Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 12:24

General

  • Target

    67951ac15477aeb0a34a2f5fd527fa9d_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    67951ac15477aeb0a34a2f5fd527fa9d

  • SHA1

    025a80053d203e8f5e1e374e2534fb05cba33a94

  • SHA256

    abdf6fad1374aad4762f179d6d765f2831ab7dfcc494bb1e1cb13e084e364c24

  • SHA512

    3c9254aa816fa0ffc0784fa42c7e643903ddc78f969e0ccb54f2a772b6082b2847053870a82792ae003e25fecc7667aa7ea2dfe8d382c838a623273fb77d3670

  • SSDEEP

    1536:T9tGs82NTzwPMGAc4ohrPXo+73Rez8b0SyuNIjnZq:NwiurPX7CuCnY

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67951ac15477aeb0a34a2f5fd527fa9d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67951ac15477aeb0a34a2f5fd527fa9d_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Users\Admin\pooceeq.exe
      "C:\Users\Admin\pooceeq.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\pooceeq.exe

    Filesize

    100KB

    MD5

    06f64e1d7ed08c15f97c8641119921d2

    SHA1

    eae0a2edf336da4a06b64bd1e34e81bf32421885

    SHA256

    b10bedf49ae561483f64a71abf665065354d04d5e556c8c34568728057b0dd02

    SHA512

    4dedc3443f17df049c2e2b3bbd3ea482819b7f9e4cc3dd90cb175ba8c93004ae49f2fdc1322e950bba8b37b6c94e751951a3033d45c2d6627e9ca39c1d7e9166