Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/08/2024, 04:48

General

  • Target: 890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe
  • Size: 218KB
  • MD5: 890e36b60da9343f77a3d7e5a1e60516
  • SHA1: 07561bc621f9a2c4e2ba8d7c58d8444b8c8b5737
  • SHA256: 03d8ee4d9958ad70ff66da334cf0fee831102c34648862ed3fe9b82a25af14aa
  • SHA512: c0614e3c45738dc01662245ee855420d4c983cd7c0eba3bdab93f43a09d19d5edc88ac8770c025f54d25dc641d4e8ff03f054e006110a2a1de879f6cfd686afe
  • SSDEEP: 3072:+cPCtLvtaX/8wzVN1ZdOdXvPy0IiK4fit8sUTNwkklt99WJ5jO:+cMLYX/8whre1bIl38sUTNPkVUn

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\890e36b60da9343f77a3d7e5a1e60516_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im zrIvF
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2352

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\848900.dll
          Filesize: 157KB
          MD5: 23003b043d9e1bcfd9018530bffc7ebe
          SHA1: 42facd1899e7151bc3fc76621213866a915d9a28
          SHA256: 1857f7abe9a8f8a549230fe2cde5d81734bee0c63e5dfcaafd45db3c32ccb176
          SHA512: e7f187218b4f1d5c1002aba01642d37f1cb358d38a5f7272f7c49743e87b05045e20380214323c05d5adf890277a4f3c3b4b26cba039016c53361820f133cbe5

        • \??\c:\NT_Path.jpg
          Filesize: 98B
          MD5: 3c49c6527f3acb53e791d34644ca3188
          SHA1: 46f0860e0bfed74d0b63a9f1096232d0c473b75a
          SHA256: ee6b908b1cfc36857b4a7efc4283cadde975703e5f8ed2e9f0b0186b8fad94b1
          SHA512: be4edc73bc1b300129acedfa4341963dd1bfda7bf1e92c41af8c03f938f500272553c5929b39e54664db79f2d5d7b4904e5b80c78609ba8d2ffb1c7ffb2b0bad

        • \??\c:\windows\SysWOW64\intnet.bmp
          Filesize: 726KB
          MD5: 9ec8ea1f8f32f8ad0bdb91cdfc1d4207
          SHA1: 114f25677df9c2fad63a3d2d91986ae1f90044c7
          SHA256: 01639382a6985f70468ff8b62c90434d21c5b4dd22549a5a18a2f1e9cafc0a0e
          SHA512: 7fec42636f14137a7309495a41799cbb43fa74654762dced67e5298400604917094939af999f7cfe2cb97096179dd45c2c196f3be0345f9870aad863c4137a14