52b92a536bc1ffea65c2bdb27f51825d74f41926289c7a8d3f65b7400dddd483 | Triage

Submit
Reports

Overview

overview

Static

static

3

1ca75a402f...18.exe

windows7-x64

1ca75a402f...18.exe

windows10-2004-x64

Sharing

General

Target

1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118
Size

262KB
Sample

240701-1yattssdng
MD5

1ca75a402f294bb1335ff4eef986e32e
SHA1

9750128a6ee6b7f83436d99054113c056a6bfd10
SHA256

52b92a536bc1ffea65c2bdb27f51825d74f41926289c7a8d3f65b7400dddd483
SHA512

458d488b4c32c68b16a0b4d20167a07329025a72395cb8e6e10f9bde966f452bc58f11aae97e0a638519607b3705449dfed6c5f009918e1a860d139680d40c0a
SSDEEP

6144:+TpqGbdkGtc/pIG9puxV3XW27azxQBSfhmBrW9Yg3I/heafx3k:7GbdkGoIG2xVHW2m9QQJgWmg3SheafxU

Score

10^/10

evasion execution upx vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe

Resource

win7-20240611-en

evasion execution upx vmprotect

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe

Resource

win10v2004-20240508-en

evasion execution upx vmprotect

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118
- Size
  
  262KB
- MD5
  
  1ca75a402f294bb1335ff4eef986e32e
- SHA1
  
  9750128a6ee6b7f83436d99054113c056a6bfd10
- SHA256
  
  52b92a536bc1ffea65c2bdb27f51825d74f41926289c7a8d3f65b7400dddd483
- SHA512
  
  458d488b4c32c68b16a0b4d20167a07329025a72395cb8e6e10f9bde966f452bc58f11aae97e0a638519607b3705449dfed6c5f009918e1a860d139680d40c0a
- SSDEEP
  
  6144:+TpqGbdkGtc/pIG9puxV3XW27azxQBSfhmBrW9Yg3I/heafx3k:7GbdkGoIG2xVHW2m9QQJgWmg3SheafxU
Score

10^/10

evasion execution upx vmprotect
- Disables service(s)
  evasion execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

System Services

Service Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

evasionexecutionupxvmprotect

behavioral2

evasionexecutionupxvmprotect

© 2018-2024

Terms | Privacy