Overview

overview

7

Static

static

3

6f454cf4b6...18.exe

windows7-x64

7

6f454cf4b6...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2024 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f454cf4b6006fd3f5ddbfaeb33750ba_JaffaCakes118.exe

  • Size

    976KB

  • MD5

    6f454cf4b6006fd3f5ddbfaeb33750ba

  • SHA1

    c19b515767c21ba8a2647182567064a11a2cbf90

  • SHA256

    2d50c7a4049bca0257fbeef74aaa4f50888276a83b88f050e79364e7383d6cdd

  • SHA512

    08fffeb178f46b88fba80fe25a81a952095e7922c3aaf58133c5fa3eeac14f93e263d8fb78b88b6869b2bf82c2555060bce08274eaac05f2df52f47094b8fcc9

  • SSDEEP

    24576:T3YdyAeukW5AJJcZlmRhzogTSvvN/5icIKAV7W:T3YgHclK1E/5ipjV

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f454cf4b6006fd3f5ddbfaeb33750ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f454cf4b6006fd3f5ddbfaeb33750ba_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Delete.BAT
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2196
  • C:\Windows\TrueImage.exe
    C:\Windows\TrueImage.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 12
          3⤵
          • Program crash
          PID:4864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 100 -ip 100
      1⤵
        PID:3488

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Delete.BAT
        Filesize

        214B

        MD5

        ae6375808b087cda6c70d46a896c1a66

        SHA1

        0990f9b25ae4101007df8b1f381fcee5a8b4f667

        SHA256

        293f55a208b7e502b5747264ff2a799c8be52c5596ece77aa24b87195a7a850e

        SHA512

        73e121d08955df8e9fbc500078276aabbe4aa3745507e0c3756cc01cec646f0820813086b5a2efa86e4b6c45054db14e88515f1e7f0a8dcd64fda3fbfb690e01

        Download Submit

      • C:\Windows\TrueImage.exe
        Filesize

        976KB

        MD5

        6f454cf4b6006fd3f5ddbfaeb33750ba

        SHA1

        c19b515767c21ba8a2647182567064a11a2cbf90

        SHA256

        2d50c7a4049bca0257fbeef74aaa4f50888276a83b88f050e79364e7383d6cdd

        SHA512

        08fffeb178f46b88fba80fe25a81a952095e7922c3aaf58133c5fa3eeac14f93e263d8fb78b88b6869b2bf82c2555060bce08274eaac05f2df52f47094b8fcc9

        Download Submit

      • memory/1680-10-0x0000000000650000-0x0000000000651000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1680-16-0x0000000000400000-0x00000000004F4000-memory.dmp

        Filesize

        976KB

        Download

      • memory/3892-0-0x0000000000400000-0x00000000004F4000-memory.dmp

        Filesize

        976KB

        Download

      • memory/3892-1-0x0000000000400000-0x00000000004F4000-memory.dmp

        Filesize

        976KB

        Download

      • memory/3892-2-0x0000000000400000-0x00000000004F4000-memory.dmp

        Filesize

        976KB

        Download

      • memory/3892-3-0x0000000000810000-0x0000000000811000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3892-13-0x0000000000400000-0x00000000004F4000-memory.dmp

        Filesize

        976KB

        Download