Overview

overview

10

Static

static

3

ec3094e416...18.exe

windows7-x64

10

ec3094e416...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec3094e41698b618fa1e78c5be758ed4_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    ec3094e41698b618fa1e78c5be758ed4

  • SHA1

    862436641fed10c0dc4deba2d1d64ceb700a0cb5

  • SHA256

    1069b8d1bcda486810c3ddc3bf9cc43246f044b5538ef7cf0373562e04d4005c

  • SHA512

    9c673af1c48e25cdc9c9f29d4296fa896a7e0b4559240d1479d9d39021b66694ba227ef1c1f9a758ec3c79925d9798058ad22ff83818530e1f55cc234d43d549

  • SSDEEP

    384:P62OB3w11/1rvErbEFRU0nYKgeLIDxr3tQoznV7jE2:yzB3u19rcrw7aQgJ3Vf

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec3094e41698b618fa1e78c5be758ed4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec3094e41698b618fa1e78c5be758ed4_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\F27A.tmp.bat
      2⤵
      • Deletes itself
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F27A.tmp.bat
    Filesize

    207B

    MD5

    1734924276653475cc37c7c4274f8b06

    SHA1

    50cf9e5880c751ab9ab572e58744bce6fc90914d

    SHA256

    11a10c285044aa59fb15c705c52a2af1ad647af4b1666bcb07606e29148abcca

    SHA512

    661bfada2410a94e5f9b8b9add8624b322fb602c0cb4804baebacd34dd81f6f19e42ce80e2851fa6ce8d60acbcca9570a606fd24dfe93658888636f813d7c063

    Download Submit

  • C:\Windows\SysWOW64\xolehlpjh.tmp
    Filesize

    2.2MB

    MD5

    4cee3cab365531b0020c6579dd137d3d

    SHA1

    909b241dfbf13eef90c9227b51483594ac8fd5c2

    SHA256

    b8c212ccf8a6284202f16b64dcdd0dbd0d7b859119b00f6c960480739d2d95fc

    SHA512

    940af0bbd6c0fe335f88366efd7f3d3de0806c81c50441d50915985dfa2c0521d9a10bbc61ac05510900b37dfba37c624207a598bc2840af6602977511a65c08

    Download Submit

  • memory/2196-12-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2196-21-0x0000000020000000-0x0000000020008000-memory.dmp

    Filesize

    32KB

    Download