Overview

overview

10

Static

static

3

1a373251ae...18.exe

windows7-x64

10

1a373251ae...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a373251aee83c1d463d78a008f0ea0d_JaffaCakes118.exe

  • Size

    228KB

  • MD5

    1a373251aee83c1d463d78a008f0ea0d

  • SHA1

    022b8b0e1ffce77745b6135c8e73c655184a3c51

  • SHA256

    40b868f699c522fd8542ccf1a2f52d99801c0928dc2dab6bdaa153e1883d6859

  • SHA512

    99749d22aead59ce4b4cd6d62dcb016fd3fa90417385f8fc1230d30b0e95ca930d349b76e99ce3a891f6c6ee0f39db540d12d664bd8ab986656b435cd5972656

  • SSDEEP

    768:JWO+aqbbfbYpgNFmqchFsTR4KydW/s9dXziRSLbry75rVilqwMUTLIlnS70XIL70:ArsMUFrDY/cNeRSLy75r8AZUTLIl9f

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs
    evasion
  • Disables RegEdit via registry modification 9 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • ACProtect 1.3x - 1.4x DLL software 6 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 27 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 22 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a373251aee83c1d463d78a008f0ea0d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a373251aee83c1d463d78a008f0ea0d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32.exe /s C:\Windows\system32\au3k2v9h.dll
      2⤵
      • Loads dropped DLL
      PID:1256
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\eeamapos5.dll, SystemServer
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\ridxv.exe
      C:\Users\Admin\AppData\Local\Temp\ridxv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Users\Admin\AppData\Local\Temp\l8a396i7.exe
        C:\Users\Admin\AppData\Local\Temp\l8a396i7.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2576
    • C:\Users\Admin\AppData\Local\Temp\bh9fbfk3fx25s0j.exe
      C:\Users\Admin\AppData\Local\Temp\bh9fbfk3fx25s0j.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        C:\Users\Admin\AppData\Local\Temp\install.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1128
      • C:\Windows\lsass.exe
        C:\Windows\lsass.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1272
      • C:\Users\Admin\AppData\Local\Temp\wininst.exe
        C:\Users\Admin\AppData\Local\Temp\wininst.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1600
      • C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
        C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1320
      • C:\Users\Admin\AppData\Local\Temp\drweb.exe
        C:\Users\Admin\AppData\Local\Temp\drweb.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:2004
      • C:\Users\Admin\AppData\Local\Temp\nvsvc32.exe
        C:\Users\Admin\AppData\Local\Temp\nvsvc32.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:2900
      • C:\Users\Admin\AppData\Local\Temp\cmd.exe
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1816
      • C:\Windows\iexplarer.exe
        C:\Windows\iexplarer.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:956
      • C:\Users\Admin\AppData\Local\Temp\avp.exe
        C:\Users\Admin\AppData\Local\Temp\avp.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        PID:1848
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
        PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p2hhr.bat" "C:\Users\Admin\AppData\Local\Temp\1a373251aee83c1d463d78a008f0ea0d_JaffaCakes118.exe""
        2⤵
        • Deletes itself
        PID:1588

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    1
    T1490

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\l8a396i7.exe
      Filesize

      29KB

      MD5

      23dbc5e7e623e3e419ecfd171213d1a4

      SHA1

      598687c892428d75182924fa972751f7688fedf0

      SHA256

      2b2f9d82a6874d5c1ab0d37a2d8f10fdba0344ddd06aa4e68a6a38aedefdcbbe

      SHA512

      3e7ae53302cffd84eb5e566f7e4e575033355d2501a13fc6a34af099fe171662d33c03d4a1c8f78e27be579a5685b52ab2abb08ad58a57ef23c281a14fa747b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\p2hhr.bat
      Filesize

      46B

      MD5

      4eb5eeba568b8c5912ccd65442c964ce

      SHA1

      b4af6dd121ef6a57e5799e812bb795db0659a8a1

      SHA256

      a0620011f49bc3947e6d1d8c45c3135f640c331b679ed0eb6f97d7028ec113e6

      SHA512

      671b8be20b29af30450d4a36c8f71d6bc29718cfcac35b3788cd60c8141206ac3081a93c094234a6c7d1126e4690ce6536ab9a6535072d80a866b1ce83812b89

