Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/07/2024, 20:39 UTC

General

  • Target

    7126946753de6af96437e545e23f5864_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    7126946753de6af96437e545e23f5864

  • SHA1

    304dc22e140db3b63090c3bcbb5076de5684ef2f

  • SHA256

    5e41d96d3802ea17c942bde8b51793d433fdf81bdd9de5c92796b75195a20175

  • SHA512

    140be1405414410b4604c4867e7e99e7c4868e1967339d52693693857d1010d3985404e8d7cb560413fdb41327292f80546af89dc807690d329f309f53407668

  • SSDEEP

    384:FIAoI4N/TA6kjOVvZzbWuGFbyaW6bZZ0xF6FW91Xtg6q:FBo5JTA9jOVxPOuEFsXO3

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7126946753de6af96437e545e23f5864_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7126946753de6af96437e545e23f5864_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\9E23.tmp.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9E23.tmp.bat

    Filesize

    207B

    MD5

    e2189cc9d7cad5b714803bfca4c2891e

    SHA1

    d4d450ab754be63406fddc6b844fa9f971159e90

    SHA256

    8e1ceb93fb0914dc403cdb117d56bf1c671b7b488e337225a9612ef74420ebbf

    SHA512

    6dc517ea416e3879055bfc3c63bbd838e68e17bad8f56a81cc97d5b810df0ae64e0fc7c60dbdc774ecc54d7b268965ed5ee44c8e4c4d7530a47f87aa771e3654

  • C:\Windows\SysWOW64\tllquhyn.nls

    Filesize

    428B

    MD5

    91ba9919bd57f92e9bb01df346b1fddb

    SHA1

    c0c4fbb98a10082340738bb96b099d9604eac0ed

    SHA256

    f1b370812090f6e82b033aa13c45dbf368774aec748339dc49b3aac8f2960eef

    SHA512

    45a0d435211f5c9c0d07c122ee8b0060cb8fa86f23294e4f9a8b7471b227629df2eb2be6777720b5607e619fb4c7059a060373f929332b75ae2459dac9833e9a

  • C:\Windows\SysWOW64\tllquhyn.tmp

    Filesize

    2.2MB

    MD5

    bc36b3035aa5d2ce5d44132944d90f94

    SHA1

    7697fd8ab9d14c7aa56ed780b675749798f9b141

    SHA256

    da176ee24c0194949ffba21cccd005175d492cf136570cea2457d1ef3490fe71

    SHA512

    85eb565e91c86f8c9000138a1361778c92136c40f34ecc49e1de0b1d0fae4bcd6fa8a5aac142a82e86ef2d72b3a039fd457f44d4283ac710ddcd0b730b64776e

  • memory/2292-16-0x0000000010000000-0x0000000010008000-memory.dmp

    Filesize

    32KB

  • memory/2292-25-0x0000000010000000-0x0000000010008000-memory.dmp

    Filesize

    32KB