Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-07-2024 12:52

General

  • Target

    1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe

  • Size

    37KB

  • MD5

    1b5e9b41d4655cc7606ddd1e3eb99412

  • SHA1

    45b4030dcdaee61dc483bf6a7a247fb1a95da3e7

  • SHA256

    91ec9033043c030c6ceb73093da3dff25f8ec66446a4d2fedc45517fcbb0e471

  • SHA512

    6e0ebd92159ae527e584ed1c58a80f90f78f151b2940e75c40f6913edab8968bbc876a4d3b3e869ce9da0675608020b319db8edf1bc67a35fd9a5d00b13e0b7f

  • SSDEEP

    768:daRaNDkIPL0KvmjqW0jbWHJa2DcIPZ5clNs6fpv0/iAy1gLlH3Z4JEXNnbcuyD7D:dHNDkmLfmmW0waGCNs6KRy1gLlXZ9XNW

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Windows\ctfmon.exe
      "C:\Windows\ctfmon.exe"
      2⤵
      • Executes dropped EXE
      PID:3264

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    T1012 Query Registry (1 signature)
    T1082 System Information Discovery (2 signatures)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\240606593n02.dll
    Filesize

    66KB

    MD5

    ec39468e25be5f579339bbcf0b90317f

    SHA1

    dd8675cbf093194a05d94df6b71c649c4cab4803

    SHA256

    1749618bc984d1e546bfbb5c16bfcb9187c13b7e402a1f29a6a7eec86f743e43

    SHA512

    65f8cb19b82cb067d415597afd24ceacda253b7769784bd4c92c09536db91b87d509cde3280fc71397f5c3f2326a512fcfdd63a83bffbd20c343c3e1eb5db84c

  • C:\Windows\ctfmon.exe
    Filesize

    207KB

    MD5

    1c1760ed4d19cdbecb2398216922628b

    SHA1

    66b6158b28cc2b970e454b6a8cf1824dd99e4029

    SHA256

    d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2

    SHA512

    f058eda0c65e59105a7c794721697782f1e1db759c69a11dab09ca454aa89767addcc8ecefa54995527bc2cae983e44c9ed42b0973fdb47435b31428150b96db

  • memory/3568-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/3568-19-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB
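The report above gives the hashes of the original sample and the two dropped files, and shows the dropped copy of ctfmon.exe executing from C:\Windows rather than from its legitimate home in C:\Windows\System32 (or SysWOW64 on 64-bit). The following is an added triage helper, not code from the sandbox or the report: it carries those hashes as an IOC set, hashes files on disk in a single pass, and flags a known system binary name sitting in an unexpected directory. The function names, the SYSTEM_BINARY_HOMES table and the demo file written under a temporary directory are assumptions made for this example.

```python
"""Offline triage helpers built from the IOCs in the report above.
Added example, not sandbox code. Hashes are copied from the report;
function names and the demo sample are assumptions for illustration."""
import hashlib
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Hashes copied from the report: original sample, dropped DLL, dropped ctfmon.exe
REPORT_IOCS = {
    "md5": {
        "1b5e9b41d4655cc7606ddd1e3eb99412",
        "ec39468e25be5f579339bbcf0b90317f",
        "1c1760ed4d19cdbecb2398216922628b",
    },
    "sha1": {
        "45b4030dcdaee61dc483bf6a7a247fb1a95da3e7",
        "dd8675cbf093194a05d94df6b71c649c4cab4803",
        "66b6158b28cc2b970e454b6a8cf1824dd99e4029",
    },
    "sha256": {
        "91ec9033043c030c6ceb73093da3dff25f8ec66446a4d2fedc45517fcbb0e471",
        "1749618bc984d1e546bfbb5c16bfcb9187c13b7e402a1f29a6a7eec86f743e43",
        "d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2",
    },
}

# Legitimate locations of ctfmon.exe on Windows (assumed table, extend as needed).
# The sample drops its copy one level up, in C:\Windows, which is what we flag.
SYSTEM_BINARY_HOMES = {
    "ctfmon.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file with all three algorithms in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Return sorted (algorithm, digest) pairs present in the IOC set."""
    return sorted(
        (algo, digest)
        for algo, digest in digests.items()
        if digest in iocs.get(algo, set())
    )


def is_masquerading_system_binary(win_path: str) -> bool:
    """True when the file name is a known system binary but its directory is
    not one of the legitimate locations, e.g. C:\\Windows\\ctfmon.exe."""
    p = PureWindowsPath(win_path)
    homes = SYSTEM_BINARY_HOMES.get(p.name.lower())
    if homes is None:
        return False
    return str(p.parent).lower() not in homes


def scan_dir(root, iocs: dict = REPORT_IOCS) -> list:
    """Walk a directory tree and report every file whose hash hits an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            matches = match_iocs(hash_file(path), iocs)
            if matches:
                hits.append((str(path), matches))
    return hits


if __name__ == "__main__":
    # Constructed demo: a harmless file whose hash is added as an extra IOC so
    # the scan produces a hit without the real sample being on disk.
    with tempfile.TemporaryDirectory() as tmp:
        bait = Path(tmp) / "ctfmon.exe"
        bait.write_bytes(b"not a real PE, constructed for the demo")
        iocs = {k: set(v) for k, v in REPORT_IOCS.items()}
        iocs["sha256"].add(hash_bytes(bait.read_bytes())["sha256"])
        for path, matches in scan_dir(tmp, iocs):
            print(path, matches)
    for p in (r"C:\Windows\ctfmon.exe", r"C:\Windows\System32\ctfmon.exe"):
        verdict = "masquerading" if is_masquerading_system_binary(p) else "expected location"
        print(p, verdict)
```

Hash matching alone is brittle against a repacked build (UPX and VMProtect are both flagged in this report), so the path check is the more durable of the two: a file named ctfmon.exe written to C:\Windows by a user-mode process is suspicious regardless of its hash.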