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\yawghd72y7huhd.tmp
      Filesize

      4B

      MD5

      831d083d073a75faf6382b4dfc4c5d00

      SHA1

      e14f9c00e6fbd690eaa8744531b3728e5fc397af

      SHA256

      e8e38a319cac0e24fcd55cb71bcbd252253ee56b2ec17d4f86c060f13990e6b2

      SHA512

      5d5dfa0b1a66f3edfb458cbf7f4cf1234a44967b7e172a1cf8468cc3d6ebfe08e3946de536efe1297f0e52bffba2ba61c12193874196331b891c209f703351a6

      Download Submit
    • C:\Windows\SysWOW64\au3k2v9h.dll
      Filesize

      29KB

      MD5

      5c4d06fe227d3a5dc48777cb9ebc7ef7

      SHA1

      f71e593eb7141cf4450f5cad0de6dfd528339749

      SHA256

      4e28eed9dd4cf48f72cf235d23066784298720a6215facdfbaf44d5cb60474c4

      SHA512

      f737730fae1db1b5de054c05beb3f65d5d7f350cfd4b6fa0f26c809b7f52208a4507033539bc05bb36d929b82661eb497d3e8efec475ca4286631dc32a102343

      Download Submit
    • C:\Windows\SysWOW64\eeamapos5.dll
      Filesize

      29KB

      MD5

      fa9815a7b21fc6bdac4ebab1c8d6b685

      SHA1

      5b5712306c0d194f7d0a1a7d1c1462b5f3c594df

      SHA256

      086fb43eb71f1ed527124149d7e93310ea73678197a94453e273fead9cd60e11

      SHA512

      2cbd7c5f19c84847046403c9be28e4c189de69b0786ba846162b2f58586c3787d3680a9ce184e19b6309ddbc1b291246cab71d8e04cb0595d5c37af6687804f8

      Download Submit
    • C:\Windows\iexplarer.exe
      Filesize

      58KB

      MD5

      47731a606c225b0e245e965dbc5c8e41

      SHA1

      d44c7ef79cbdeaa4b8af1bc6d0f8b547269a1621

      SHA256

      8df70c595f54f54e48f7d1ac26fc2529ce27ee5db66e629013b9ea6db3c35532

      SHA512

      398cdb16f9243b89b4cb758225eaabc04719babaca11ffd2072e85edfac25693dd638ee006ff8959555c18b5af9e672936bc1a26dfcc6db9e107db10bb23756f

      Download Submit
    • C:\Windows\lsass.exe
      Filesize

      58KB

      MD5

      993767ee2ffecda53293faf008b1e672

      SHA1

      5f869d9ebf0d5f666595c6743b8ed2c8ddb57a01

      SHA256

      ec3b5a407735d71c6d71bfd954000338e91fed68c5273f5901983a37afd0da0a

      SHA512

      18abe23d90bd64a2f87109e23d3e71764bfda30f27629460e5852d9bc77c1ef50b31e51ac4fca133aa213a9aeb60bc0cfb8a4479e0bce304b7132f5ba94d8b43

      Download Submit
    • \Users\Admin\AppData\Local\Temp\avp.exe
      Filesize

      58KB

      MD5

      6278f41d3eaaeac8e6f99943cfc8901e

      SHA1

      e2e7e46a75b63e6859715af18ac4fd86a8916c7d

      SHA256

      07e23c55ad0c1573c3f9a6d0c92a223c65b94bed0f6c718251712f8b2985647e

      SHA512

      33b5b4790d3ec5cae8cc3ad4de8f957eb5955a22431e5fa1f2561d4153b50d239940c63902660e938c739670b904c0ad9004fcd399ba225ce867f121ba5d6812

      Download Submit
    • \Users\Admin\AppData\Local\Temp\bh9fbfk3fx25s0j.exe
      Filesize

