Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 02:49

General

  • Target

    7250e33ed2a84b56846221dd42fb714e_JaffaCakes118.exe

  • Size

    297KB

  • MD5

    7250e33ed2a84b56846221dd42fb714e

  • SHA1

    2d114ca1e946edf060af190bf29a213e22b50e9a

  • SHA256

    008b7a5a2879e583bcb52a34fc70a4a9fe4fc7abc205883860e458cba7cb3275

  • SHA512

    059b57224b31e1a4cea99f946c598c3e7e117ac77a90efcbe6999b3255f05ff35a2d687de9570429981007fff5c39a290517c90f057b0ba5ec1601fb2887a68c

  • SSDEEP

    6144:FurqlRlRKXCVhz1CZMYOeAFyhFmd7wYITnpF1qlY:uqRlsXUxC6PeAKmd7HITVAY

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7250e33ed2a84b56846221dd42fb714e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7250e33ed2a84b56846221dd42fb714e_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2784
  • C:\Windows\win321.exe
    C:\Windows\win321.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\uninstal.bat

      Filesize

      218B

      MD5

      fe1050bdf092a79a133ad2edc7f7dbd8

      SHA1

      79cdcc89d69319cfe3ad58b3fdc6b71f143ca814

      SHA256

      e57b85307a087c58187909a0c78b2037586d0c77b5a6181639d470d795e013f6

      SHA512

      a281ef59f8c797f1961ba8476f336d7673216bcbd87e6b5a16b81037222687b6e77e3b0ce3487ddab7677de97ade662dc87bc444b50a3a2fa9e11175e905bad0

    • C:\Windows\win321.exe

      Filesize

      297KB

      MD5

      7250e33ed2a84b56846221dd42fb714e

      SHA1

      2d114ca1e946edf060af190bf29a213e22b50e9a

      SHA256

      008b7a5a2879e583bcb52a34fc70a4a9fe4fc7abc205883860e458cba7cb3275

      SHA512

      059b57224b31e1a4cea99f946c598c3e7e117ac77a90efcbe6999b3255f05ff35a2d687de9570429981007fff5c39a290517c90f057b0ba5ec1601fb2887a68c

    • memory/2480-0-0x0000000000400000-0x0000000000512120-memory.dmp

      Filesize

      1.1MB

    • memory/2480-1-0x0000000000508000-0x000000000050A000-memory.dmp

      Filesize

      8KB

    • memory/2480-14-0x0000000000400000-0x0000000000512120-memory.dmp

      Filesize

      1.1MB

    • memory/2832-5-0x0000000000400000-0x0000000000512120-memory.dmp

      Filesize

      1.1MB

    • memory/2832-16-0x0000000000400000-0x0000000000512120-memory.dmp

      Filesize

      1.1MB

    • memory/2832-20-0x0000000000400000-0x0000000000512120-memory.dmp

      Filesize

      1.1MB