Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-07-2024 08:45

General

  • Target

    490e2ff9d485fd68d1c439697b7567fb_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    490e2ff9d485fd68d1c439697b7567fb

  • SHA1

    8afdf999eb36fb49f23730133ac467a93e169a18

  • SHA256

    85fc0e966a77d39b21c04b3a2b3179fd283606ad06c3a3776e9e1c9a6f862fbb

  • SHA512

    dff3bfcae07ca91d3693fc87202e2a9a34ced614149c0ca019b013d8284318a7e860a44597829580e103d78cf460e3a6a6fa90a1ccff5f6ae5d675bad508b50b

  • SSDEEP

    3072:h72DTjMbh1+u7jb2WLyYAfozPCO9Jk7Np8rNmxpmYCEoZx:F2vaDjb2vq+Bp8rNqpZCEob

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\490e2ff9d485fd68d1c439697b7567fb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\490e2ff9d485fd68d1c439697b7567fb_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 312
        2⤵
        • Program crash
        PID:2976

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      8d355473fbe14bb2d3241edb57492b65

      SHA1

      27aa97bbab0b1e72876016eed7b49c67eb81d829

      SHA256

      a4cdbfea09da0c102af5463e00d93dabf24252c1dbef4f6c15b402d8ebdb3349

      SHA512

      4cfc631e740d36fbc47f0ab9038431f7e877640ffe692de138b8fc9ca7db55fd608e06b6e5930f5675bbc9c4fba4257a4a1e12594f7dac73732efa7f696fc916

    • C:\autorun.inf

      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    • C:\zPharaoh.exe

      Filesize

      151KB

      MD5

      ecaae103490278289cc1b16f48351fc8

      SHA1

      e899882b8b49f667080ccac05468374467459734

      SHA256

      c669b7df05e1b11bbc091da412a82ebd780821f209d438ed4cf31e86159297ea

      SHA512

      cbddc909ebf23030e79205ec29944f99432dc011af5695d2c908ede1f78feb8e1ce9567f28d2430ae75ac47771f6095a60660fed33cf43c7da3c5076a06c937a

    • F:\zPharaoh.exe

      Filesize

      152KB

      MD5

      546fcf5b22d5edd1ca7ac3c4cb3480e0

      SHA1

      2439ad94562de47e014f9ce217ff8194ef5c29b5

      SHA256

      f22617117bbb85cdd9167af492328a0436821528d34a9658d79fb6fd8ef76b59

      SHA512

      8dd2ad82be6c1583990327888e07775e1f6c5a8810ae0cd10b39d3f93a9eb26ff60d52f1ad6cf80541e5173668ca7e68a91e4d3428d4c0d79af54707fa704a0b

    • memory/2304-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2760-30-0x000000002F931000-0x000000002F932000-memory.dmp

      Filesize

      4KB

    • memory/2760-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2760-37-0x0000000070A0D000-0x0000000070A18000-memory.dmp

      Filesize

      44KB

    • memory/2760-39-0x0000000070A0D000-0x0000000070A18000-memory.dmp

      Filesize

      44KB

    • memory/2760-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB