Overview

overview

10

Static

static

3

432bdfd268...18.exe

windows7-x64

10

432bdfd268...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 20:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    432bdfd268e5f8c57ad859669149d924_JaffaCakes118.exe

  • Size

    150KB

  • MD5

    432bdfd268e5f8c57ad859669149d924

  • SHA1

    dfbcd2038f0856770130d35fc4645b29e670ac98

  • SHA256

    e71a2d1b15e9669405eccba8d23c9cb488fe246ddb82e0b431be4afe8c24df11

  • SHA512

    77e38862e3b6ca27845ea99430a441e623346a2adb1bda8c3c92c12bdd5c97373216ec1f05b57ef44242b91e32485247aea818c94f75e323931a78cbe73a9f6d

  • SSDEEP

    3072:BOHtyqyXRlSg3t72U/4N1DpgnAJ0CDhE7G:3h8g3ty9NZ2nAtD

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\432bdfd268e5f8c57ad859669149d924_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\432bdfd268e5f8c57ad859669149d924_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 540
      2⤵
      • Program crash
      PID:2708

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\RCXA70A.tmp
          Filesize

          69KB

          MD5

          8ba404e90194c38541e324657e72f74c

          SHA1

          ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

          SHA256

          8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

          SHA512

          1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

          Download Submit

        • C:\autorun.inf
          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

          Download Submit

        • C:\zPharaoh.exe
          Filesize

          149KB

          MD5

          1cd3fee327a5e50fbd474c27f6fdd70a

          SHA1

          c27b81267d6050b9f2887ec8b8b42f2b80522b55

          SHA256

          ccf11ef3637b4977b17104c2be25fb71ec45f44560b6636b1640a0bbe73bffca

          SHA512

          f76931afecd99ebe16975c408a56dd60a7ee1e05fb1289bd1c09f522010476bad5936a0e4790dc3bb4033de4ee4c0f32ff7c008652bc6df6abf4552608ab5aab

          Download Submit

        • F:\zPharaoh.exe
          Filesize

          149KB

          MD5

          4636950e3e042df9629b2f70dfd4c3bf

          SHA1

          728d67647fe57387f2d49256d7e9588687738ce2

          SHA256

          3a88501ff88691aa62531c9316a2e405bd3e7455a80f00355e49bcbce067f4ed

          SHA512

          18ad95215ecd915b1457e3ba46e41db54da482858dfba8b2bc5885ffebb8868721e7289813acd7bd5321a0483f8b773672cfc2a8f14c9c87a41bcc22f72843f9

          Download Submit

        • memory/2840-0-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download