Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/07/2024, 08:05

General

  • Target

    44fb5ba17d8a42a60fa82c6dd7c2a707_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    44fb5ba17d8a42a60fa82c6dd7c2a707

  • SHA1

    59e2239b0d837d350ac1e13c8ae1868535c9276e

  • SHA256

    9ec94c01d6a9cf0bb7da720a5efda7818904fc7fa27ab703087ef8a91a192eb4

  • SHA512

    7fced9b16be2cc1f9c78a08db29d1d89813f2ee2e0a8af33c356d5596fa852d7344226c8c82d677c04acaca04662aad808e29d659aba3c36bc9ffc150e219349

  • SSDEEP

    3072:P2o6Zb6DKJW6jbZJ4oJDsOeMPEQ8HLCpUZS7o3SFnAsD:eNzJxPZJr4szSeUlunH

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44fb5ba17d8a42a60fa82c6dd7c2a707_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\44fb5ba17d8a42a60fa82c6dd7c2a707_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\tmp2.exe
      "C:\Windows\tmp2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2836

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\tmp2.exe

          Filesize

          88KB

          MD5

          2deeafeec1ac2e76601d0cdc63ec730c

          SHA1

          9002f5c2b70b455b5d792aa924287883e7a6435d

          SHA256

          a19747ecc81cb311aba20784023ac817a894eeb18857bb2f452495c5ac372524

          SHA512

          d0b76d9166889a730aa6505da37ff8d438df1f8e8e3e111aa95063cb51803a613aa6921301b3b840787ce88845fc8bdfd452efaa2904e482ee6f0b3fc040f36e