Overview

overview

10

Static

static

3

5c786b024c...18.exe

windows7-x64

10

5c786b024c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 15:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5c786b024c012b03ea114b4f30a30fa8_JaffaCakes118.exe

  • Size

    228KB

  • MD5

    5c786b024c012b03ea114b4f30a30fa8

  • SHA1

    ebb404db099d7aa99bb390cf84dfa5717184df88

  • SHA256

    9ca706cc2ff003640f6b98c524832c5d5c876490af0b460f6f95654429004cbb

  • SHA512

    0146c252697f02a41e3da9abfde671d6c968b4f7ef278fa1cf9bceb0e252d89252ac151f8f41b22de902c130cc5e73c2626531dd4f10155eac79e537cf7d09c5

  • SSDEEP

    6144:omo3PFKs7aFwKWwalhrEqxF6snji81RUinKZHg/7S7:omSPhAmZIH+7q

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c786b024c012b03ea114b4f30a30fa8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5c786b024c012b03ea114b4f30a30fa8_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Users\Admin\vgwaed.exe
      "C:\Users\Admin\vgwaed.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3900

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\vgwaed.exe
          Filesize

          228KB

          MD5

          0d0014104e602bccf17b3cef9265ebd0

          SHA1

          0903f4a6a9987eb697310e6bb7a9aaad98ceb87b

          SHA256

          e3512ec74605091ed554154841783fd14ac86e26c0fcbbbba018db9087453b3e

          SHA512

          3437c16d090dc96f0636e8129f20e70e2f977165e8587dc2685bd00e41e6a0aaee30d366e4d547c388e4455998dbaa13734f5c7b97df6e9e1457894fa20656a1

          Download Submit

        • memory/3900-34-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/3900-38-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4544-0-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4544-37-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download