Overview

overview

10

Static

static

10

6fe4ac1776...18.exe

windows7-x64

7

6fe4ac1776...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fe4ac17766e2878f6b57320cfafcbe4_JaffaCakes118.exe

  • Size

    492KB

  • MD5

    6fe4ac17766e2878f6b57320cfafcbe4

  • SHA1

    20f4ebae589f61726d5ad7ed29c87f222b3f4298

  • SHA256

    6ec7b2b08274592b5830ae39c0e6cae025367d455a7ee5407daea259f89b374f

  • SHA512

    17219231eb829d970b8bb6088fcf64e44460b3aa294cd6cfc5819672d45df41e399bd2e8f758ef5ab79f26a5235a2f00bff78d88ccfa2d450cd8aafb0ca6f9ba

  • SSDEEP

    6144:awcaAn70pz2YDY/XgvZX4NeCPwcaAn70pz2YJY/XgvZX4NeCIZvLKvu:aZn70l3SI4NhPZn70l3UI4NhIJLKvu

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fe4ac17766e2878f6b57320cfafcbe4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fe4ac17766e2878f6b57320cfafcbe4_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\original.exe
      "C:\Users\Admin\AppData\Local\Temp\original.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 156
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\original.exe
    Filesize

    439KB

    MD5

    940d08d63a521c34993b809b52c4596a

    SHA1

    ee37869129ea4d5b63ebe0a3c8bedc201489961c

    SHA256

    21c135e31a3e3b649d991c9e3e17f56fab8e27f2c03756048cbd747c72e996f2

    SHA512

    f10a1df05fbb268efc17509dd83fc4ad0c7ab407b18bffef169a8e64abf481223676d07dd0d9371e22c3bb1c5b074acabb0c338a0e41ae85a542d12c33d2bf50

    Download Submit

  • memory/2028-13-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2292-1-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2292-15-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

    Filesize

    9.6MB

    Download