Overview

overview

10

Static

static

3

2716a1c25c...18.exe

windows7-x64

10

2716a1c25c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    11s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    05-07-2024 19:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2716a1c25c1dd64309c81da5efb26527_JaffaCakes118.exe

  • Size

    299KB

  • MD5

    2716a1c25c1dd64309c81da5efb26527

  • SHA1

    c25187ef1726ba77fb99db87669cff73548c0990

  • SHA256

    dea85f71002fad50dbd302f5a3796635771efba38300ee28d42fababdac4cf1a

  • SHA512

    114f4565bb31030f70c7d84dc62c271a9ef146175c8105370c7d9321b11bcd9e5ecc29d21005d1fa06e39f1dfba9959a7b983748cd131d10ee803b58f7363595

  • SSDEEP

    6144:WyHP7/GdouNeZrrfWiLCutKT1iCoA4TJoVBI1ci91GOulex2wI7dRTUV284M:WyHbG6uElreiLCuQT1foYJcI7IZ3

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 8 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2716a1c25c1dd64309c81da5efb26527_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2716a1c25c1dd64309c81da5efb26527_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 320
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\tazebama.dl_
    Filesize

    151KB

    MD5

    4f6f3b9a9b42ea338d2a9aaafdd00a62

    SHA1

    fab181e9ebca8f8cca6b8c8b13e69469e7765661

    SHA256

    53f0b8405b685523ac55ad4d278d5f6f65f28c18da578adc0a3e621da8708084

    SHA512

    926d2b106244c9d809b322f095aa49ecfef8428d22f9ee807aebb02c97b141191a58ed0001e6633f5577c5567b020856cd877c00dc1dddb34ff08ca86fc7008e

    Download Submit

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    151KB

    MD5

    b880cbe12b3f4693d9e8368c475b3847

    SHA1

    76e7bf34bf69416cf65d2035fa6d0c20ea865434

    SHA256

    d2916fc3c14fd0273335a4515a0f3ba07e025279b3ea8e75c4004b89bd43cb95

    SHA512

    95bf6472c40cc9afc580c0da97d6208d05a02d710c921652307fb4fa7d828037207366a8f627085af7fdf08b66d70038daa89706b6da9cba66f76369cd64e33a

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    151KB

    MD5

    b50f5d61040336ce92411ffc1d8a0e0a

    SHA1

    8871825cebcdb0ee460fc9df004d4d0d0f85e844

    SHA256

    a43e36a208f68d494f17f787216809170536c4a1269e535c9163c623244f84ce

    SHA512

    02a2d15efacba7d41aa0e623572da99bda731f3521ec4f552fc50dd791be29a79af7be2f91017d96b34866dfaf45cc486011ec6a5ee27260c9178e5a3af9149d

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • memory/1664-17-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3012-15-0x0000000001019000-0x0000000001024000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3012-14-0x0000000000380000-0x0000000000396000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3012-13-0x0000000000380000-0x0000000000396000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3012-16-0x0000000001000000-0x0000000001029000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3012-18-0x0000000001000000-0x0000000001029000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3012-0-0x0000000001000000-0x0000000001029000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3012-6-0x0000000001000000-0x0000000001029000-memory.dmp

    Filesize

    164KB

    Download