Overview

overview

7

Static

static

7

1a7a529b67...18.exe

windows7-x64

7

1a7a529b67...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    80s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    1a7a529b672d2d2487e58058145b03ec

  • SHA1

    d5fa4cccb347be0275cb1298255622daaff1431f

  • SHA256

    47cb3620b4a793bfcb4a3fa3a0ea0800515b2c31e0599cb5ea2acc1f4b881da6

  • SHA512

    c5e91bdc5ccc1bda1e8f6f018f7fb8a933ecab90cb9f3cc2dd672b02fbbad4b115fa638b2ee9467300865237e8789c5f0b1c778fe05dae5020e9033fd052cacc

  • SSDEEP

    24576:zAUgy2I8Zl3vtMphbSb6MEW5h3nsoAnHnWy+by0eKMZ6oky:zd9FoWphZMdv3soAHAKKPoD

Score
7/10
vmprotect

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfdami.com
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:264
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2172
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:17418 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1176
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfdami.com
      2⤵
      • Modifies Internet Explorer settings
      PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1992-0-0x0000000000400000-0x00000000006AF000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/1992-1-0x0000000000400000-0x00000000006AF000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/1992-3-0x0000000000400000-0x00000000006AF000-memory.dmp
    Filesize

    2.7MB

    Download