Overview

overview

10

Static

static

3

0783b33714...18.exe

windows7-x64

10

0783b33714...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0783b337146ac5047652304f76320c83_JaffaCakes118.exe

  • Size

    136KB

  • MD5

    0783b337146ac5047652304f76320c83

  • SHA1

    40050ae9bd4ff9f0f128751ab2399e0852c40251

  • SHA256

    3516387457324ae99923365d936641e512c8eec577c07cec1b1bc4be60fdb09a

  • SHA512

    404fd5cfd35a019f4c9f0debc99c77d0c9e5e9b2fb4212ba57594fc9467cb0eb37f5d37b08944a2402d7efb70bcb79cf43ce57dcb2b89724fd31c19ad7da133b

  • SSDEEP

    1536:YkskoBVL5nPn5QaTNUbaxaZ65gX4Pv9u2y0aZAbs/nLziow28fz+DliO3MxsawEN:/uVIkUbaxHg+g/nvif7hsAMW+8

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0783b337146ac5047652304f76320c83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0783b337146ac5047652304f76320c83_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Users\Admin\zuogiey.exe
      "C:\Users\Admin\zuogiey.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\zuogiey.exe
    Filesize

    136KB

    MD5

    4e3a1cb30e7889124aa4309c678d2c65

    SHA1

    9dff194a23dfbcad30f9745cbc0a291b40a58f95

    SHA256

    5951b0fd6029b1a41fb49f10476939d7eae30e01102e9a6bb432bd9d525fde73

    SHA512

    80d2db7b9d3f8499e1b37b1e49ada4c8d0e76124eecac166ff7ba741477cce2eecfc4ccdb2abfcf78a1588eb5a256e7730451d98b28b96f324917bdd502ccc36

    Download Submit