Overview

overview

10

Static

static

3

7126946753...18.exe

windows7-x64

10

7126946753...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 20:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7126946753de6af96437e545e23f5864_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    7126946753de6af96437e545e23f5864

  • SHA1

    304dc22e140db3b63090c3bcbb5076de5684ef2f

  • SHA256

    5e41d96d3802ea17c942bde8b51793d433fdf81bdd9de5c92796b75195a20175

  • SHA512

    140be1405414410b4604c4867e7e99e7c4868e1967339d52693693857d1010d3985404e8d7cb560413fdb41327292f80546af89dc807690d329f309f53407668

  • SSDEEP

    384:FIAoI4N/TA6kjOVvZzbWuGFbyaW6bZZ0xF6FW91Xtg6q:FBo5JTA9jOVxPOuEFsXO3

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7126946753de6af96437e545e23f5864_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7126946753de6af96437e545e23f5864_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\9E23.tmp.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1948

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\9E23.tmp.bat
          Filesize

          207B

          MD5

          e2189cc9d7cad5b714803bfca4c2891e

          SHA1

          d4d450ab754be63406fddc6b844fa9f971159e90

          SHA256

          8e1ceb93fb0914dc403cdb117d56bf1c671b7b488e337225a9612ef74420ebbf

          SHA512

          6dc517ea416e3879055bfc3c63bbd838e68e17bad8f56a81cc97d5b810df0ae64e0fc7c60dbdc774ecc54d7b268965ed5ee44c8e4c4d7530a47f87aa771e3654

          Download Submit

        • C:\Windows\SysWOW64\tllquhyn.nls
          Filesize

          428B

          MD5

          91ba9919bd57f92e9bb01df346b1fddb

          SHA1

          c0c4fbb98a10082340738bb96b099d9604eac0ed

          SHA256

          f1b370812090f6e82b033aa13c45dbf368774aec748339dc49b3aac8f2960eef

          SHA512

          45a0d435211f5c9c0d07c122ee8b0060cb8fa86f23294e4f9a8b7471b227629df2eb2be6777720b5607e619fb4c7059a060373f929332b75ae2459dac9833e9a

          Download Submit

        • C:\Windows\SysWOW64\tllquhyn.tmp
          Filesize

          2.2MB

          MD5

          bc36b3035aa5d2ce5d44132944d90f94

          SHA1

          7697fd8ab9d14c7aa56ed780b675749798f9b141

          SHA256

          da176ee24c0194949ffba21cccd005175d492cf136570cea2457d1ef3490fe71

          SHA512

          85eb565e91c86f8c9000138a1361778c92136c40f34ecc49e1de0b1d0fae4bcd6fa8a5aac142a82e86ef2d72b3a039fd457f44d4283ac710ddcd0b730b64776e

          Download Submit

        • memory/2292-16-0x0000000010000000-0x0000000010008000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2292-25-0x0000000010000000-0x0000000010008000-memory.dmp

          Filesize

          32KB

          Download