Overview

overview

7

Static

static

3

ed91324f09...18.exe

windows7-x64

7

ed91324f09...18.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    153s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2024, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed91324f0907b0f4b545b7520ab8e469_JaffaCakes118.exe

  • Size

    1012KB

  • MD5

    ed91324f0907b0f4b545b7520ab8e469

  • SHA1

    c473dfe2f0d04e65ef0a90c52b65d74a57991236

  • SHA256

    79ff73ebfde3c274add059b985205481e2a77cf5f04163ca3a42682b52bc44df

  • SHA512

    ba29fe6e5f12b5e084e6eb5cd715a8713ded394fd29641266124368ac7c782c376cf7c15ea46ef3453808fd792218981fdc7bc41af2e29bcc5c6f4cf5123d806

  • SSDEEP

    24576:I3YWhPxKAxGuAHSM1C7jYf96EAHZKF4n7S2NTtBT/:21hHgukSxjsA5KFUttBT/

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed91324f0907b0f4b545b7520ab8e469_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed91324f0907b0f4b545b7520ab8e469_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1857397.bat" "
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v ed91324f0907b0f4b545b7520ab8e469_JaffaCakes118 /f
        3⤵
        • Modifies registry key
        PID:2148
      • C:\Users\Admin\AppData\Local\541285.exe
        C:\Users\Admin\AppData\Local\541285.exe -i
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1857397.bat
    Filesize

    437B

    MD5

    1f21acea505232af6b556c3ea870e5db

    SHA1

    e41bff81e902f0ebcfffa0ee62a880d504a0fdf8

    SHA256

    b0d1188b7b10d416a8d836e5e140abffb8b61397c1ad8d727a58befacfc64be5

    SHA512

    1cc760b0bdd484286f690e2b416e73cba0e41ce5f40f4879eb31a6580a42f3a79f98700da2cf37c3a54f34e9a4276632b0cc4eae5b318db2770656fb10198b4b

    Download Submit

  • \Users\Admin\AppData\Local\541285.exe
    Filesize

    1012KB

    MD5

    ed91324f0907b0f4b545b7520ab8e469

    SHA1

    c473dfe2f0d04e65ef0a90c52b65d74a57991236

    SHA256

    79ff73ebfde3c274add059b985205481e2a77cf5f04163ca3a42682b52bc44df

    SHA512

    ba29fe6e5f12b5e084e6eb5cd715a8713ded394fd29641266124368ac7c782c376cf7c15ea46ef3453808fd792218981fdc7bc41af2e29bcc5c6f4cf5123d806

    Download Submit

  • memory/2180-2-0x0000000000860000-0x0000000000A60000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2180-1-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2180-3-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2180-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-14-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-29-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3032-23-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3032-25-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3032-28-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-21-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-30-0x0000000000840000-0x0000000000A40000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3032-31-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-32-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3032-22-0x0000000000840000-0x0000000000A40000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3032-35-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-36-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-37-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-38-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-39-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-40-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3032-45-0x0000000000400000-0x000000000082F004-memory.dmp

    Filesize

    4.2MB

    Download