Overview

overview

7

Static

static

3

4bdef79bc1...18.exe

windows7-x64

7

4bdef79bc1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2024 23:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bdef79bc1f1709049f3f4e1aefa9d3a_JaffaCakes118.exe

  • Size

    17KB

  • MD5

    4bdef79bc1f1709049f3f4e1aefa9d3a

  • SHA1

    1f923501094b234ef59596adab187874f734e882

  • SHA256

    160d68f65b5ab4690993398f63a3407d113f5ce70e35aee6a44e1b36b637047c

  • SHA512

    30a210ba33ef4eb6bc32cb50d93d2b46376d90b0ff90cebfa00873721e6fe45efdc7f576af18e7c1d57d3032006d3e5ddc59df62fa9020fe19e1201c9a8e07c9

  • SSDEEP

    384:Ny+26QIVmapXo0rridertW0w0PBVrivaa2zFAVhh:NLFQI/YirCkwGV2yFzFi

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 4 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bdef79bc1f1709049f3f4e1aefa9d3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4bdef79bc1f1709049f3f4e1aefa9d3a_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\a.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\net.exe
        net stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
            PID:2860
        • C:\Windows\SysWOW64\net.exe
          net stop winvnc4
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop winvnc4
            4⤵
              PID:2812
      • C:\Windows\utorrent.exe
        "C:\Windows\utorrent.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\a.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\net.exe
            net stop "Security Center"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Security Center"
              4⤵
                PID:2992

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\utorrent.exe
          Filesize

          17KB

          MD5

          4bdef79bc1f1709049f3f4e1aefa9d3a

          SHA1

          1f923501094b234ef59596adab187874f734e882

          SHA256

          160d68f65b5ab4690993398f63a3407d113f5ce70e35aee6a44e1b36b637047c

          SHA512

          30a210ba33ef4eb6bc32cb50d93d2b46376d90b0ff90cebfa00873721e6fe45efdc7f576af18e7c1d57d3032006d3e5ddc59df62fa9020fe19e1201c9a8e07c9

          Download Submit

        • C:\a.bat
          Filesize

          71B

          MD5

          4db2c561024318efaf926a8e0a6ebc36

          SHA1

          8e3060152b239e7c7bc488e79030b9e3c13de066

          SHA256

          f9ea85780a059d9338c359925ec487588102ef55be4062ec4ac19efc8af59f0f

          SHA512

          df700bc9348e147ceb1db687974c567fdff052d73eb4709b718f3b3dfaf44116a5a70c0ae62438416888c0783a575e524f501da1308bbc987443ec3c852bef99

          Download Submit

        • memory/1652-13-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/1652-15-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/1652-18-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/1652-21-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/1652-24-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download

        • memory/2584-12-0x0000000000400000-0x000000000094F71D-memory.dmp

          Filesize

          5.3MB

          Download