Overview

overview

8

Static

static

3

227055efda...18.exe

windows7-x64

8

227055efda...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    227055efda5b3a7a08e641cea942d42d_JaffaCakes118.exe

  • Size

    306KB

  • MD5

    227055efda5b3a7a08e641cea942d42d

  • SHA1

    53a0c4ccab3debe1de69cb93229a795ca202c868

  • SHA256

    899d7ecaafc66af4c4931176d91cb6186520e2ec3c76adabb0806cf8ee1119b6

  • SHA512

    c567489da0a7c52b67e96e0a4ce61da38075407a4b613d1f7a8841c804391e2e856642fbc3ee113c8d937bc647f2742f340e89b14d450b54178169c954a6c470

  • SSDEEP

    6144:vRCPLFtCGNgE+kU9e33G7kMgFBHwNrqVJobzr8y:vRCPLFbuEPvHsqVJobH

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\227055efda5b3a7a08e641cea942d42d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\227055efda5b3a7a08e641cea942d42d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Local\oca.exe
      "C:\Users\Admin\AppData\Local\oca.exe" -gav C:\Users\Admin\AppData\Local\Temp\227055efda5b3a7a08e641cea942d42d_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:2968
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\oca.exe
    Filesize

    306KB

    MD5

    fd08cf8afdfda3803dd6c004be2fc314

    SHA1

    98a75807bd58c6eafe558b343ab7b30824ecbd9d

    SHA256

    b5d61708594490e5aaff9a8d2c04127e100616d1877a032ef4cb974f026a2dbb

    SHA512

    8b839595b281d7df6499a2315f7c717df0e60e6595697539344423bde1dc95cac9167e78543b4badc0fb771a116e7c8849fb8ef8a3bd57a9d2f46a46f4631d37

    Download Submit

  • memory/2140-13-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2140-2-0x0000000000401000-0x000000000045A000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2140-4-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2140-0-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2140-14-0x0000000000401000-0x000000000045A000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2140-1-0x0000000001ED0000-0x00000000022DE000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2628-34-0x00000000029C0000-0x00000000029D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2968-15-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2968-16-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2968-18-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2968-17-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2968-19-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download