Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/04/2024, 12:12

General

  • Target

    f7f76e16c35250221be9ce8db4f9813f_JaffaCakes118.exe

  • Size

    124KB

  • MD5

    f7f76e16c35250221be9ce8db4f9813f

  • SHA1

    6f5e8cfe352ac2fabad3f538a4ecf48408b85b26

  • SHA256

    23ff05a360b2f185a2b94ef4c63d47d6c692c92a666d9a5d67dcc13ef75e67a9

  • SHA512

    ac8e2e5da7409f1c2c3cf8078637e9108eebd7835120b7b29f8d97bc3743bd9e894a1735285d303a8c7c20bb7323eb188ac61245cb0131afe9dfd756d53fb79a

  • SSDEEP

    1536:eeb5EF53W/67NxkiQixA+alh98r8Y9USv1jy3wo7JaS4:pb5EF53W/67gjH8ri8ewQq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7f76e16c35250221be9ce8db4f9813f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7f76e16c35250221be9ce8db4f9813f_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\boiuye.exe
      "C:\Users\Admin\boiuye.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\boiuye.exe

    Filesize

    124KB

    MD5

    db44b3aa4987355ad526ac8c5862b4c0

    SHA1

    404a594e1133b649cdedcb16515d0a9dd64109ba

    SHA256

    1c7fdabccc47d41dfabffa707c54d8803311cc9e05d8223771a727555b47b140

    SHA512

    cf71eab1ea7a12905c34e97fae6fae5316b0d2d85bc91b23f164333186d3015a4f9ba8827fb373d6d7a5cc6e658deed7fb1ffe9101ad614547050ae2c49bd1c4
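The signatures above (a Run key pointing at a dropped executable in the user profile, Explorer settings changed so hidden/system files stay hidden) and the hashes listed under Downloads are the indicators a responder would hunt for. The script below is an added example, not part of the sandbox report: it parses an offline `reg export` of the user hive, flags Run entries whose image lives directly under a profile root or in `%TEMP%`, reports the Explorer `Advanced` values that control hidden/system file visibility, and matches file bytes against the report's MD5/SHA1/SHA256 values. The `.reg` text is constructed to mirror this report; only the hashes are taken from it.

```python
"""Offline triage of a HKCU export against the IoCs in this report (added example)."""
import hashlib
import re

# Hashes published in the report for the submitted sample and the dropped boiuye.exe.
IOC_HASHES = {
    "md5": {"f7f76e16c35250221be9ce8db4f9813f", "db44b3aa4987355ad526ac8c5862b4c0"},
    "sha1": {"6f5e8cfe352ac2fabad3f538a4ecf48408b85b26",
             "404a594e1133b649cdedcb16515d0a9dd64109ba"},
    "sha256": {"23ff05a360b2f185a2b94ef4c63d47d6c692c92a666d9a5d67dcc13ef75e67a9",
               "1c7fdabccc47d41dfabffa707c54d8803311cc9e05d8223771a727555b47b140"},
}

RUN_KEY_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Executables sitting directly in C:\Users\<name>\ or in the user's Temp folder,
# which is where both binaries in this report live.
SUSPICIOUS_IMAGE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:appdata\\local\\temp\\)?[^\\]+\.exe$", re.I)

# Constructed `reg export` excerpt (hypothetical; shaped after the report's findings).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"boiuye"="\"C:\\Users\\Admin\\boiuye.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""


def parse_reg(text):
    """Return {(key, value_name): value} for REG_SZ and REG_DWORD entries in a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            value = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg string values escape backslash and double quote with a backslash.
            value = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = val
        entries[(key, name)] = value
    return entries


def image_path(command):
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(entries):
    """Return (finding, value_name, detail) tuples for the behaviours in this report."""
    findings = []
    run_keys = {RUN_KEY_HKCU.lower(), RUN_KEY_HKLM.lower()}
    for (key, name), value in entries.items():
        if key.lower() in run_keys and isinstance(value, str):
            path = image_path(value)
            if SUSPICIOUS_IMAGE.match(path):
                findings.append(("run_key_user_profile_exe", name, path))
        elif key.lower() == ADVANCED_KEY.lower():
            # Hidden=2 / ShowSuperHidden=0 are also the Windows defaults, so these are
            # only meaningful against a baseline where the analyst had enabled them.
            if name == "Hidden" and value == 2:
                findings.append(("explorer_hidden_files_not_shown", name, value))
            if name == "ShowSuperHidden" and value == 0:
                findings.append(("explorer_system_files_not_shown", name, value))
    return findings


def hash_matches(data):
    """Return {algo: digest} for every report hash the given file bytes match."""
    digests = {"md5": hashlib.md5(data).hexdigest(),
               "sha1": hashlib.sha1(data).hexdigest(),
               "sha256": hashlib.sha256(data).hexdigest()}
    return {algo: d for algo, d in digests.items() if d in IOC_HASHES[algo]}


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same checks map to `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hive.reg` followed by this script, and to `Get-FileHash C:\Users\*\boiuye.exe` for the hash comparison; the Explorer checks should be read as a change from the analyst's baseline rather than as an indicator on their own.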