Overview

overview

7

Static

static

3

09e130f6f7...18.exe

windows7-x64

7

09e130f6f7...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09e130f6f7840f0b9b38a6d93cd969de_JaffaCakes118.exe

  • Size

    464KB

  • MD5

    09e130f6f7840f0b9b38a6d93cd969de

  • SHA1

    3159890fb96c60c71ed5365de009226d089c97aa

  • SHA256

    270bd28a5b05a13315a8307378c3b5c33ed1b1e3cd87716a2d2a6bd597f59d23

  • SHA512

    d0a66bdcd091c81a5ab9656e0adb85a2aa5e20a9e87d9c5de31f42d79dbd0971ae2dcbf2acf490bb8610fc67d57fd9c65695dc74ce72d2fe5d1a28e472065d9f

  • SSDEEP

    12288:rZ7ElP0pGufmL5MZZWyan1sVsz/YM5m+J6t5tzD:FEloLmLOLWtn1r5hEtDf

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09e130f6f7840f0b9b38a6d93cd969de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09e130f6f7840f0b9b38a6d93cd969de_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 3040 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\09e130f6f7840f0b9b38a6d93cd969de_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\ribag.exe -f
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /pid 3040
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.1
        3⤵
        • Runs ping.exe
        PID:2652
      • C:\Users\Admin\AppData\Local\ribag.exe
        C:\Users\Admin\AppData\Local\ribag.exe -f
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\ribag.exe
    Filesize

    464KB

    MD5

    09e130f6f7840f0b9b38a6d93cd969de

    SHA1

    3159890fb96c60c71ed5365de009226d089c97aa

    SHA256

    270bd28a5b05a13315a8307378c3b5c33ed1b1e3cd87716a2d2a6bd597f59d23

    SHA512

    d0a66bdcd091c81a5ab9656e0adb85a2aa5e20a9e87d9c5de31f42d79dbd0971ae2dcbf2acf490bb8610fc67d57fd9c65695dc74ce72d2fe5d1a28e472065d9f

    Download Submit

  • memory/2708-15-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-11-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-12-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-13-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-14-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-16-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-17-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2708-18-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3040-2-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3040-5-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3040-1-0x0000000001000000-0x00000000010AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3040-0-0x0000000000260000-0x0000000000266000-memory.dmp

    Filesize

    24KB

    Download