Overview

overview

7

Static

static

3

4a1ccbaad9...18.exe

windows7-x64

7

4a1ccbaad9...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a1ccbaad9869a37a032fd2aa03be4a9_JaffaCakes118.exe

  • Size

    606KB

  • MD5

    4a1ccbaad9869a37a032fd2aa03be4a9

  • SHA1

    4d61795023c9c7d4040f6e7091325868ce3bedf4

  • SHA256

    ed07a209026e6ae33832e8873824dc9f1cbf06f2b7698255a0df7ee3ee356151

  • SHA512

    6a6c4345e8b1b324c8abec12ee91d48a32552cdfe7ef888c4f5feef88d22931e81db550ff49ad418a273b553881c0041d8a8a23812efeeedf74432300456006b

  • SSDEEP

    12288:bdEK5HO2efzbp+o/txfaWF3Z4mxxp+43xU4Ak8hTbBUWfTc:bdEnLbn1vQmXt3x7l8ZVPc

Score
7/10
defense_evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 4 IoCs
    defense_evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a1ccbaad9869a37a032fd2aa03be4a9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a1ccbaad9869a37a032fd2aa03be4a9_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.EXE
      2⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.EXE"
        3⤵
          PID:2608
    • C:\Windows\SysWOW64\dll.exe
      C:\Windows\SysWOW64\dll.exe
      1⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\dll.exe"
        2⤵
          PID:3936

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.EXE
        Filesize

        556KB

        MD5

        34d8d594c2894193c37de817c28c6d65

        SHA1

        e149d24d005b0580631f79b7ae9defd63e1dae26

        SHA256

        6af2050b42226ee767badb5688c439e6a838198aa4f98eaaa520fb1b8022c347

        SHA512

        a87a7d4f404c498ab69ea5a59c50074914cd4dbeec21a97edbc98bc1344492179c22958b29b939d87d2bbf969e79ee4140e889251ef8308ba4ebc02918502a7b

        Download Submit

      • memory/940-20-0x0000000010000000-0x0000000010093000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4052-19-0x0000000010000000-0x0000000010093000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4072-5-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-4-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-6-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-0-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-7-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-10-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-11-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-3-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-15-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-2-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4072-1-0x0000000001050000-0x0000000001051000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4072-21-0x0000000001000000-0x00000000010A4000-memory.dmp

        Filesize

        656KB

        Download