Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 23:30

General

  • Target

    17f1e443761a951d39ee00d9fb9ee94d_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    17f1e443761a951d39ee00d9fb9ee94d

  • SHA1

    3977df63ec554d145f56212467dd1361a7b7ca0a

  • SHA256

    607f14870fda6bc4f03dfd25231ebd918355842be2d55580fb1e69cc60b27c09

  • SHA512

    f29f8b2bd637625dc9f56dbd80431c006c10c711940baca2a169d6729215f1e74a00f499fad1627835b24ce53f5986df5cb9e6734392eed33e1ca975b6edaca5

  • SSDEEP

    3072:T3jIpK9xKA9w2p4QZisLaazNiIIkyyqN4oQZiE9vOGy:T3cpKxY+1isuazgfklcWvm

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17f1e443761a951d39ee00d9fb9ee94d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17f1e443761a951d39ee00d9fb9ee94d_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Admin\zaigai.exe
      "C:\Users\Admin\zaigai.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\zaigai.exe

    Filesize

    152KB

    MD5

    7d9b3f0f8ce463f2921b0d9bcc4e383b

    SHA1

    a6988b144f0a40cc35708b479073c496586305c2

    SHA256

    63bf2b36a473e38b1fd3add2db1ac36a7564b4c735d473c00663ac1d673a3f2a

    SHA512

    20415430c7d1c1b0086c231fae15bd6ec0ccf896006df582e3d221bf21ab1bd11cfa004139b8b4a9c4fccfce87f50814f4fac0193c0d94df6b6062cc3fd062b5