Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/07/2024, 14:17

General

  • Target

    28746a63fe3061e771c533ad348a14e2_JaffaCakes118.exe

  • Size

    332KB

  • MD5

    28746a63fe3061e771c533ad348a14e2

  • SHA1

    af19463899cd782c280e310ab49815ffa4b0e284

  • SHA256

    75c4f6a5fc9f1bd3678a39eeefbf863c404123af2ca525a6c004f8bd9882f0ff

  • SHA512

    60090da9addbf4a5a1c6e7ed241cbfdab81ca353abee6d5761fe45a1a29527351dd72e784bcaf3f5cc92cfbe2ed6be8f6b247468078c92e45a83c0c3a35c0ac3

  • SSDEEP

    6144:MRAhhJxX7bNIAROzTuaPUD8XRuf0b4mtoqC2FCVb1imcYeVoAQmr2m:UsAAPaPUD18t7FIneVEm

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
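
The three registry-based signatures above (Active Setup, Run key, executable filetype association) can be checked on a suspect host from a `reg export` dump. The script below is an added example written for this page, not sandbox output and not code from the report: it parses a .reg export and flags Active Setup StubPath entries (ATT&CK T1547.014), Run-key values (T1547.001) and a modified default value of exefile\shell\open\command (T1546.001), the key that the filetype-association signature covers. The .reg text, the placeholder GUID and the value names in it are constructed; only the dropped-file paths and SHA-256 hashes come from this report. The masquerade check (a system binary name such as spoolsv.exe found outside C:\Windows\System32) generalizes beyond the exact paths the report lists.

```python
"""Registry persistence triage for the techniques flagged in this report.

Added example, not sandbox output and not code from the report: it parses a
`reg export` (.reg) dump and flags Active Setup StubPath entries, Run-key
values and a hijacked exefile association. The .reg text is constructed; only
the dropped-file paths and SHA-256 hashes are taken from the report.
"""
import hashlib
import re

# Dropped-file paths and hashes from the report's "Downloads" section (lower-cased for matching).
IOC_PATHS = {
    r"c:\windows\spoolsv.exe",             # the real spoolsv.exe lives in C:\Windows\System32
    r"c:\windows\syswow64\concp32.exe",
}
IOC_SHA256 = {
    "75c4f6a5fc9f1bd3678a39eeefbf863c404123af2ca525a6c004f8bd9882f0ff": "28746a63fe3061e771c533ad348a14e2_JaffaCakes118.exe",
    "6ef3b5965d5bf9e52184fee46f4627905230ddffd0bac9c5ed3bf0c339701738": "concp32.exe",
    "5e355b8814c50b45fef91c62ca395d8d8603c07934020848bde1d50c35cfef21": "spoolsv.exe",
}
# Windows binaries whose names get borrowed; the same name anywhere else is a masquerade.
SYSTEM_BINARIES = {"spoolsv.exe": r"c:\windows\system32\spoolsv.exe"}
DEFAULT_EXEFILE_COMMAND = '"%1" %*'   # stock value of HKCR\exefile\shell\open\command

# Constructed .reg export (the GUID and the value names are placeholders, not from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Print Spooler"="C:\\Windows\\spoolsv.exe"
"Updater"="C:\\Users\\Public\\spoolsv.exe -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Windows\\SysWOW64\\concp32.exe\" \"%1\" %*"
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; '@' names the default value.
    REG_SZ strings are unescaped; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            keys[current][name] = _unescape(data[1:-1]) if data.startswith('"') else data
    return keys


def image_path(command):
    """Executable part of a command line, lower-cased. %windir% and %SystemRoot% are
    assumed to expand to C:\\Windows; on a live host use the real environment."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    exe = exe.lower()
    return exe.replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def describe(command):
    """Why an autostart command is suspicious, or 'no indicator'."""
    exe = image_path(command)
    name = exe.rsplit("\\", 1)[-1]
    if exe in IOC_PATHS:
        return f"points at dropped file {exe}"
    if name in SYSTEM_BINARIES and exe != SYSTEM_BINARIES[name]:
        return f"{name} outside its system directory: expected {SYSTEM_BINARIES[name]}, found {exe}"
    return "no indicator"


def triage(keys):
    """Return (technique, registry location, reason) findings for the parsed export."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if r"\active setup\installed components" in k and "StubPath" in values:
            # Every StubPath runs once per new user logon, so each entry is worth a look.
            findings.append(("Active Setup (T1547.014)", key, describe(values["StubPath"])))
        elif k.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            for name, cmd in values.items():
                reason = describe(cmd)
                if reason != "no indicator":
                    findings.append(("Run key (T1547.001)", f"{key}\\{name}", reason))
        elif k.endswith(r"\exefile\shell\open\command"):
            cmd = values.get("@", "")
            if cmd != DEFAULT_EXEFILE_COMMAND:
                # Every .exe launch now goes through the hijacker first.
                findings.append(("exefile association (T1546.001)", key,
                                 f"default value is {cmd!r}, expected {DEFAULT_EXEFILE_COMMAND!r}"))
    return findings


def sha256_ioc(data):
    """Name of the report artifact whose SHA-256 matches `data`, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for technique, location, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"[{technique}] {location}\n    {reason}")
```

On a real host, export the three hives with `reg export` (HKLM\SOFTWARE\Microsoft\Active Setup, HKLM and HKCU ...\CurrentVersion\Run, HKLM\SOFTWARE\Classes\exefile) and feed the text to `parse_reg`; the per-user copy under HKCU\Software\Microsoft\Active Setup\Installed Components only records which stubs have already run and does not itself launch anything. Note that `sha256_ioc` is only as good as the report's hashes: the files in the "Downloads" section differ from the submitted sample in size and hash, so a rebuilt dropper will not match and the registry checks are the more durable signal.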

Processes

  • C:\Users\Admin\AppData\Local\Temp\28746a63fe3061e771c533ad348a14e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\28746a63fe3061e771c533ad348a14e2_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:1988

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\concp32.exe

          Filesize

          334KB

          MD5

          7655cf3b8800bf92e0ec124ae7cd1e78

          SHA1

          c7f2cf5f8b0b07e6ca70952aceaa6b0869f71ab7

          SHA256

          6ef3b5965d5bf9e52184fee46f4627905230ddffd0bac9c5ed3bf0c339701738

          SHA512

          08063e0c1b4b620f4f2f179ca0dbd69f2005fdb2ce4ca8282e19b029cee664ac6ef92cefb4b766b3404053e91ae6537fd2c42714ad1fb6f3ccac0d505ed82446

        • C:\Windows\spoolsv.exe

          Filesize

          336KB

          MD5

          27f70b644bfb547cb49bd88ad3a0b295

          SHA1

          d88a611f0516c11f4c355f483c2f7ac848bec1cb

          SHA256

          5e355b8814c50b45fef91c62ca395d8d8603c07934020848bde1d50c35cfef21

          SHA512

          3f7a129d81e1b18fef84538cdc39b042afb85f40b7e46ca0ada2a7fed0ae686d6287ba4728bfb891ea8a96f2e3e83f6869d638227dc5b53d91291806e95e6fc1

        • memory/1988-15-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/3004-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/3004-14-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB