Overview

overview

10

Static

static

3

76052d4b85...18.exe

windows7-x64

10

76052d4b85...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe

  • Size

    674KB

  • MD5

    76052d4b85ec76db757eb6b4d7587fba

  • SHA1

    a7cbdc3ec66ae4f285d754df0b88f23c28b8cf4b

  • SHA256

    4028c58dc2e2004bbed97de7bad99898cc5971cd7e56ec0c320fa2e2703b7ecc

  • SHA512

    9d61665165fa1b4163c54ee2196895b32466fe6db1e23586535ad36acb9fb64fa9dd7dd153a02a1b44277d593eec9e96ddbfe25c1084601c4cb8470d4de9f732

  • SSDEEP

    12288:COwT6AVg9jzrpMPSK3+laYSnjj2FsgYSqKZdb/MJtptHmGgRC5IGxtIXc3AQ:6T6eaK3y9Sn32lYSJAVtGGgRCKgtIXcD

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Program Files\Common Files\CTHELPER.EXE
      "C:\Program Files\Common Files\CTHELPER.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\CTHELPER.EXE
    Filesize

    963KB

    MD5

    f55c61e01653533fdbf7d97e6bd8a3ff

    SHA1

    3c433305b1d12f7db4ab5d776c4e49c3da059926

    SHA256

    7b7e9995eff54560ed2f41896fab4326693c4fac63c626646a0cb4db69d29bc9

    SHA512

    ccc1480d663829d0c00fb41beb6057bf5a2995f6491c5ae62dd45de647cb4ff7f40c0e5285b56af576a469f964b275c5609928797b1cbb92969d1521b80e1026

    Download Submit

  • C:\Program Files\Common Files\Microsoft\cVer.ini
    Filesize

    68B

    MD5

    f272a14f7c0a7a1be084bfd471253957

    SHA1

    c3349b83bee9a3761d204620ff1415b7d1f06bdf

    SHA256

    385f74a077bc08b53ec1f18e093b7549b1a47461d5e88d47d667b5dd8f01ead1

    SHA512

    91ec24b44637c648e7a91acbf8ef558fe50108129a4c161bf96409c795847d36254b6d054eabe95f20c1aefa949810ac8af298db058d66f6a855176eb9968ba5

    Download Submit

  • C:\Program Files\Common Files\Microsoft\cVer.ini
    Filesize

    68B

    MD5

    3933e5ecf9cbb85472b64019cade74e6

    SHA1

    37abe7c458037d5843a536cbd0da42e00f26c11b

    SHA256

    397c7f4065d74bd56195c91a0d1abe73921467adcef02e99c35ffb256262c2fe

    SHA512

    2d870c6c7b5501108c765b8f07abc0cacf4eba485410f744d1df3bf1e58f5116e123331bacc720b34613798eb4b75623ecd7efaf1798089309ec9f87a58e700e

    Download Submit

  • C:\Program Files\Common Files\Microsoft\cVer.ini
    Filesize

    68B

    MD5

    33af46d6c886b6b72f9cd77812a0349d

    SHA1

    7b213ac72c05bc7898a92abed0c912bf7ba87e01

    SHA256

    9718ec13ca72b5733843b10dd7164e6d5fcd10e27ac71f30834a48e67d31d857

    SHA512

    94e9a0e47ff80ef261e8edecd39a7d5c2ca0706f8ca2fd3a142028f1a72747191d5808afac580c2fea0db28b66484cb299186a7701218207b78293cb7032e1be

    Download Submit

  • C:\Program Files\Common Files\Microsoft\cVer.ini
    Filesize

    58B

    MD5

    cdceeceee6fed31fe739fa9f3e995fe0

    SHA1

    c18060df86d2f0b6129dba8ed965dc8c7fb2aa55

    SHA256

    9b16f939608d7d8ec3d7c78a28b91d59bd4401a5f86f9899ebce6c7d9bad8f1a

    SHA512

    4d46cb1eceb00dd4fca14dff0b08ed0b2fefca1024593ad06df07e239638788040032f8d7de80e2a1764d7199ac3ed80cb810cdf1bcf3f93b864b554768c4c30

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr
    Filesize

    378KB

    MD5

    aaf112c6e858ed3fd8d2132cc60bf8c8

    SHA1

    c0b9c27c14de77ac78f6dbc8cba1ae403d82cf7c

    SHA256

    42f6867590e93aee0c7723802b771981c2b01f95e611e2e4691eb1af2353863f

    SHA512

    cc8ec3f9e2f06df2b66477f5a4b70fc8e6d6977ca997091d6dc853dcf8e13d4f2a14668e12c1907541660f43ac93c7e3f10b3a17c09ab909fa18d42ef762a245

    Download Submit

  • memory/2944-64-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2944-80-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2944-33-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/2944-35-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2944-36-0x0000000002100000-0x0000000002102000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2944-72-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2944-87-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2944-54-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2944-56-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/2944-57-0x0000000002100000-0x0000000002102000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3476-7-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3476-45-0x0000000000400000-0x0000000000594000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3476-44-0x0000000010000000-0x0000000010121000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3476-0-0x0000000000400000-0x0000000000594000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3476-8-0x00000000006F0000-0x00000000006F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3476-2-0x0000000000400000-0x0000000000594000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3476-1-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download