Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/07/2024, 23:48

General

  • Target

    599abd341172f2f648c82de36d7494e8_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    599abd341172f2f648c82de36d7494e8

  • SHA1

    63946501ab28917bf2ac7a437dafe5b1f697c903

  • SHA256

    11bd859c80fae0e1b8448bfa957982c5b6018456b109f21fec21b9d3617a85d3

  • SHA512

    d31932797cec7948b2433ca85443b780109a6d6148170b75b16402b2f5aec96a1926b9023d77fd4c1e128aea0535f76a68d8d6204bf6550558f0c9656b23c414

  • SSDEEP

    3072:8XMM3OULXqV1eOGe4M6nBfIVkKa3WnbwrNswK3jpj:8ceO4qSBeHYBfIVkuEsV3jl

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\599abd341172f2f648c82de36d7494e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\599abd341172f2f648c82de36d7494e8_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2144

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      6f8b1c3e7588e5ca5ad89eeb15c1e922

      SHA1

      3f07229bc01aa95bf825cd68311d26110e68f92a

      SHA256

      10c22884a125587fe54dad986efd174cc2af003c282773673d8df4b49223fcb1

      SHA512

      136165474d1067a2465caeb40b8af3df10d85f490eb8e218c8559110e501220941095946587891019bee64dc046321423e2280013610d21ab87e73b2cd3348f9

    • C:\autorun.inf

      Filesize

      126B

      MD5

      163e20cbccefcdd42f46e43a94173c46

      SHA1

      4c7b5048e8608e2a75799e00ecf1bbb4773279ae

      SHA256

      7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

      SHA512

      e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    • C:\zPharaoh.exe

      Filesize

      151KB

      MD5

      69f2dc33da572510f5fd320de84e31a2

      SHA1

      d6fb179c10d029f2f60cfa34a24511d4f626aca1

      SHA256

      d476cc8be5df2542cb76ef9601e127f1969980205474ff5ccfc7c023b449caad

      SHA512

      500bbf0189b776e14ebf47975353ea9b0084283a54aaadfa6042f2167b4c13298a4177603a8fe48fefa3359db09c7b43eb8a6fb8ab398ad8a512cf9662613fe2

    • F:\zPharaoh.exe

      Filesize

      152KB

      MD5

      c046db0af29a700151069d98235a530e

      SHA1

      d72ef03d4c065c035ebd6759c2d8d170e26af117

      SHA256

      1cb3e97c1cff872fa60b8361aa555eac69fcc0e46ea76140f1e1d55675957e5c

      SHA512

      02ebce5f01d2a3b438555c72686e0c696630667049d790695435ede8e5531653b13a46c06c7c80e01507867eb5de92cbd9fae93a2ab6de7b3895aaee979ea4c6

    • memory/2384-27-0x000000002FBD1000-0x000000002FBD2000-memory.dmp

      Filesize

      4KB

    • memory/2384-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2384-34-0x000000007156D000-0x0000000071578000-memory.dmp

      Filesize

      44KB

    • memory/2384-40-0x000000007156D000-0x0000000071578000-memory.dmp

      Filesize

      44KB

    • memory/2384-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2416-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/2416-32-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB