Overview

overview

7

Static

static

3

26f97eb79f...18.exe

windows7-x64

7

26f97eb79f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe

  • Size

    743KB

  • MD5

    26f97eb79f7217579fcef497133a5178

  • SHA1

    8544305857d33d6b88502dc0a527a21dc4175f25

  • SHA256

    e56da3f5db3bafec7d4b26ee19bcfcc8b1f5e01155b35ced32373fea7bf0e3fd

  • SHA512

    fe7d45088c03e6b38dd32b2052cca24d5165f765f1089094203588612af254431246be483ed2b71cb3326882b036343a5dfc880c51f578c60ecfaef97fe5be1f

  • SSDEEP

    12288:T/5pooFT7xMgKvLvruqQ5+uWXdyFlQh9FRvJQSVc0xK7gTENepZP:Txm+xMRvLvXduVI/T0gTvp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:420
    • C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe" -NetStat
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\microsoft shared\MSInfo\R_Server.exe
    Filesize

    30.7MB

    MD5

    f5bf22328235e4750c4bde9b3640c47c

    SHA1

    6e422a1cfd392b56d85e163a9be8467d75927f62

    SHA256

    862b11c9c7d75929c755ac2904c325f25ac315c1da0855384110493f2e2e5ccf

    SHA512

    31bc05640a3c32e94888fdc862041b5d7bb59a07f5e78cd4f0fb9f3da27e4a7ee1e70802ef71ff031d63242467e7f55483b97235f0225651c64838fec3da6241

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\tmp.exe
    Filesize

    30.0MB

    MD5

    61910644e9560ebea70adc93af6c7f9e

    SHA1

    e110bafedefb8db4b092349c5412367fe3669422

    SHA256

    0145df902adcc046e1a99fb05e52b12d46d69dace736159a7295afa600754853

    SHA512

    fb42e43a7eac0ddb2704dc4f1956091eb74b3295c2f272d6426399f9d8401fdb6df4ce0a4afa16f0b4780b1b898fa702f0187ffda902b67a3e0da1cb1d32f488

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\tmp.exe
    Filesize

    10.9MB

    MD5

    4545c9b1aadd29bf54632ae46a3c269c

    SHA1

    fc58e85babc411dad234b4893b60a4a2a546aa67

    SHA256

    7c6e7f06d4471120bdc3dd03c4e221ff57e81e40fafea775e1f85f69fa3c149f

    SHA512

    dec50f30f9c1c946f5e0af7a9b91fe1249b2bb043ab09bb81ec733bfe5cb6e5aa7c500b33a2b08aa882042b550188996ec2f09a2d384c762304b80ab6081ea1b

    Download Submit

  • memory/420-41-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/420-43-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/420-19-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/420-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/420-22-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1672-49-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1672-39-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-46-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-45-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1672-44-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2712-34-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2712-42-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2712-40-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2712-2-0x0000000002280000-0x0000000002281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2712-17-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download