Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-04-2024 17:43

General

  • Target

    eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    eba294062d83291164fbe084cf076ebc

  • SHA1

    0685a368d99c938d5af514c0985e8a436d7b80f3

  • SHA256

    ca898de55807908e60ac2b2fd5d121fad3bae8e2f1facffad01f83741ef7c3e7

  • SHA512

    7e946e890b349e2d6c08da0e1f6497a879b76239b3e71ff26ce0091b4a120dc525c720f9f48380d6e3eb40778085fb53b60383ede9989c64a7c2150940802e79

  • SSDEEP

    384:/30T352o3pGmjLRxANhafz4cDgjsNWAG56:CI0YmHkNhhcU4

Malware Config

Signatures

  • Windows security bypass 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\RegWindowsUpdateXPtoVista.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x00000001 /f
        3⤵
        • Windows security bypass
        PID:2488
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\System\CurrentControlSet\Serices\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0x00000000 /f
        3⤵
        PID:2524
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f
        3⤵
        • Windows security bypass
        PID:2512

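    The three reg.exe children above are the whole of the "Windows security bypass" behaviour. Two of them set FirewallDisableNotify and AntiVirusDisableNotify to 1 under HKLM\Software\Microsoft\Security Center, which silences the user-facing warnings rather than disabling anything. The third tries to set EnableFirewall=0 for the standard profile but the key path is misspelled ("Serices" instead of "Services"), so the write lands in a bogus key and the firewall stays on; the report attaches no signature to that child. Note also that the batch file is launched as C:\Windows\system32\RegWindowsUpdateXPtoVista.bat but is listed under C:\Windows\SysWOW64\ in Downloads: the dropper is a 32-bit process on 64-bit Windows, so WoW64 file-system redirection sends its System32 writes to SysWOW64. When hunting for this sample, check both directories.

    The following is an added example, not part of this report or of any sandbox tooling: a small Python triage helper that parses reg.exe and cmd.exe command lines of this shape, flags the Security Center notification writes and a real EnableFirewall=0 write, calls out a misspelled firewall-policy path separately, and flags a batch file run out of the Windows directory. The sample command lines are constructed from the process tree above; the rule names and the list of Security Center value names are my own choices.

```python
"""Added triage helper (not part of the sandbox report): flags the registry and
script-launch command lines from a process tree like the one above."""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample: the four child-process command lines listed in the report.
SAMPLE_CMDLINES = [
    r'cmd /c C:\Windows\system32\RegWindowsUpdateXPtoVista.bat',
    r'REG ADD "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x00000001 /f',
    r'REG ADD "HKLM\System\CurrentControlSet\Serices\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0x00000000 /f',
    r'REG ADD "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f',
]

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
SECURITY_CENTER_KEY = r"hklm\software\microsoft\security center"
# Security Center values that, when set to 1, hide the warning (my own selection).
NOTIFY_VALUES = {"firewalldisablenotify", "antivirusdisablenotify", "updatesdisablenotify",
                 "firewalloverride", "antivirusoverride"}
FIREWALL_PROFILE_RE = re.compile(
    r"^hklm\\system\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(domain|standard|public)profile$")
STAGED_SCRIPT_RE = re.compile(
    r'^cmd(?:\.exe)?\s+/[ck]\s+"?([a-z]:\\windows\\(?:system32|syswow64)\\[^"\s]+\.(?:bat|cmd))', re.I)


def normalize_key(key: str) -> str:
    """Lower-case the key, unify hive aliases and drop a trailing backslash."""
    key = key.strip().rstrip("\\").lower()
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + ("\\" + rest if rest else "")


def parse_dword(data: str) -> Optional[int]:
    """reg.exe accepts 0x-prefixed hex or plain decimal for REG_DWORD data."""
    try:
        return int(data, 16) if data.lower().startswith("0x") else int(data, 10)
    except ValueError:
        return None


def parse_reg_add(cmdline: str) -> Optional[Dict[str, object]]:
    """Return key/value/type/data/force for a 'REG ADD' command line, else None.
    posix=False keeps backslashes intact; quotes are stripped afterwards."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    parsed: Dict[str, object] = {"key": normalize_key(tokens[2]), "value": None,
                                 "type": None, "data": None, "force": False}
    i = 3
    while i < len(tokens):
        opt = tokens[i].lower()
        if opt == "/f":
            parsed["force"] = True
            i += 1
        elif opt in ("/v", "/t", "/d") and i + 1 < len(tokens):
            parsed[{"/v": "value", "/t": "type", "/d": "data"}[opt]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return parsed


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over each command line; at most one finding per line."""
    findings: List[Dict[str, str]] = []
    for cmd in cmdlines:
        m = STAGED_SCRIPT_RE.match(cmd.strip())
        if m:
            findings.append({"rule": "staged_script_in_windows_dir", "cmdline": cmd,
                             "note": f"batch file launched from {m.group(1)}; a 32-bit writer on x64 "
                                     "is redirected to SysWOW64, so check both directories"})
            continue
        reg = parse_reg_add(cmd)
        if reg is None or reg["value"] is None:
            continue
        key, value = str(reg["key"]), str(reg["value"]).lower()
        dword = parse_dword(str(reg["data"] or ""))
        if key == SECURITY_CENTER_KEY and value in NOTIFY_VALUES and dword == 1:
            findings.append({"rule": "security_center_notify_disabled", "cmdline": cmd,
                             "note": f"{reg['value']}=1 hides the Security Center warning"})
        elif FIREWALL_PROFILE_RE.match(key) and value == "enablefirewall" and dword == 0:
            findings.append({"rule": "firewall_disabled", "cmdline": cmd,
                             "note": "EnableFirewall=0 turns the profile's firewall off"})
        elif "sharedaccess\\parameters\\firewallpolicy" in key and value == "enablefirewall":
            findings.append({"rule": "firewall_policy_path_typo", "cmdline": cmd,
                             "note": "firewall policy path is misspelled; the write lands in a "
                                     "bogus key and the firewall stays on"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f['rule']}] {f['note']}\n    {f['cmdline']}")
```

    Run as-is it reports one finding per child process; feed it command lines from Sysmon event 1 or 4688 records to reuse the same rules on a live host. The typo rule is kept separate from the real firewall-disable rule on purpose: the intent is the same, but the impact on the host is not.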
    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\RegWindowsUpdateXPtoVista.bat

      Filesize

      382B

      MD5

      1d57d9e49337b689e9c2b74a415cf023

      SHA1

      2c133ac97da77e9efbde350765d5d21d303203d3

      SHA256

      c8cd53423483d7ea743f73d4cb3e9a5d9d4f54e3499c59eac8cef900c8bba483

      SHA512

      a0560c190a6cb8aa3e992aadacdeedd76a4ac335f4196907bdfc31791e3e84d6c117a1c012b158cd672821f64868f45e292907808bc6be0c4759d53e3d36684b

    • C:\Windows\SysWOW64\SystemTimer-5474596193354\SecurityReference.dat

      Filesize

      86B

      MD5

      42ea79cf00bafad25192110fa7522772

      SHA1

      4d1ad5265aa1dbc89004f314dfab940815dceb95

      SHA256

      135dbe0c9319e22edb09265faf01cc32566961973464fb4b35e88b8273891e67

      SHA512

      3eacd014ccaf89ee7a1c18199285bcd17c14822c4cce43711988888350450ea20753b91de873b200718a712037a70b73bf759e6363665b98a2f2245850192f97