Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-08-2024 02:12

General

  • Target

    846f8d936f608d3000ded4691a81c0f3_JaffaCakes118.exe

  • Size

    240KB

  • MD5

    846f8d936f608d3000ded4691a81c0f3

  • SHA1

    d6e42d2c39c8e1f2d898a2c5679e13faf6597e50

  • SHA256

    f1a16f6850f31cc8f6715bb641ce3c002b25554f92b5f83f16ef3a4726712d1b

  • SHA512

    80fb5c5635e22c38b768d23f64ac404cf015b0a52ff2f8543c0eb5a803121b7c2981ac71feb6fc5fb13eb89c4d33d74b84b1f99df7eb166ee49e0d92d3950290

  • SSDEEP

    6144:tU13dwqsNwemAB0EqxF6snji81RUinKchhyZS36:edQQJsAK

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\846f8d936f608d3000ded4691a81c0f3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\846f8d936f608d3000ded4691a81c0f3_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\nugus.exe
      "C:\Users\Admin\nugus.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\nugus.exe

    Filesize

    240KB

    MD5

    3d76af76510e20253f8900371f9a0816

    SHA1

    c827df9a14fadf9c835c8ea925224dcdf38718df

    SHA256

    14461c3e2b2a40fa249c0e04d3daabe878ca8f28628c55e6c8d1f32ac0b9b377

    SHA512

    85b531f626d4bcc47503f8912fd42c4e8cff62102621eed230deae57c8e40cade0dc3078f57930b4680bc6c60c0bc16a28e15c98c94abab146d13fc21fa71fce

  • memory/2748-15-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2748-20-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2944-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2944-9-0x00000000035E0000-0x000000000361E000-memory.dmp

    Filesize

    248KB

  • memory/2944-19-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB