upatre | b5dbfb12aa5a97e5014e64be64a2e9368ae8bb84f97643b4078f6fc9f3e82d1f

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe
Size

13KB
MD5

1c6f661deddbf56c7b470f0fe8233370
SHA1

16060ae77e7d5b72df74649d5718daa75675eb45
SHA256

b5dbfb12aa5a97e5014e64be64a2e9368ae8bb84f97643b4078f6fc9f3e82d1f
SHA512

db6a93d748d73f39bc500b2f6fad2de95defed8a59fab435f2b88ad6e45a86742f88717db064880257b5a66adbdc61f84ec32d0f65076c77d0664c7535b0ac46
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7aylryylFyyTsqljy8PQ:v+dAURFxna4QAPQlYg7aylryylFyyTsv

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

1068 szgfw.exe
Loads dropped DLL 2 IoCs

Processes:

1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe

pid process

2756 1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe
2756 1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1068	szgfw.exe

pid	process
2756	1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe
2756	1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe

description	pid	process	target process
PID 2756 wrote to memory of 1068	2756	1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe	szgfw.exe
PID 2756 wrote to memory of 1068	2756	1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe	szgfw.exe
PID 2756 wrote to memory of 1068	2756	1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe	szgfw.exe
PID 2756 wrote to memory of 1068	2756	1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c6f661deddbf56c7b470f0fe8233370_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:1068

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
13KB

MD5
68279bbc03bc197e47cdb783638ea146

SHA1
0bbbbe6ceda76888e485609be6d36d54dc01577a

SHA256
98966d4024e06d5e9aec264a57ba3ad4409b443105d8107eacfefe043ed75ed2

SHA512
d730f0c92f245102af82d259612d00662f823a1c84b5d016caec34ab569939c8fe1fcc8f716df622c87ba7fe419a511739629ab418497d1a5d348fe4dc89706f

Download Submit