Overview

overview

10

Static

static

10

6367de68db...18.exe

windows7-x64

7

6367de68db...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6367de68dbfc67a235ea8be08ab5a7e3_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    6367de68dbfc67a235ea8be08ab5a7e3

  • SHA1

    7e43aeedf201a78b93e5afd79eb0cdbfe2e9bd38

  • SHA256

    ecceacf4d9f83a5a238eb248c383908a64c93ace2187d84e07ee28c7ed9fc628

  • SHA512

    e17669e27b1efb382a9027537eb5d92a54d404bce7fd880323e98c32cd7360589ae49c5097fda0b01a80a240d766995bec5913c1da84ddb9903394c23b7c445b

  • SSDEEP

    3072:bHwSAvpWcGbFWLDGwNlsftNX080ZhFel+D3OtS/cpeLYl6HkBmzAdCvMZO7IV5bY:bQBC550itS/cpeLYl6HkBmzAdCvMZO79

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6367de68dbfc67a235ea8be08ab5a7e3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6367de68dbfc67a235ea8be08ab5a7e3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\abc1.exe
      "C:\Users\Admin\AppData\Local\Temp\abc1.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\abc2.exe
      "C:\Users\Admin\AppData\Local\Temp\abc2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 548
        3⤵
          PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\abc1.exe
      Filesize

      45KB

      MD5

      3b65e1da116e8d755fd0784d1bdb5f92

      SHA1

      b3777e2bbe8a5a3aa87e115943c9d93426d37a2f

      SHA256

      d886498a0128e22d55fa2a7c5401c81b4ed079e642ec8205b7b699ef5469d7f3

      SHA512

      bbf22506c0aae0f2677330c8fbc2bfb7d9bce5a02926c75e4663408f0a9159569f4014d6e87eda4c9b4ad2a743ec0fcd2161bebff7b499db07c41c18d748cbd2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\abc2.exe
      Filesize

      65KB

      MD5

      2ba789d2f29432d83d11b9d74da5a918

      SHA1

      48c8e69dd2b55c1d2cef5661d18f6709ce2e214e

      SHA256

      655540e37bed51b285f572d8be52999e9cb0988b30d7c6f6dcf930de840232c4

      SHA512

      2a192b7b2f53cc09c5825d68c210ec4e98cba8102020fc3974ecb58799dbe62c2c475ed60241403faafd80ea696067b004d5b6c54072b79cb9425c5e6c915edb

      Download Submit

    • memory/2556-0-0x000007FEF5FFE000-0x000007FEF5FFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2556-1-0x0000000000970000-0x0000000000980000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2556-2-0x00000000008D0000-0x00000000008DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2556-3-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2556-4-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2556-7-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2556-18-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-13-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-17-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-23-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

      Filesize

      9.6MB

      Download