76563893b73c2c729
      SHA512: eef9263a8053411e65e7ed2d82972950ba601276c434d594d4e59f5baf88cd7454c54479d9e90948cd28db51834285d8c1ab9682b9c7ea71946e667c23834316

    • C:\Windows\SysWOW64\ljJDSJdA.dll
      Filesize: 1KB
      MD5: 2de74de3e0120d8d69a597b41453a2a4
      SHA1: 51ea2b653ed73cea31932c8529cfbfd3f4af457e
      SHA256: db7f973b1ff888e4f2af0eeed78e70abe2ebe3b3b3f2ee34203f2193c97d5cd0
      SHA512: e3bc87252fe6838ede6b8784136b708de72539192e143f6fcf2aea8931757b29937cbc46b30183a6a483e80bf58358c8d26baf9835422c84608e19c2e27a3934

    • C:\Windows\SysWOW64\retinascan.exe
      Filesize: 53KB
      MD5: 8dff6ed5e52b67460e5ce81e9be4121d
      SHA1: 958a03f9ecc0ccc3695257b388838ac75d631f9d
      SHA256: 202cbe47018c1ef372496552697e650126411943061ccd1008b6faa28a02c3bb
      SHA512: a65eba95bfa01bd974ed05048936622bfa72e566e4befabf4a6a754d33c54f2cc035d311ef985bda5d4c613e24e6fbe616d18bdc20d52bccc86e5552d1716446

    • C:\Windows\SysWOW64\urqNDTNH.dll
      Filesize: 35KB
      MD5: c30f166e300a94517e42bbe036ac1d28
      SHA1: d9ba2ca0d17347520ff95f16f399a608e88fd575
      SHA256: d0a683f95e05c326c6d77bfeb4b7ba7df67fe90538c5d2774c486b8e0c68389b
      SHA512: aa56f4fc81f958af0b9677a240858561c62e24236b56c8e4c3ad71c211192e1aadae3bf54aeb4ca8f4f43ba732fab4593c4b226e97d74689ac1a2b9ba04162e3

    • memory/3300-18-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
    • memory/3300-26-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/3300-45-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/3300-27-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/3300-28-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/3300-19-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
    • memory/3300-16-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
    • memory/3300-17-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
    • memory/3952-88-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/3952-80-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/4512-67-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-3-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-103-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-0-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-42-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-56-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-61-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-62-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-51-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-87-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4512-2-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
    • memory/4900-41-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/4900-39-0x00000000027A0000-0x00000000027A7000-memory.dmp (Filesize: 28KB)
    • memory/4900-38-0x0000000010000000-0x0000000010014000-memory.dmp (Filesize: 80KB)
    • memory/4900-40-0x000000001000E000-0x0000000010013000-memory.dmp (Filesize: 20KB)
    • memory/4900-43-0x000000001000E000-0x0000000010013000-memory.dmp (Filesize: 20KB)