Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2024, 04:32

General

  • Target

    24a3dfc747808b77483a65c430c721aa_JaffaCakes118.exe

  • Size

    124KB

  • MD5

    24a3dfc747808b77483a65c430c721aa

  • SHA1

    108e8e7f9093a5fa42fbb6e19325e869b0b81881

  • SHA256

    a496bd08ff815c1e01ba5047107f92c56b25d089098a28acc4726eaa0d7109dc

  • SHA512

    cd538460d321a828bee826e5576c046c06da87a7482d40b7752e05e230d3f8cfa7aff6252bf4ab937ad362af276ad6092e7f6523437504681559541fe2129a51

  • SSDEEP

    1536:Ulszv5Yq8hRO/N69BH3OoGa+FLHjKKvRgrkOSoKNeG0h/x:6GRYNhkFoN3Oo1+FvkSyp

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24a3dfc747808b77483a65c430c721aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24a3dfc747808b77483a65c430c721aa_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\rvzaz.exe
      "C:\Users\Admin\rvzaz.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4220

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\rvzaz.exe

    Filesize

    124KB

    MD5

    e691f3ffd3a654a21180f8aec94d8729

    SHA1

    9d31f715bfc787242615ba0371de825978fa5e8b

    SHA256

    093929cbd3b2fc0daeea2ee0409cc55b2c3a232afa93611c4193eab2ec07b8f1

    SHA512

    0d9b34cedb28a313307d9d3982ac763131537d22cfa05710173535531ca67e68c5a60ee09cdfef3f3b6b33175971778b14be22305d22d2d6805173b850d05265