Overview

overview

7

Static

static

3

758f89335c...18.exe

windows7-x64

7

758f89335c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 20:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    758f89335cebe33be7ec7da0cde383cc_JaffaCakes118.exe

  • Size

    621KB

  • MD5

    758f89335cebe33be7ec7da0cde383cc

  • SHA1

    f67d3c2433c7edbc0fd96e9f8fbdb454accc454a

  • SHA256

    7aa9ef4b44384a74e44041d553e9f86530e4d46e15f7b84eafc32be84e659d8f

  • SHA512

    dc5680d43b184a26ca80e714b95a1f2e61d76626e4d5d3f6b4b14273f9156c90d6ba0039105de430b4255406d4523cd77742a5f9f170f6ff2ca10bf3e1e18627

  • SSDEEP

    12288:vECgB5Ld8gMxBr6ml6NKOJa25ZF3Z4mxxn8E7PIxyJ00riPeZdRjfd0:MB/Ld89PGml6kO0IZQmXn8E7wxn6d0

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\758f89335cebe33be7ec7da0cde383cc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\758f89335cebe33be7ec7da0cde383cc_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5080
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
          "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1904
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4748

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
              Filesize

              250KB

              MD5

              61411622e6fb11bfd3c8dfc9a5cb11ec

              SHA1

              de71d9f0d1eea3b898c371dcef680cc37efc7e12

              SHA256

              2cc53d6c0d299df575d5ca96b2d8691ab8f1a14eda69a09e0ac8e569bdfbbf63

              SHA512

              10526f77adaeabfd07e4e416eb7ddc019a5fabd9a7cc240eae158321f41cc265e96a58a77772a866cb95f52dbb24f60c9e881bed4d565ab87cd15dd70fa343a7

              Download Submit

            • C:\Windows\SysWOW64\Deleteme.bat
              Filesize

              154B

              MD5

              01e5b17fc2993ca111113c15642f86c8

              SHA1

              9f4512b265b18a533eb8ebaba7e6a7b7f1283e5e

              SHA256

              bfddaf9f1c8d334bc65a48141f274e219d173126a6a45dc31d094761ae659d51

              SHA512

              9c830c6d1e539702291cabdfd25d9bae356528e76f2ef937e9f141d2aec83160ad49466d7fbc49e6db27399958b39b9d9dc222b360210f2b3c3e4c947e360c20

              Download Submit

            • memory/836-48-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/836-35-0x00000000006B0000-0x00000000006B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/836-33-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/2704-27-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/2704-22-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/4296-16-0x00000000021A0000-0x00000000021A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4296-29-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/4296-15-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/4456-9-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-6-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-23-0x0000000001053000-0x0000000001054000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4456-4-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-0-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-5-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-3-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-2-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4456-1-0x0000000001053000-0x0000000001054000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4456-51-0x0000000001000000-0x00000000010AA000-memory.dmp

              Filesize

              680KB

              Download

            • memory/4972-41-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/4972-46-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download