Overview

overview

10

Static

static

3

32410bbf13...18.exe

windows7-x64

10

32410bbf13...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-07-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32410bbf13aa5b1fe85ae0ca73cc965b_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    32410bbf13aa5b1fe85ae0ca73cc965b

  • SHA1

    2218323fcfc69dd17f64036da61059420848c652

  • SHA256

    0c2747af45baa1c6ba161bfc3551cc3d6c6cbac40390653cf6e4c9cad80e295c

  • SHA512

    08c6a620f4796b91f79ab67dd078eb4f6a11028299d2315079fc0a4d308e17c43b14a61a9120e74bfc18e47715908236946e65d7c9ba87064e5bb6d886e345be

  • SSDEEP

    3072:QBd1g/E2MtU7Qv0w4ZRRQMMDwtIMCeFP4ANA4oQZiE+r:SdKE2R7Qvb4tQTaCeFP4A+W4

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32410bbf13aa5b1fe85ae0ca73cc965b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\32410bbf13aa5b1fe85ae0ca73cc965b_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\yuako.exe
      "C:\Users\Admin\yuako.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\yuako.exe
    Filesize

    156KB

    MD5

    7eb39658b90aa7292b52f759b330424f

    SHA1

    c9ff2f2b41ea500a7bf0106041165fbcdb6cb843

    SHA256

    5a59ca2234e8b8bb2b524ac0aec52d0db2bf9ffaba88ccad161ea5103aa78cd9

    SHA512

    0707e5f2326077edc739e66ab8772e99171c9adc4480a759d248e29518bd4b0f631f374be03a54734292148d2d404dd97dec9d56244f214a757f5476875dddee

    Download Submit