Overview

overview

7

Static

static

3

37f409f1c2...18.exe

windows7-x64

7

37f409f1c2...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 05:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37f409f1c229cebe24cad14e404920b8_JaffaCakes118.exe

  • Size

    387KB

  • MD5

    37f409f1c229cebe24cad14e404920b8

  • SHA1

    9004f1372b154dbb5eca25fcaec86b9c66725ee5

  • SHA256

    e68a0886bd7f68410f34eb935a4affa38eb7828d0b0ec0a889e56b4ef400578c

  • SHA512

    4b57a9c659348dc0403bc76aeaebdb1b8294469ea52795e12829d27f4402dcc3c39bfaf04c1dc3a8a2734da1d5f8fd2e13a6910406ad216f4ad9ea010011da18

  • SSDEEP

    12288:uI0lhjFzMa3SOuo8xuWW/taUNdXYF3EyRl:uHlhdMESOuo8jwt79m0yD

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37f409f1c229cebe24cad14e404920b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\37f409f1c229cebe24cad14e404920b8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\windows\pla\pkh.exe
      "C:\windows\pla\pkh.exe" /i
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\PLA\pkh.exe
    Filesize

    387KB

    MD5

    37f409f1c229cebe24cad14e404920b8

    SHA1

    9004f1372b154dbb5eca25fcaec86b9c66725ee5

    SHA256

    e68a0886bd7f68410f34eb935a4affa38eb7828d0b0ec0a889e56b4ef400578c

    SHA512

    4b57a9c659348dc0403bc76aeaebdb1b8294469ea52795e12829d27f4402dcc3c39bfaf04c1dc3a8a2734da1d5f8fd2e13a6910406ad216f4ad9ea010011da18

    Download Submit

  • C:\Windows\b3577d2ef.log
    Filesize

    64B

    MD5

    c5b97177ae610ef7929bfebaa6d043e6

    SHA1

    f3184c324e50d19b4c50c597adba63d883227850

    SHA256

    a7715db111c4d7eaf11cfc9b40fe8a1c32fd709476af5c653c03acfd4be592b9

    SHA512

    365664f30389c2341755fbe6cfaa44deb242cdd00c7aa77c0e8041f75a9eb851522922c7bb43b46bb5af179ab74474386626c481eb6669fb9c3f664a4b1f5570

    Download Submit

  • memory/3640-19-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/3640-27-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/3640-29-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4148-0-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4148-1-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4148-4-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4148-34-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download