Overview

overview

7

Static

static

3

602435b057...18.exe

windows7-x64

7

602435b057...18.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 10:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe

  • Size

    445KB

  • MD5

    602435b0571b0da5006a9313f2ae72d3

  • SHA1

    cdf2d6f8913cf50dfa4988b28a4c09a0f4ea6082

  • SHA256

    07d80d1ea50bf38e7dc49e30db756bfa4a9888dc215214a3912a143435225d7d

  • SHA512

    6598df39904ee8d7f3feb4744e94995e7fa1090dbe8e5b6ce4d266f49cd66dfab2bf9ed4270d0897f229fc7a4372d5d801fe9098b8136e2c09f4cedf69a86dfc

  • SSDEEP

    12288:YGHnThjLf1sJ4w+wsRFAWv5c6T+gty2KE9ZqgwU8Ap:rHThHfFw+TRnfp82KE9ZqE8Ap

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\notepad.exe
        notepad C:\Users\Admin\AppData\Local\Temp\Message
        3⤵
          PID:1972
      • C:\Users\Admin\AppData\Local\Temp\602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\602435b0571b0da5006a9313f2ae72d3_JaffaCakes118.exe
        2⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\postcard.exe
          "C:\Windows\postcard.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Windows\postcard.exe
            C:\Windows\postcard.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2440
          • C:\Windows\postcard.exe
            C:\Windows\postcard.exe
            4⤵
            • Executes dropped EXE
            PID:2696

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Message
            Filesize

            4KB

            MD5

            c5d37fe4751f17707af6c5f433510cba

            SHA1

            6a0de5fae9d977e6716580fefb4125b78c3929ac

            SHA256

            4069f4e624c2c861fec6273d7fb6ce64241d6b7b226143176782887b34873502

            SHA512

            ce073e7fe1906e3ac097505096963597f35174a3de7bc2ccf2b42557ccd6fc7d4fabcc05ab937711586b5bd0239fe070e0bc9f6f07e6050cec4e345d0dd6b214

            Download Submit

          • C:\Windows\postcard.exe
            Filesize

            445KB

            MD5

            602435b0571b0da5006a9313f2ae72d3

            SHA1

            cdf2d6f8913cf50dfa4988b28a4c09a0f4ea6082

            SHA256

            07d80d1ea50bf38e7dc49e30db756bfa4a9888dc215214a3912a143435225d7d

            SHA512

            6598df39904ee8d7f3feb4744e94995e7fa1090dbe8e5b6ce4d266f49cd66dfab2bf9ed4270d0897f229fc7a4372d5d801fe9098b8136e2c09f4cedf69a86dfc

            Download Submit

          • memory/1688-44-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/1688-10-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/1688-7-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/1688-16-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/1688-13-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/2368-27-0x0000000000380000-0x0000000000381000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2368-39-0x0000000000010000-0x000000000008C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2384-14-0x0000000000010000-0x000000000008C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2440-43-0x00000000004A0000-0x00000000004AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2516-1-0x00000000004A0000-0x00000000004AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2516-5-0x00000000004A0000-0x00000000004AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2516-6-0x00000000004A0000-0x00000000004AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2516-17-0x00000000004A0000-0x00000000004AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2516-11-0x00000000004A0000-0x00000000004AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2516-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2696-45-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download