Overview

overview

7

Static

static

3

4978cfcab3...18.exe

windows7-x64

7

4978cfcab3...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 10:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4978cfcab326102f72f09d9b84653242_JaffaCakes118.exe

  • Size

    22KB

  • MD5

    4978cfcab326102f72f09d9b84653242

  • SHA1

    521f85c237bd5489bfe031cd909625fed4fd2ed3

  • SHA256

    dae94d07dbdcd16b1bdd1ecae608c1beb3492c38662de00fc1eeae8c897725b4

  • SHA512

    8a4401d724fa67febd3d454c2684673f0b8a08c7ed40923e1ab32947e697945deceac5cba28262596820279a406c3d3304c6c84d9052eb0dd8384f24e2cbebf4

  • SSDEEP

    384:ColuhmnCxYWh7h/VjVCmIZkCMGD2xZVqc9YYuRFasc1LBn7Vn0yO+18XSU6WjzWY:cSM7h/VyTZax7q+YRFs1lJp18XSU6UYU

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4978cfcab326102f72f09d9b84653242_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4978cfcab326102f72f09d9b84653242_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4978CF~1.EXE >> NUL
      2⤵
        PID:5064

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\C8FFD223.dll
            Filesize

            11KB

            MD5

            31dfc5f0552db270e7abedb8024ec3c0

            SHA1

            e87036430500fd45b64c2a60452fd077d85569f2

            SHA256

            188ab5d27303405878b1fbd85983bde87f9852844549a94a4a4b795dc8d29273

            SHA512

            7fca193b5eedd170a75f8cdabe34690bb08255f06d3992ac1c396b25de7f483ae3ed76943379a77ced08c11676d55df3e234e6fdeb6dc2911aae850e6b91b562

            Download Submit

          • memory/4376-8-0x0000000010000000-0x0000000010015000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4376-9-0x0000000010000000-0x0000000010015000-memory.dmp

            Filesize

            84KB

            Download