Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/08/2024, 04:41

General

  • Target

    89077ec35284e1aa96cfeca1b36e985d_JaffaCakes118.exe

  • Size

    135KB

  • MD5

    89077ec35284e1aa96cfeca1b36e985d

  • SHA1

    9ca905522279fde0d7fec1b2a05f11f91e6bac45

  • SHA256

    0e18f63d09c0c00051266f42adff22e4eacc5d134fdf9b254f8052769f508a86

  • SHA512

    5de9a332ce2bb0600063fbf70100fd1770d6d09163b618859c247ee5e3a1e46edcd0c6b4ecec55c78cef0c32a37abe99558d7e86d8cfa3cce7d11d82e78caa6b

  • SSDEEP

    3072:61Dl6JUPb1WpXVxAaGBvbNvNbNJkvmhyPQbaDTUXGIDbwKDqCtrwdAxaVTtVHLkL:MDlJoIDbByGPMsMP

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89077ec35284e1aa96cfeca1b36e985d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89077ec35284e1aa96cfeca1b36e985d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\yoiiv.exe
      "C:\Users\Admin\yoiiv.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:964

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\yoiiv.exe

          Filesize

          135KB

          MD5

          22fe1724288d2c58545640831ede58b2

          SHA1

          12c306122f97cedd57d5bd6d3a0765a48d9495d7

          SHA256

          51b275ea48b571e9bf0cedaf74dc7ac4a7957dc498f5eb532c5be4049869d279

          SHA512

          f8debb09db3bd333df06f77e8b1f1b5d0d773b6dec0d9b4bb204d692ad06f443f9dfb860a06b69d5b54bc5c2921119ce4d41902deb72cfb3ab2fb8a12b2d1de5

        • memory/964-34-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3280-0-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB