Overview

overview

10

Static

static

3

4b339c507d...18.exe

windows7-x64

10

4b339c507d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 20:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4b339c507d3bf73c161354f77f1a5be1_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    4b339c507d3bf73c161354f77f1a5be1

  • SHA1

    025a4fda1cfaa3d99f979a61df5f43af12f65b4f

  • SHA256

    3dba36f6ae6bb74324a5a7800da47b285c199eb208ee0c6162bd91ce531f1393

  • SHA512

    88d6c18ae4815875e0561d36162508feb8f28fef7ddde9459859741547a2b6b856e0124e0d9c419ad0dd25f37d541b51b77fec306d73d45ddbc3aee0a0364aa8

  • SSDEEP

    6144:8/Q3PFKs78g2KyEOaWEqxF6snji81RUinKdNOv:PPh+mFO

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b339c507d3bf73c161354f77f1a5be1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b339c507d3bf73c161354f77f1a5be1_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Users\Admin\rtteb.exe
      "C:\Users\Admin\rtteb.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1992

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\rtteb.exe
          Filesize

          232KB

          MD5

          3f7bf9ba49bd3165196e5bd81804bc3f

          SHA1

          2dd6ee7e9907871bfbd26f53dc0d19eda52a29dd

          SHA256

          5453682ed0c4d02983ce6ad28e99fb11b0300843abfb52715c78b9a79f20717c

          SHA512

          fa40cc41bd7f762ff90430b10005f736a957d67fed1bc8da02c4cc248c4e2334ce753418511599d6906547823fccfec59ee47e4cd529067a7ec85650d8fd8f4e

          Download Submit