Overview

overview

8

Static

static

3

758ed44651...18.exe

windows7-x64

8

758ed44651...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    758ed44651a77a27dda48c5169a570d5_JaffaCakes118.exe

  • Size

    47KB

  • MD5

    758ed44651a77a27dda48c5169a570d5

  • SHA1

    c5cece157eaddbf875ed5fa8764ea223fc518aa0

  • SHA256

    3330a6feecaf6d03b08315c2e7377e68ce7d12d4d8b28e3abd766033b99cb57f

  • SHA512

    753cf8c72fc3440f04d9bb5fddbdd0dc82f9a6eea2fdffe4b70063a5483b271f40a1ff82b3db57bd7ee838ef9e914e1de3bb34bb5fa8e336487826b425b51c13

  • SSDEEP

    768:e/pgwi35zpaQbq0quzJ1L4B+rovo21KbNL8mG0o6rudz8va:oOn5dZbf5PBro/1UNnGb6ruVOa

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\758ed44651a77a27dda48c5169a570d5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\758ed44651a77a27dda48c5169a570d5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1256
    • \??\c:\windows\SysWOW64\wkfiwa.exe
      c:\windows\system32\wkfiwa.exe ~xc:\users\admin\appdata\local\temp\758ed44651a77a27dda48c5169a570d5_jaffacakes118.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4040
    • \??\c:\windows\SysWOW64\spira.htnl
      c:\windows\system32\spira.htnl ~xc:\users\admin\appdata\local\temp\758ed44651a77a27dda48c5169a570d5_jaffacakes118.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2664
    • \??\c:\windows\svchosl.exe
      c:\windows\svchosl.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\winskd0.dll
    Filesize

    3KB

    MD5

    c8a483ec7f34bca91ba9c5679ab2d46b

    SHA1

    2e37828f0d6f02861245298792376e81b90aca54

    SHA256

    57e9a9be0a800e4e9665615253ff784ccddb3311abdc2683d94b3f45936fdaa7

    SHA512

    0b55d83bd9cec19ff16a43f6f9ffb66117526e8dadc5d1af548bdd80c7427cd85da55ff71779233fd49e8a2f158268c3142e8e7ae0cfd183d0c9c4b3cdbd2b8e

    Download Submit

  • C:\Windows\SysWOW64\wkfiwa.exe
    Filesize

    4KB

    MD5

    a3eb66f93ea6dfb5b080e132079303b6

    SHA1

    25c775a35135b27b77aa1afe298c4a6aaf8cd30f

    SHA256

    eab06e79031340e973abffb58b4623813bc3ebd3d943bbe261a4efba344b74d9

    SHA512

    6f36843bdd9d19da4bea41e0f683f74de899ef0165732ad01afe07c85938c1d24ba3d6b1cf94823aa62604a168b21931fc6e3692b880a496b46008082fcf3738

    Download Submit

  • C:\Windows\svchosl.exe
    Filesize

    36KB

    MD5

    53000b205ee55e86c9af2df40133cf30

    SHA1

    fe5dcff8d2433772c581eecbf7a69d470674cad9

    SHA256

    0dbdfbd13d5c21a3eb6cf292607ce42206dac22f0e8d3b55fdfde9c37174f1c1

    SHA512

    abd405f2298e15895e853f1f50335d9303be157a846b37b6fc29945a758889110769e912ce108b5dcc1f2a198e939f4abc4325d9594868bfca3becdbe23d2cc4

    Download Submit

  • memory/1256-45-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-42-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-52-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-51-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-50-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-28-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-35-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-36-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-41-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-49-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-43-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-44-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-0-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-46-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-47-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-48-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2664-13-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2664-15-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4040-6-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4040-8-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download