Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 08:23

General

  • Target

    f55d800089aeefa33670a16520c23f6e_JaffaCakes118.exe

  • Size

    460KB

  • MD5

    f55d800089aeefa33670a16520c23f6e

  • SHA1

    6119f3d72eb91542f98503488cc6280034b578a0

  • SHA256

    e56442bd1916ea10b4a761509e0652378886e2dd067d13e0050dc84686d84cd5

  • SHA512

    6ba9155c455ef61a2a475c6fb22d44c4fe780e1f11b3d7b7d0acfe4da524d4ea1d00c72392eade010615e90997b4dc4fd70717296adca95d0a44d84b468bbe0f

  • SSDEEP

    12288:RxBWWSniIBusV/CLghucc35WHlC18GFGNE2kz:bBCicZCLf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f55d800089aeefa33670a16520c23f6e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f55d800089aeefa33670a16520c23f6e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\emsp9kxbokdzo.exe
      C:\Users\Admin\AppData\Local\Temp\emsp9kxbokdzo.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe
          "C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:844
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\otextextractor.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\otextextractor.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe
              "C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2920
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3916
            • C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe
              "C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2892
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 2276
              6⤵
              • Program crash
              PID:4736
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe
              "C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 2504
          4⤵
          • Program crash
          PID:1152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ycfhbscv.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\attrib.exe
          attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\emsp9kxbokdzo.exe"
          4⤵
          • Views/modifies file attributes
          PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ycfhbscv.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\f55d800089aeefa33670a16520c23f6e_JaffaCakes118.exe"
        3⤵
        • Views/modifies file attributes
        PID:4056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3736 -ip 3736
    1⤵
    PID:3008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3916 -ip 3916
    1⤵
    PID:4300
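The tree above is the behaviour the signatures summarise: the sample writes a copy of itself to the user's Temp directory under a random name (emsp9kxbokdzo.exe carries the same SHA256 as the submitted file, see Downloads), the copy drops and launches executables inside other vendors' Program Files (x86) directories (Edge, Windows Photo Viewer, Acrobat Reader DC), adds a Run key, and runs a .bat through cmd.exe that calls attrib -a -r -s -h to clear the archive, read-only, system and hidden attributes on the previous stage's file. Two of the dropped Program Files binaries crash and are handled by WerFault. What follows is an added example, not part of the sandbox report: a small Python triage script that encodes those behaviours as rules and runs them over Sysmon-style events constructed from this tree. The event shape, the parent of PID 2360 and the Run value name are assumptions; the report does not show which registry value was written.

```python
"""Triage rules over constructed Sysmon-style events modelled on the report's process tree."""
import re
from dataclasses import dataclass

# SHA256 of the submitted sample (from the report). The Temp copy
# emsp9kxbokdzo.exe has the identical hash, i.e. it is a self-copy.
SAMPLE_SHA256 = "e56442bd1916ea10b4a761509e0652378886e2dd067d13e0050dc84686d84cd5"

USER_TEMP = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\', re.I)
PROG_FILES = re.compile(r'^[a-z]:\\program files( \(x86\))?\\', re.I)
RUN_KEY = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run\\', re.I)
# cmd.exe /c <path>.bat ; group 2 is the batch file path
BAT_FROM_TEMP = re.compile(r'\bcmd(\.exe)?\b.*?/c\s+"?([^"\s]+\.bat)', re.I)
# attrib -a -r -s -h "<path>.exe" ; group 2 is the target executable
ATTRIB_CLEAR = re.compile(r'\battrib(\.exe)?\s+(?:-[arsh]\s+)+"?([^"]+?\.exe)"?', re.I)


@dataclass
class Event:
    kind: str                # "process" | "file" | "registry"
    pid: int                 # acting process
    image: str = ""          # image of the acting process
    parent_image: str = ""   # process events only
    cmdline: str = ""        # process events only
    target: str = ""         # file written or registry value set
    details: str = ""        # registry value data
    sha256: str = ""         # hash of the image (process) or of the written file (file)


def triage(events):
    """Apply the rules in event order and return (rule, pid, detail) tuples."""
    image_hash = {e.pid: e.sha256 for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind == "process":
            if USER_TEMP.match(e.image):
                findings.append(("exec_from_user_temp", e.pid, e.image))
            if PROG_FILES.match(e.image) and USER_TEMP.match(e.parent_image):
                findings.append(("progfiles_binary_spawned_from_temp", e.pid, e.image))
            m = BAT_FROM_TEMP.search(e.cmdline)
            if m and USER_TEMP.match(m.group(2)):
                findings.append(("bat_from_user_temp", e.pid, m.group(2)))
            m = ATTRIB_CLEAR.search(e.cmdline)
            if m and USER_TEMP.match(m.group(2)):
                findings.append(("attrib_cleared_on_temp_exe", e.pid, m.group(2)))
        elif e.kind == "file":
            # A Temp-resident process writing into Program Files is the drop step.
            if PROG_FILES.match(e.target) and USER_TEMP.match(e.image):
                findings.append(("progfiles_drop_from_temp", e.pid, e.target))
            # Written file hashes identical to the writer's own image: self-copy.
            if e.sha256 and e.sha256 == image_hash.get(e.pid):
                findings.append(("self_copy", e.pid, e.target))
        elif e.kind == "registry":
            if RUN_KEY.search(e.target) and (PROG_FILES.match(e.details) or USER_TEMP.match(e.details)):
                findings.append(("run_key_persistence", e.pid, e.details))
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
PF = r"C:\Program Files (x86)"
SAMPLE = T + r"\f55d800089aeefa33670a16520c23f6e_JaffaCakes118.exe"
COPY = T + r"\emsp9kxbokdzo.exe"
HELPER = PF + r"\Microsoft\Edge\Application\92.0.902.67\ntity_helper.exe"

# Constructed events modelled on the report's tree. PIDs and paths are from the
# report; explorer.exe as parent of 2360 and the Run value name are assumptions.
SAMPLE_EVENTS = [
    Event("process", 2360, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"', sha256=SAMPLE_SHA256),
    Event("file", 2360, SAMPLE, target=COPY, sha256=SAMPLE_SHA256),
    Event("process", 2036, COPY, SAMPLE, COPY, sha256=SAMPLE_SHA256),
    Event("file", 2036, COPY, target=HELPER),
    Event("registry", 2036, COPY,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntity_helper",  # assumed name
          details=HELPER),
    Event("process", 3736, HELPER, COPY, f'"{HELPER}"'),
    Event("process", 2548, r"C:\Windows\SysWOW64\cmd.exe", COPY,
          r"C:\Windows\system32\cmd.exe /c " + T + r"\ycfhbscv.bat"),
    Event("process", 3028, r"C:\Windows\SysWOW64\attrib.exe", r"C:\Windows\SysWOW64\cmd.exe",
          f'attrib -a -r -s -h "{COPY}"'),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:<36} pid={pid:<5} {detail}")
```

Each rule is deliberately narrow: a Program Files executable whose parent lives in the user's Temp directory, or a file written into Program Files by a Temp-resident process, is rare enough on a managed host to page on, whereas "executes from Temp" alone is noisy (installers do it) and is only useful in combination with the others. The self-copy rule needs file hashes in the telemetry; with Sysmon that means enabling hashing on file-create events or correlating with the process-create hash of the later stage.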

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize: 1KB
    MD5: 84cc91708c444c30647ef07922bac2f1
    SHA1: 97fec2794e5f14b4a9e54366d723d781161d7fb9
    SHA256: 3e95b831913d3d7205a09c98cc185943fd810f6e2582607a54fa1e9cc30731aa
    SHA512: cc75685d2259bd362c076ce4941e9ce19d129801a9337e5d44f91de332d67f64f921d1a5870bf9ab5375ad2bc95a98398d7de91a8b72887767532e5933b3a175

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize: 724B
    MD5: ac89a852c2aaa3d389b2d2dd312ad367
    SHA1: 8f421dd6493c61dbda6b839e2debb7b50a20c930
    SHA256: 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
    SHA512: c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_A1F02DC8148108B28D2F0231550FD784
    Filesize: 472B
    MD5: a8c92c40a8b5a846076104fe775654c1
    SHA1: 7abc0826dad6438508eafa44908d7e70cff6c75e
    SHA256: 6b208617e19e7a263d9242d8c7ae5426920ae7ea3506f6cc04699200b4726c43
    SHA512: 29cbb1ca768bf2e6dea2481e4d430acd12996f8ef1ce44e16e7c413a268f0e43e9339229f0c6d0a237c78bab850a26fd03af7c6fcdab840aeb34003017b8d5e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize: 410B
    MD5: ace164e12f7029f14af7204982a9d8c8
    SHA1: 8c96a2803100929db14751623684540ad7307c6f
    SHA256: 48800785fafbcc8e802c461966f7e311c5e2c0804d00e53ddd5406776e747138
    SHA512: 017f4f797064b847dafaef2e95d29345d30a40c1edcea068f33184c50a776b8450e0c906490acce20dc0917e3710020c94236e3fe78c40daa27187042888a7e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize: 392B
    MD5: ade2db6e8f1a59523aaaa94c847e6e55
    SHA1: ae16dcb08fc71a74756390625eb99a58e656ce31
    SHA256: 0f54a8447ae4643e9deec648ce44c6bc4c0ccec1756e98597eb98a35aa476b3b
    SHA512: 27c016b265bc9484808d3a39f417777b17b67edb5bf56ad8fcc77f953a33c9491ae4354bca80193411aaf6ce0bc14024ca8dd7684420a11adaac91d18efac328

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_A1F02DC8148108B28D2F0231550FD784
    Filesize: 406B
    MD5: a6295adc5cc9c5b9b3bf04df74af528c
    SHA1: 8d274d21431a424f494a269f528a4630a71ffa44
    SHA256: 6aa3f069d306da61abd9f51d053cf500ed3506202ac31a02c121c363197e52c0
    SHA512: 8f900333f9d30d3bc90bd846f6b1cc80dfad340812b9818fb6f9798880e01adc04cd96206edf2f97e1d2ad92569f76bbb63527282071a362605ea490aa4b439d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4H6GDT3Z\LIRZFQ93.htm
    Filesize: 18KB
    MD5: 7b0af3c0316f7f3d76e0a45c1651a301
    SHA1: 8320ae0c690b1d2f8752eb488a686ed69bf55ddd
    SHA256: a14fb6bef3d56e3698b38dd81a72742bbaeb2820703b0c44c7010e9aeb5e8fa2
    SHA512: 91cd66abd2ff87db82fa324e2a09662c1a39af7f6618df611e04865d331a62480b1dcb814082ba93aac1a3b44e85328dc72c453695fc3434d2a6b647eb73eefd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FM7P9K7Y\googlelogo_white_background_color_272x92dp[1].png
    Filesize: 5KB
    MD5: b593548ac0f25135c059a0aae302ab4d
    SHA1: 340e2151bb68e85fe92882f39eca3d1728d0a46c
    SHA256: 44fc041cb8145b4ef97007f85bdb9abdb9a50d744e258b0c4bb01f1d196bf105
    SHA512: b869acfb5a4d58248c8414990bad33e587e8d910f5cb12b74a96949305d5cd35bd638394a91a7f3a9e675f5cc786dce01f1587f5ade9cae19cf09e18dbea0306

  • C:\Users\Admin\AppData\Local\Temp\emsp9kxbokdzo.exe
    Filesize: 460KB
    MD5: f55d800089aeefa33670a16520c23f6e
    SHA1: 6119f3d72eb91542f98503488cc6280034b578a0
    SHA256: e56442bd1916ea10b4a761509e0652378886e2dd067d13e0050dc84686d84cd5
    SHA512: 6ba9155c455ef61a2a475c6fb22d44c4fe780e1f11b3d7b7d0acfe4da524d4ea1d00c72392eade010615e90997b4dc4fd70717296adca95d0a44d84b468bbe0f

  • C:\Users\Admin\AppData\Local\Temp\o5rxyx0glqbp.txt
    Filesize: 6KB
    MD5: 9942373421fe2d5483232426e485178d
    SHA1: fa239a2ebc5e301b4b9e7e182cadb47a01cef230
    SHA256: 5eb3fb331d3f9b63ed70df8d05ef7f955110df9b2946e0691284e0576802fc99
    SHA512: 43f33d9cb7f5101c620891d3d26977ad8bc591c1e7ca5e1de1a792510964ae9daff5060ccee26a563a41f20e94b0fe829c6331525efe34cad729c720456db346

  • C:\Users\Admin\AppData\Local\Temp\ycfhbscv.bat
    Filesize: 263B
    MD5: 3b3790cb03866d7a8365cbc855f24369
    SHA1: 1e37929e9f859e63deb21b4be414fd83e8b9cedc
    SHA256: 5de9948d828e60b16482c38e21ac1e0b62fb5e12c16511d765eb56361373af54
    SHA512: 4c40e516892350e246daea2aa5b16239261f89deb0c4829aaf2b8c810bef0610012c097fa47412e0109e1edcd77859c6ff836367d1a86db55b69507823a91079

  • C:\Users\Admin\AppData\Local\Temp\ycfhbscv.bat
    Filesize: 362B
    MD5: 607d70af5b894816c390c5a9247a7fd1
    SHA1: 7b2f7c4f92fc5990f6dc1a9bf6f9e7f68f229e35
    SHA256: 0fc92493ecb051449de208bde1537f81063d8d31fa28e5a45536f17ac8ad0ee7
    SHA512: 46eb2ec56f71920acb4d25b496af54a334d0c0bee4eb0ffe600b864c24391e68e07cf554596ab8dc05ec510744cf92c3a07e52331fd67e03a897da3a712c5008