Overview

overview

7

Static

static

3

0bab4f169d...18.exe

windows7-x64

4

0bab4f169d...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bab4f169d2aba122c02c443ce219663_JaffaCakes118.exe

  • Size

    135KB

  • MD5

    0bab4f169d2aba122c02c443ce219663

  • SHA1

    30ec9995c5592801bd9ad4fdb63549bcc661c6a2

  • SHA256

    e9c77576f3f9e0820ea6c967b1585e24693378975d504adb061f22ba6cc77ccd

  • SHA512

    46e38de9e9968713b688019ede6ec931c22be8c1b76d4848705966e2e00a7aceb12aafc0875cf48fb4e12362f678f35217ae5fdbaa8c52d66e36cec226868d41

  • SSDEEP

    3072:MHcolp0kf1Ypet5hnBhOpPUgxnFfrN8O8yf3:XoTf1Ypet5po

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bab4f169d2aba122c02c443ce219663_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0bab4f169d2aba122c02c443ce219663_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1D31.tmp\1D32.bat C:\Users\Admin\AppData\Local\Temp\0bab4f169d2aba122c02c443ce219663_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\system32\schtasks.exe
        SchTasks /CREATE /SC DAILY /TN "Test" /tr "C:\Windows\Help\Trigger.bat" /ST 14:00
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1D31.tmp\1D32.bat
    Filesize

    1KB

    MD5

    82e112a12d87fbc6fd9a800c7e5d0bea

    SHA1

    95ff9f40cc08cf075d79610799b37b03b07edb31

    SHA256

    b4a2196eb9f54f5d3ed2534af7620cab8cc4a713adc063a19bdc7c99c4aa1e91

    SHA512

    7058c273a895963e9408782c34dc4f30bce94fdc1fd9d7817149f70131ea8942338a1ea423817689e77312a93ff1505b0b6bea2684d9653a3e9794ca039fd4ce

    Download Submit