Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/06/2024, 12:58

General

  • Target

    1a357f19d85b3bffb9ad1b62726af766_JaffaCakes118.exe

  • Size

    151KB

  • MD5

    1a357f19d85b3bffb9ad1b62726af766

  • SHA1

    4d46cf42058dcc2088996aed4597cc0812a5ffae

  • SHA256

    0a7a08c67c08c95cc114c79caf2a926d90cbb7d8bc5fefbb1702e357fc65be3f

  • SHA512

    8f7a6159feccd0d424a54ca7a89bac700acf72cea5e78734ef424aa68754582337d29c3e8fecb04c492db578f35ba3e06e46687cfb43fc23c0a5b6296f1df5e0

  • SSDEEP

    3072:phEoyai+0RAJR3c3bzCYilEITQr2fVxSJnWQHp:pvh0RAJHlEITQKVxrQJ

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a357f19d85b3bffb9ad1b62726af766_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a357f19d85b3bffb9ad1b62726af766_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 560
      2⤵
      • Program crash
      PID:2700

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\autorun.inf

          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

        • C:\zPharaoh.exe

          Filesize

          152KB

          MD5

          b33e6bedad96fa077e35bcc9dac475b5

          SHA1

          67da81d2c2d323de6db5f8d71b369397642806fe

          SHA256

          1d9a73e2eedc839600f4a803d2e7df8900d7e892866fc37d99bba8ea0e1c1e44

          SHA512

          0f555b44da4a43b858aa5b9a00187afec62f41439fa1fa4aa03623b584773b6b21cb896013678e3e6eced1eedc8cdfe5832628eaabcff3dac7490e0934b892c1

        • C:\zPharaoh.exe

          Filesize

          152KB

          MD5

          95d90e795444a1726e2cf583a435cdfb

          SHA1

          6108024a14fb5e6f26292bd9a1962509096c49f2

          SHA256

          72289d46a02d1b95322c5d899667bc396ed383be122020045f852dee78b9f034

          SHA512

          3e850c7d99b08cae3564302b09e91ac63ebf508bf080b7dc9f145553d660811e8ec7f8b82b4bc5609d88ed3e945eaec5447d517461665712559ddeb714bf024c

        • memory/848-0-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB