Resubmissions

16-12-2024 12:25

241216-pls9vszpex 10

15-12-2024 04:22

241215-ey8j7swkam 10

Analysis

  • max time kernel
    1799s
  • max time network
    1798s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-es
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-es, locale:es-es, os:windows11-21h2-x64, system, windows
  • submitted
    16-12-2024 12:25

General

  • Target

    f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe

  • Size

    28KB

  • MD5

    f24516e2e02ab686e09717a81c107361

  • SHA1

    381f0ebaaf5e6680003d3c2faff66435e75e70fa

  • SHA256

    c425e7ac539d1829382242ccc5201c520cda3d3f219bd80241c5ddc5b355733e

  • SHA512

    0e36547ba20883ffcf6475a54cda201190488701c248786e0691ca628952f8620a57fe859c900cb0d139777f0005e644b04f633d9dcee0bcc1821514bfdcb24b

  • SSDEEP

    384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNrpjaCNgw:Dv8IRRdsxq1DjJcqf0jaK

Malware Config

Signatures

  • Detects MyDoom family 27 IoCs
  • MyDoom

    MyDoom is a Worm that is written in C++.

  • Mydoom family
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f24516e2e02ab686e09717a81c107361_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 48280
      2⤵
      • Program crash
      PID:49148
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792
    1⤵
    PID:49116

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\piJtnV.log
      Filesize 1KB
      MD5 a2409d4cd6ef439d1dc6002649ddc879
      SHA1 b1881e66a1131be57187bd2efb9b8ec3cceeb149
      SHA256 e42d0dbd5b4655f6e16916a0148e20f205f82ffea3acb8ea8230f641adc943cb
      SHA512 4dafaf31df9b64714976b352a996e4ec55da17b22958951e9e83448b2d63ac999d9984a5bc3954758cde21557e4ae42473aa8c63335f595d65899b37f8aaaf6b

    • C:\Users\Admin\AppData\Local\Temp\tmp8E3D.tmp
      Filesize 28KB
      MD5 92ff616219344826991c9c951ca595f5
      SHA1 f0210df4c65951f3c4b97254bf5f471f3b5eb148
      SHA256 26ac8be31655c9cb70f89559b6171e41ef01b33eeebbeea5d789323839a51883
      SHA512 b8612c0d18bb96bfa890116785c2b37febd1d03b89e760bdde7d31f64cd370f7314c2646826bb1ca63f8d30e902d3aadcccbffdc5a2f2b8973f7bbf3df531da5

    • C:\Users\Admin\AppData\Local\Temp\zincite.log
      Filesize 1KB
      MD5 fa7ff1a60fd034cd505c43080ed7562d
      SHA1 a633c83c93b972812e0a7442614c82e8b40fc908
      SHA256 bdb50ae327bc4deb8c4c4c9c688f3cd6a4a192f2ecfa93ba916d4d7f3b0ad109
      SHA512 9d1d21376c04f7f41f0d321e6cc1d683850ec07dc0c6f93957e8442711ae87deaa85b5f4c002bb8614e1a0c7924192682a464e23c40a6cf88dfe2f743ac75190

    • C:\Users\Admin\AppData\Local\Temp\zincite.log
      Filesize 1KB
      MD5 87da510e04ce10ef77904e34b3997cd4
      SHA1 91cc6ed840d630144d7e5f281efa63dda9db10e3
      SHA256 d0a41a4ffb3eadad9d8c4e762fd5398ceb5b42b5ba42c6a6680e243532d1d141
      SHA512 c10f8818ef242c557314ee8cd7428cb5b8edc01b50ca4cc765134e5c008be5528732f64503518cfa660bcf35ce64cb316432f34c0cf3decd0a82cdda2a0b9e46

    • C:\Users\Admin\AppData\Local\Temp\zincite.log
      Filesize 1KB
      MD5 c2ff861887b71e66a4ca8ef24175dd2a
      SHA1 0ca2b9d502d3ac36466593d305c950d5c6841235
      SHA256 42898faae8f0b05d1de5999673b85a91b9747eace2437d0b2555ca39a18443d2
      SHA512 0aebcd9b1ec40f63788b6a383306f75b8318efd155cbd46bc65719a30f16f1600b27e54b011ce34ab383897991ad1e6a0478e1825196720cc113ba03f2249f07

    • C:\Windows\services.exe
      Filesize 8KB
      MD5 b0fe74719b1b647e2056641931907f4a
      SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
      SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
      SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

    Memory dumps (PID 1792, region 0x0000000000500000-0x0000000000510000, Filesize 64KB each):

    • memory/1792-44-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-130-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-154-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-149-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-37-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-147-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-39-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-142-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-161-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-103-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-137-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-49-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-135-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-159-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-56-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-125-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-123-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-63-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-118-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-166-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-13-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-86-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-631-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-91-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-105-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-93-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-0-0x0000000000500000-0x0000000000510000-memory.dmp
    • memory/1792-98-0x0000000000500000-0x0000000000510000-memory.dmp

    Memory dumps (PID 2792, region 0x0000000000400000-0x0000000000408000, Filesize 32KB each):

    • memory/2792-94-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-99-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-104-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-92-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-106-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-87-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-64-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-119-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-62-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-124-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-57-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-126-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-52-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-131-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-50-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-136-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-45-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-138-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-40-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-143-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-38-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-148-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-33-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-150-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-28-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-155-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-26-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-160-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-21-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-162-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-16-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-167-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-15-0x0000000000400000-0x0000000000408000-memory.dmp
    • memory/2792-6-0x0000000000400000-0x0000000000408000-memory.dmp