Overview

overview

7

Static

static

3

1a840a3c70...18.exe

windows7-x64

7

1a840a3c70...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a840a3c705ef55e0ed6262ac41d516a_JaffaCakes118.exe

  • Size

    267KB

  • MD5

    1a840a3c705ef55e0ed6262ac41d516a

  • SHA1

    ab570527a9f49389c6aa4ac4b55249eaa86b1cca

  • SHA256

    9d086957c0c5144e230854368a6b0eee11256b3797e194197b35cbfc91ffe825

  • SHA512

    62088596d2f3ad6a85abb0a71ca7571e2c88a9c65bccfa1065cfbe6c1783cf2850e102b7864789962a607167b10bebb1c6c37a95b5eb173f3cb5f079028c64d1

  • SSDEEP

    3072:kxvypKnQxFIsBEs6ijRj7v5tAvSNZHd0VYclOL2ZPhwo1XrwFEP4h:GU0sX5LtGSNaYc3Z1XrwFEP4h

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a840a3c705ef55e0ed6262ac41d516a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a840a3c705ef55e0ed6262ac41d516a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" "C:\Windows\system32\world2.html"
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2796
    • C:\Windows\SysWOW64\3..exe
      "C:\Windows\system32\3..exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 36
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\3..exe
    Filesize

    10KB

    MD5

    fef48b2345e8030fd734145721fa5f98

    SHA1

    4259e9fce66621889909833ad9d07fa29ec91135

    SHA256

    5ff8b971dfdcf93c673b8f0f76012de35d0a2ac11bda1ff3480d979efbc55ac6

    SHA512

    5c191c892f0a771902fcf9b593fae78499a8cb21c655867a3c6bbb3faf5caf466d705ec5fd8ce1d17625083dea9ce0da1feff01caeb4320df04a0038f724055a

    Download Submit

  • C:\Windows\SysWOW64\world2.html
    Filesize

    151B

    MD5

    c2c9349012ee49ec51945f5b2aa45935

    SHA1

    37e4651e12ce98c0e76bf727addf78b245830a72

    SHA256

    eb40c81ecb4d8eeb4c9810f834b7c3583c21388865f5290a9f5993021ca80a64

    SHA512

    1947544bccd6b6d2419db8cab17bf356e5e398fd93e8913ffb84ed90bed47370a8dc99d97f4d2e12957b25ef4bd7e4973c91b7238a98fbc79121f3fb7469c072

    Download Submit

  • memory/1652-22-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1936-10-0x0000000000380000-0x0000000000385000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1936-9-0x0000000000380000-0x0000000000385000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1936-18-0x00000000003D0000-0x00000000003D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1936-17-0x00000000003D0000-0x00000000003D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1936-20-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download