Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/08/2024, 04:48

General

  • Target

    890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe

  • Size

    218KB

  • MD5

    890e36b60da9343f77a3d7e5a1e60516

  • SHA1

    07561bc621f9a2c4e2ba8d7c58d8444b8c8b5737

  • SHA256

    03d8ee4d9958ad70ff66da334cf0fee831102c34648862ed3fe9b82a25af14aa

  • SHA512

    c0614e3c45738dc01662245ee855420d4c983cd7c0eba3bdab93f43a09d19d5edc88ac8770c025f54d25dc641d4e8ff03f054e006110a2a1de879f6cfd686afe

  • SSDEEP

    3072:+cPCtLvtaX/8wzVN1ZdOdXvPy0IiK4fit8sUTNwkklt99WJ5jO:+cMLYX/8whre1bIl38sUTNPkVUn

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe (PID 2032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe"
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    Child process:
    • C:\Windows\SysWOW64\taskkill.exe (PID 2076)
      Command line: taskkill /f /im zrIvF
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\SysWOW64\svchost.exe (PID 1296)
    Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2062300.dll
    Filesize: 157KB
    MD5: 23003b043d9e1bcfd9018530bffc7ebe
    SHA1: 42facd1899e7151bc3fc76621213866a915d9a28
    SHA256: 1857f7abe9a8f8a549230fe2cde5d81734bee0c63e5dfcaafd45db3c32ccb176
    SHA512: e7f187218b4f1d5c1002aba01642d37f1cb358d38a5f7272f7c49743e87b05045e20380214323c05d5adf890277a4f3c3b4b26cba039016c53361820f133cbe5

  • C:\Windows\SysWOW64\intnet.bmp
    Filesize: 2.2MB
    MD5: 978e903d42b3929d08facc269f5c38ad
    SHA1: cbda3ef8d4960ab37e3f887101eb1e38a37aa992
    SHA256: 6e78c1ec35413cb697435dade9b27d54c32e49a57c8600ceb10d29b9c2af0ce2
    SHA512: 27cdf2acae505c6bfe7b6f3cfcc5a38b000b506d09289014a5b9e5643a83d14cc88dd315f9de071541ad610d830d8fd0026a689bab3fbe34acf9c9f6b2273489

  • \??\c:\NT_Path.jpg
    Filesize: 99B
    MD5: ad0c54822253dea45f8cfb04245b1ec6
    SHA1: 290334c3ad70ed87f79308b88492a355e5ad51c1
    SHA256: 1b87767be7571f22415d46a5c81e17788b8b2828ead5241923f16105a07adbc9
    SHA512: 1d63cc1cb46105a6d571ed68a1feb2fc78398ed1c70dbde1ef336ab7fc55ca6ceebb89a36e939b4c21d7b9c401c71c3724ef67c7c0f4164e23f9dd652e11767e

  • memory/2032-12-0x0000000010000000-0x000000001002D000-memory.dmp
    Filesize: 180KB