Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 01:07

General

  • Target

    693d16878296d10d4609d9f9c277babd_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    693d16878296d10d4609d9f9c277babd

  • SHA1

    8944a160cb223b3998ed95fbe8c2a3a5c5993eef

  • SHA256

    982568fb61e27b7f208c1570ee1b11593c9892187b5ef8a41697ed516dcf838f

  • SHA512

    4a8f808d864b38abf6330091d2519130a26074d1b2924b02cdbc9a646e4b6f49da6c9b13c069f161a546c666e62cc08391f2fa4306ca07147ad0cf76ee3f7ce0

  • SSDEEP

    24576:nAHnh+eWsN3skA4RV1Hom2KXMmHae3h/BhURGV/K5ajc5:ah+ZkldoPK8YaeR/nUhaO

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    91.121.121.25
  • Port:
    21
  • Username:
    k1
  • Password:
    6E4o4U7d6E4o4U7d

Signatures

  • Executes dropped EXE (3 IoCs)
  • AutoIT Executable (2 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (3 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\693d16878296d10d4609d9f9c277babd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\693d16878296d10d4609d9f9c277babd_JaffaCakes118.exe"
    • NTFS ADS
    • Suspicious behavior: RenamesItself
    PID:4352
  • C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe
    C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2656
  • C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe
    C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:3340
  • C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe
    C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2308


Downloads

  • C:\Users\Admin\AppData\Roaming\x86_netfx-shfusion_dll_b03f5f7f11d50a3a_6.1.7601.22733_none_186920d0a287a16e\crtdll.exe

    Filesize

    1.2MB

    MD5

    693d16878296d10d4609d9f9c277babd

    SHA1

    8944a160cb223b3998ed95fbe8c2a3a5c5993eef

    SHA256

    982568fb61e27b7f208c1570ee1b11593c9892187b5ef8a41697ed516dcf838f

    SHA512

    4a8f808d864b38abf6330091d2519130a26074d1b2924b02cdbc9a646e4b6f49da6c9b13c069f161a546c666e62cc08391f2fa4306ca07147ad0cf76ee3f7ce0

  • memory/4352-6-0x00000000006F0000-0x0000000000825000-memory.dmp

    Filesize

    1.2MB