      58KB

      MD5

      549b38636d376d6f35e92809da5bbc24

      SHA1

      1dfa1224e21e8db7ebfc97eb0112b42e6c6347fd

      SHA256

      13cdbc72c3a4e00ea7c77a45cb514d09821cd279b088e2d92be4c3ee1d438131

      SHA512

      943f39ece4452298d61126e793a8caf7e7c4c14f4859d1bb195a7d2cd8c1c9d2de52c93c03cb4868d6cff2cdcff1b5fc4762be775f7b925f7f4a60a2eb419b26

      Download Submit
    • \Users\Admin\AppData\Local\Temp\cmd.exe
      Filesize

      58KB

      MD5

      cd6369f02a6092f6b859588e15182cd9

      SHA1

      8dbd41a70f53b943b1574e2e1943ef40f22a3760

      SHA256

      0cf30e50b73b13e986b60fcfb5ac7cd85faa0a881d0463b6f08c5bfebd857acb

      SHA512

      a1a75dda022f0e1a5c7d82c0389c4e4fb96c0bdcdcdb222d4528343de8d1c6c6bb040fe3aeb8b200d4ecf540548bb2d65bda69a5b579b69f9b9b800dbdd87380

      Download Submit
    • \Users\Admin\AppData\Local\Temp\install.exe
      Filesize

      58KB

      MD5

      3333963a7c3fb1dfe30b529d7af5a333

      SHA1

      e69a4ce7b48935640e867455da04c0f7b9cce63a

      SHA256

      488358835f2d72122cb248c69a56cf9a7091ae31040b9e4216d10a1165d3af5e

      SHA512

      e326116ef29ca85be50579a31245a1aa61e045daafd16b2bd9cf3e863f4968084abb352202cba2121e982741ee2cf44f4ccd6daa73f5c023edac836b20333dea

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ridxv.exe
      Filesize

      29KB

      MD5

      602ae0ce460afec64cdf36383b949279

      SHA1

      bf9286b0bb0b2c13741877d0fce4df0d330a1f0b

      SHA256

      f8646cfaa18ee7aec4be0544af623418e9cb5834ee22c62a5534bb1c59d27fe5

      SHA512

      0668ea99e8e7166d99cbadf987aede84ad7db22eee2f317711da8a70ceb37a2a385509bb3ed960c96b38f256d98ef339d4bd222876b25afc9a03a15b0360d881

      Download Submit
    • \Users\Admin\AppData\Local\Temp\taskmgr.exe
      Filesize

      58KB

      MD5

      07b07c79285949744ddcba546edf879c

      SHA1

      684fbbc5c2813daf641d896fafa761b503062a2e

      SHA256

      bde69d1c9452f196adff8b5c84c51d39b384963d714221da59b683ea60a4b92d

      SHA512

      84b6b0cb119c6950e2dfe8660ca5687f0d6c8850365869fcdea5fa5849acf573c8647d134c71191588ef622d2de77ffdcea9249adfc6f93bbf979d7370186233

      Download Submit
    • \Users\Admin\AppData\Local\Temp\wininst.exe
      Filesize

      58KB

      MD5

      9affcaf0b71f2ab75bbd2c9491b8c6b3

      SHA1

      0a3b7cda799c8e2bc5254dbfaa39750f0ba14ab7

      SHA256

      239c45b1c2fb99960650cd774989b50141c6438b35cef283d81176ac9c5f25b0

      SHA512

      f6feb73223a7b3e341735c6acaca40b4c6aae452c9efd50dc33904da2ea2884eb8afe1ef8c6326d132768622cfecc98d0e53deb23613028a84598075e12a26a2

      Download Submit
    • memory/956-163-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1128-154-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1128-168-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1160-28-0x0000000000400000-0x000000000041F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1244-52-0x0000000010000000-0x000000001001A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1244-41-0x0000000010000000-0x000000001001A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1244-202-0x0000000010000000-0x000000001001A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1244-95-0x0000000010000000-0x000000001001A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1256-40-0x0000000010000000-0x000000001001B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1272-172-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1272-155-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1320-174-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1320-158-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1600-157-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1600-173-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1816-161-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1816-177-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1848-164-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1848-179-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2004-159-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2576-54-0x0000000000400000-0x000000000041F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2900-160-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-53-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-147-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-96-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download