Overview

overview

10

Static

static

3

36655a0b11...18.exe

windows7-x64

10

36655a0b11...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36655a0b11773cacf42ec2ca9ca3ec50_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    36655a0b11773cacf42ec2ca9ca3ec50

  • SHA1

    64c4be9d982d56106f7d8167c07295da4d9d8e0d

  • SHA256

    9df5a67c5941d24ac50ad1dd41f73a4438850f30b111d45c154a69b5d0573907

  • SHA512

    e5e6c7be87fbf10e2106af4635cc6a3a4bf67ef83e01d7802c29c97793759b452d3e30381124ae80754035b19acd7e380f743eb4f2ad8bef3a671ca80159580b

  • SSDEEP

    3072:wR7To/05Wr0tQ9nLHbB9WBJiBs2HWWEaPGJm9wFH:wRix4QxL7B9WBJi+yWWEaUjJ

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36655a0b11773cacf42ec2ca9ca3ec50_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\36655a0b11773cacf42ec2ca9ca3ec50_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\feoil.exe
      "C:\Users\Admin\feoil.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\feoil.exe
    Filesize

    200KB

    MD5

    44b74ff6883f423a8ab616e2e1957fff

    SHA1

    4f993f4627f31d5aff9058adcb944ac26919c3ba

    SHA256

    b8560ea7b30a6ccca605437244ae14023f5159b67771bc670a368a29c800ae90

    SHA512

    95b56af5c27205e8cf00cab36583c0be5ce39a27baea6d9469b6a1aed6a59ea6661ef166fe6458a55623087ccfb75de8cd10d55fbda602e837c00efc4341f5bd

    Download Submit