Overview

overview

7

Static

static

3

71eafa1350...18.exe

windows7-x64

7

71eafa1350...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26/07/2024, 00:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    71eafa1350dcdeaa18d621929574642a_JaffaCakes118.exe

  • Size

    268KB

  • MD5

    71eafa1350dcdeaa18d621929574642a

  • SHA1

    4a379dc7a31af36cdb2a4b7f6ff7f5c1cac28832

  • SHA256

    549df45ddd1528e878098f6c71d78cb96604d9888f7c082c30924ae6982c560c

  • SHA512

    5b2a7ea01f2e476a3b2f839827c186aeb8d2ab642fbf8fb5b91defa940b2d15e1fc94a9b826e19520992bd3b8327f4317f2567343564b9b6ce989eb0c752f82f

  • SSDEEP

    3072:9gdesn3BUCejNTYUFrsry+2B/lS1sJqJCV1DQLAvWsXz9rW+R1PRJhTA9lXBgp:GdesxNe+/6JqJCAL4WsXz11PDhTAXBg

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\71eafa1350dcdeaa18d621929574642a_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\71eafa1350dcdeaa18d621929574642a_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Users\Admin\Desktop\server.exe
          "C:\Users\Admin\Desktop\server.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2872
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:2784

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\Desktop\fawri7.JPG
            Filesize

            10KB

            MD5

            00c7cdf40e3bf63e0a6c236f117acff2

            SHA1

            f0ea5cca86f01b2adaa4e269ffcdc770c4e90d4a

            SHA256

            3f5a8910c70b63daaae292daec95dd14b0bf234c26acbf67a4d5a013dc15b06e

            SHA512

            1cc32f47ab737c4f57eaf313493f6e6cb84ecb1308865f5ad6df3df9b5b3d2d5d238291a2fc737a286fb3362aff404bb0e6a784e968682e3df4028778eddeafb

            Download Submit

          • \Users\Admin\Desktop\server.exe
            Filesize

            62KB

            MD5

            1079039963bf0f6e919caf541a5ca15d

            SHA1

            0f8c2d47bac92251519b2b1a06b3168b85224f8b

            SHA256

            82ae5cd45338d49932ebae4e7b4f9e1dd87c06797d382ac2c2570dfbdb99c7fc

            SHA512

            6850c5f0c14a8c5cd48ca827734b7c15e76fdc317bf4934f28a50e15d7552b3e7902efd429f49edd7fbcff8ccfe01e3f67ce20ad9d507868d3527f5c83a86233

            Download Submit

          • memory/1324-22-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1324-32-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2348-15-0x0000000000700000-0x000000000070B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2348-28-0x00000000023C0000-0x00000000023C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-16-0x0000000000700000-0x000000000070B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2348-4-0x00000000006F0000-0x00000000006FB000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2784-29-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2784-31-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2784-48-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2872-21-0x0000000010000000-0x0000000010012000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2872-44-0x0000000010000000-0x0000000010012000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2872-46-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

            Download