Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 24/07/2024, 06:47

General

  • Target: 6a9f03f9be9cd086d025bf9f429904e7_JaffaCakes118.exe
  • Size: 151KB
  • MD5: 6a9f03f9be9cd086d025bf9f429904e7
  • SHA1: d0a647d7e2c3d88431d639abb45e820fbb580013
  • SHA256: dccfdf869dec4a22e1fefe753f853de65cb4c89991b7da3edd3e173920a5516a
  • SHA512: d4f3688f0839d0c20157e40a952e62cd44201c56300f34bb0648f6b7216059df0d37d3ff0e15f94159db299c94987c8eab0e1e2d072f7a0f1fc54e7d93889e03
  • SSDEEP: 3072:yl9EbHbfSskFvZNtvCE2KawoZiGswK3jp4:ylsvkd/F7cTsV3ju

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 3 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory (8 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a9f03f9be9cd086d025bf9f429904e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6a9f03f9be9cd086d025bf9f429904e7_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 316
      2⤵
      • Program crash
      PID:592

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\autorun.inf
          Filesize: 126B
          MD5: 163e20cbccefcdd42f46e43a94173c46
          SHA1: 4c7b5048e8608e2a75799e00ecf1bbb4773279ae
          SHA256: 7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
          SHA512: e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

        • C:\zPharaoh.exe
          Filesize: 151KB
          MD5: d1c458c72b5e746c79e49f3e85fa012d
          SHA1: 6fe083eba5c3b59b9c4238345e93fda5de643776
          SHA256: bdb8019ffebff527bdd546bd0f0b311db75fb0421bef9f2fb81c9ea3a2408ab9
          SHA512: 0567eb80856206a32d2f4c45ec159617d8fea21bb0c6e83e1c3e0ab505b0bf75edd8c2cd756c93308b137e2e940f7974a2d6aae5cf8447dc3db9d5862d653245

        • F:\zPharaoh.exe
          Filesize: 151KB
          MD5: af6e72729410d2327ac61031def12764
          SHA1: 1ddf97070694381eb42d5058c6294bde4f092153
          SHA256: 091d80cd888410c180f1ce6de7ac703a159296941fc929491af9c38642628929
          SHA512: 0fe2aaee397429ddbc9667baa632e2a3e9040a1e5919fb6e8a3572b33bd5638168e339984d536314a18a1dfbb80da4aa934df7261dbb06be2d5283180957f8f7

        • memory/1740-0-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize: 88KB